Make HTTP_MAX_HEADER_SIZE configurable #24692
Comments
Major +1 here. Our large enterprise is not in the position to reduce the possible headers that flow through our infrastructure to 8k. Agree that patching node at compile time is not a good solution for us.
We are running into the same issue. The drop from 80kb to 8kb is forcing us to stick with the previous version of node until this is resolved. This needs to be configurable either through a command line option, environment variable, or in code. A compile time flag is not a good solution for us (or probably 99% of other devs) either.
Sorry if I missed the conversation somewhere, but do we have the option of updating I did a little experimenting (definitely not PR ready at this point) at cjihrig@e55765d, and was able to adjust the max header size. It breaks ABI, but I'm not sure if we worry about that with the http parser. cc: @bnoordhuis EDIT: I don't think I would attach the max header size to the parser, but maybe add a function that sets the global max header size. That shouldn't break ABI. (cjihrig@fb615c5)
It's also a major issue that this went out as a patch level fix to LTS editions. This is a breaking change. Ideally this 8K hard limit commit should be reverted and new LTS releases cut.
This affects us also, as our headers are right around 8k usually, but sometimes more (we have JWT tokens which account for > half of this). Our base Docker images were locked to a Node major version, so this breaking change appeared out of nowhere when the upstream image updated the Node minor version.
http-parser does, as do distros that link node to http-parser dynamically. A possible way forward: split Drawback: there are some downstream projects that read
@bnoordhuis what about a function that would allow setting the global max header size? It's not necessarily the most elegant solution ever, but I don't think it would break anything.
That could work. Two issues with the patch:
A week of debugging finally brought me here....
The biggest problem with this 8KB header limit change in my opinion is that it also applies to outbound HTTP requests response header parsing. Without any sort of runtime maximum HTTP header size parameter that can be defined in http request, Node.js will start throwing HPE_HEADER_OVERFLOW exceptions when parsing responses from external HTTP API calls that have large response headers (which isn't so uncommon when you factor in JWT and CSP headers).
@mcollina Have you seen the above comment?
Thanks @Fishrock123 for the ping! I didn't see the message.
From a technical perspective, I think we could make this setting per-instance of the http parser once we switch to llhttp. I think should be our target. @siboulet Regarding the default limit, I'm open to increase it to 10KB or 12KB if it's common to have more than 8KB of headers data. Our assumption was that 8KB was plenty. Would you mind opening a new issue about changing the default value, and making some examples of requests that will trigger this?
This commit adds http_parser_set_max_header_size() to the http-parser for overriding the compile time maximum HTTP header size. PR-URL: nodejs#24811 Fixes: nodejs#24692 Refs: nodejs/http-parser#453 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Jeremiah Senkpiel <[email protected]>
Allow the maximum size of HTTP headers to be overridden from the command line. co-authored-by: Matteo Collina <[email protected]> PR-URL: nodejs#24811 Fixes: nodejs#24692 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Myles Borins <[email protected]> Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: Сковорода Никита Андреевич <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Jeremiah Senkpiel <[email protected]>
This commit adds http_parser_set_max_header_size(), which can override the compile time HTTP_MAX_HEADER_SIZE value. Fixes: nodejs/node#24692 Refs: nodejs/node#24811 PR-URL: nodejs#453 Reviewed-By: Ben Noordhuis <[email protected]>
I think this is one of the biggest issues with introducing a breaking change without updating the major version. What was working suddenly isn't, and I've yet to see any log files that showed me why the request was being rejected. Sending a 400 with no details and no server-side log doesn't feel like the right way to go about it. Maybe I'm missing where that log would be generated?
Can anyone please tell me what header and query string limits are in I am getting 400 errors on requests with long query strings (eg ~15200 bytes) and wondering if it could be caused by some sort of "max limit". Thank you.
@oshihirii The limit for
Thank you very much @rosswilson. Just to clarify: are query strings included in the 8kb header limit? Also, wondering why https://nodejs.org/api/http.html#http_http_maxheadersize states:
whereas the Just curious to know when the 80kb limit was decreased to 8kb. Thanks again.
@oshihirii I'm not sure, perhaps someone else here can help you with those questions.
According to my research (i.e. looking at the code) when opening the issue, the request-path (and thus the query-string) does count as header for nodejs, although the RFC for HTTP states otherwise (i.e. path is not a header).
Thanks very much @zauberpony. Interesting, when I
@oshihirii It does seem like query params are considered headers. Tried a long list of query params (about 10kb) on v10.12.0 vs v10.16.0 and 10.12 responds with a 200 while 10.16 gives a 400.
It is because this change (big header limit) was applied in 10.14.0, so versions (within 10) smaller than 10.14.0 will return 200.
I tried a number of Node versions
I'm getting these errors with long query strings!
I suggest scrolling up and reading this very informative thread. To find out during runtime what your node instance is set to: EDIT:
@gentlefox Where do you set Request options? Is there an example? (for sure this needs to be programmatic and not a CLI)
Within your services. If unsure, compare with the Express.js code: You'll see Express.js as a convenience utility that simplifies using native Node.js.
Is your feature request related to a problem? Please describe.
The recent limitation to HTTP_MAX_HEADER_SIZE (1860352) to mitigate CVE-2018-12121 is a problem for us.
We use headers internally to communicate the users' session, and sometimes (legitimate) requests from "outside" exceed the 8 kb limit, too.
Given that JWT-strings easily exceed 1kb, I think the 8kb limit might be too little for others, too.
Or referrer-headers (especially in combination with payment-systems back-and-forth) tend to exceed 1kb, too.
Describe the solution you'd like
Have the possibility to configure the HTTP_MAX_HEADER_SIZE — at least via configuration-flag (at node-compile-time).
Setting this at run-time or at startup time would be nice, too.
Is setting this at compile time already possible? I couldn't find the option or best way to do it for node-gyp/gyp.
Describe alternatives you've considered
patching nodejs at compile time… not a good idea.
Reduce headers, yeah, would be nice, but that means completely changing parts of our architecture.