fix(batch): add missing early return in nodeHttpBatchRpcResponse on non-POST#195
Conversation
|
All contributors have signed the CLA ✍️ ✅ |
|
I have read the CLA Document and I hereby sign the CLA |
|
Hi @teamchong @kentonv, could you take a look when you get a chance? This is the fix for the missing early return discussed in the HackerOne report. The change is minimal - two lines in |
commit: |
|
verified the fix locally. on main a GET to this endpoint never gets a response, the socket just stays open until timeout, and there's an unhandled ERR_HTTP_HEADERS_SENT rejection later when the pipeline runs anyway. with your branch it returns the 405 immediately. So the change is correct. two things to add before this can merge (snippets below are just a starting point, adjust as you see fit): a changeset (the release automation needs it):
---
"capnweb": patch
---
Fix nodeHttpBatchRpcResponse leaving the connection open and crashing with
ERR_HTTP_HEADERS_SENT on non-POST requests. It now returns 405 immediately.and a regression test, since this path had no coverage. In it("rejects non-POST requests with 405", async () => {
let response = await fetch(`http://${inject("testServerHost")}`, { method: "GET" });
expect(response.status).toBe(405);
await response.text();
});this hangs on main and passes with your fix, so it actually catches the regression. Thanks! |
🦋 Changeset detectedLatest commit: 3b3b24c The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
4883dd7 to
f684df8
Compare
|
Done - thanks for verifying the fix locally, @teamchong. Added both items: Confirmed locally that the new test passes on this branch. Should be ready for another look. |
|
Hmm looks good to me but the new test seems to be failing. |
…sponse Without response.end() and return, non-POST requests fell through into the RPC pipeline and crashed with ERR_HTTP_HEADERS_SENT. Forward options.headers on the 405 path so cross-origin browser clients receive CORS headers. Co-authored-by: Cursor <cursoragent@cursor.com>
f684df8 to
3b3b24c
Compare
Summary
nodeHttpBatchRpcResponsewrote a 405 status for non-POST requests viaresponse.writeHead(405, ...)but was missingresponse.end()andreturn. Execution fell through into the full RPC pipeline unconditionally, then crashed withERR_HTTP_HEADERS_SENTwhen the function later tried to write the 200 response — leaving the TCP connection open until timeout.The Fetch API counterpart (
newHttpBatchRpcResponse) was unaffected; it already returned a 405Responseimmediately.Changes
src/batch.ts: addresponse.end()andreturnafter the 405writeHeadcall innodeHttpBatchRpcResponseTest plan
nodeHttpBatchRpcResponseendpoint now receives a 405 with a closed connection and no RPC handlers are invoked