fastify-http-proxy icon indicating copy to clipboard operation
fastify-http-proxy copied to clipboard

Published 20 hours ago verified publisher icon fastify

Header encoding error for custom response headers: Invalid character in header content ["custom-response-header"]

Open jcbain opened this issue 11 months ago • 3 comments

Prerequisites

  • [X] I have written a descriptive issue title
  • [X] I have searched existing issues to ensure the bug has not already been reported

Fastify version

4.26.2

Plugin version

9.4.0

Node.js version

18

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

debian 10

Description

Our proxying mechanism is experiencing an uncaught exception for custom response header values that contain characters such as é with the following error message Invalid character in header content ["custom-response-header"]. When proxying traffic, we can't control all of the possible header values upstream services might decorate a reply with and I was curious on your all's thoughts on handling situations with these special characters.

Steps to Reproduce

Create an upstream that sets an invalid response header:

const httpProxy = require('@fastify/http-proxy');
const fastify = require('fastify');

const app = fastify();

app.get('/', (request, reply) => {
  reply.header('custom-response-header', 'éeek');
  return { message: 'hello world' }
});

app.listen({ port:4001 });

const proxy = fastify();

proxy.register(httpProxy, { 
   upstream: 'http://localhost:4001'
});

proxy.listen({ port: 6001 });

Expected Behavior

When looking at the RFC8187 section 3.2.1 (https://www.rfc-editor.org/rfc/rfc8187#section-3.2.1), it specifies the following, which seems as if it should be handled in some way instead of throwing.

      Note: Recipients should be prepared to handle encoding errors,
      such as malformed or incomplete percent escape sequences, or
      non-decodable octet sequences, in a robust manner.  This
      specification does not mandate any specific behavior; for
      instance, the following strategies are all acceptable:

      *  ignoring the parameter,

      *  stripping a non-decodable octet sequence, and

      *  substituting a non-decodable octet sequence by a replacement
         character, such as the Unicode character U+FFFD (Replacement
         Character).

jcbain avatar Mar 22 '24 00:03 jcbain