node-http-proxy
proxyReq event not triggered when Expect header is present
Hi all,
Regarding the changes made in https://github.com/http-party/node-http-proxy/pull/1447:
The change causes unexpected behavior when handling requests from HTTP clients which send the Expect header. I would expect the proxyReq event to be triggered in this case.
Further, I'm sorry to report that this change doesn't address the vulnerability as it was originally described in the NPM security advisory: https://www.npmjs.com/advisories/1486
By modifying the curl script from the advisory, I'm able to send the same request without the Expect header present, which then triggers the proxyReq event on the proxy instance:
curl -XPOST -H 'Expect:' http://localhost:3000 -d "$(python -c 'print("x"*1025)')"
These changes therefore don't effectively address the security advisory.
However, I'm not seeing the exception described in the advisory when calling proxyReq.setHeader inside of a proxyReq event handler, even when sending a much larger request body. So I'm not sure if the vulnerability has been fixed elsewhere, or if it was ever present.
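Added example, not part of the issue text or the node-http-proxy code base: Node throws `ERR_HTTP_HEADERS_SENT` when `setHeader` is called on a request whose header block has already been sent, so a `proxyReq` handler can guard the call instead of letting it throw. The helper name `safeSetHeader`, the header names and the loopback port are assumptions; the stand-in request is a plain `http.ClientRequest` constructed here for illustration.

```javascript
'use strict';
const http = require('http');

// Hypothetical helper, not part of node-http-proxy. Returns true if the header
// was set, false if the request's header block had already been sent.
function safeSetHeader(proxyReq, name, value) {
  if (proxyReq.headersSent) return false;
  try {
    proxyReq.setHeader(name, value);
    return true;
  } catch (err) {
    // Node reports a late setHeader with this code; anything else is a real bug.
    if (err.code === 'ERR_HTTP_HEADERS_SENT') return false;
    throw err;
  }
}

// Wiring in a proxy would look like this (needs the http-proxy package):
//   proxy.on('proxyReq', (proxyReq) => safeSetHeader(proxyReq, 'x-added', '1'));

// Constructed stand-in for the outgoing proxy request: a plain
// http.ClientRequest aimed at a loopback port, destroyed before it matters.
function demo() {
  const req = http.request({ host: '127.0.0.1', port: 9, method: 'POST' });
  req.on('error', () => {});            // ignore refused/aborted connection
  const before = safeSetHeader(req, 'x-added', '1');
  req.flushHeaders();                   // header block is now serialized
  let unguarded = null;
  try {
    req.setHeader('x-late', '1');       // what an unguarded handler would do
  } catch (err) {
    unguarded = err.code;
  }
  const after = safeSetHeader(req, 'x-late', '1');
  const kept = req.getHeader('x-added');
  req.destroy();
  return { before, unguarded, after, kept };
}

console.log(demo());
```

A `false` return is worth logging in a real handler, since it means the header the proxy intended to add did not reach the upstream.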