undici 7.17.0 → 7.18.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md
CHANGED
|
@@ -533,6 +533,12 @@ const { headers } = await request(url);
|
|
|
533
533
|
|
|
534
534
|
The [Fetch Standard](https://fetch.spec.whatwg.org) requires implementations to exclude certain headers from requests and responses. In browser environments, some headers are forbidden so the user agent remains in full control over them. In Undici, these constraints are removed to give more control to the user.
|
|
535
535
|
|
|
536
|
+
#### Content-Encoding
|
|
537
|
+
|
|
538
|
+
* https://www.rfc-editor.org/rfc/rfc9110#field.content-encoding
|
|
539
|
+
|
|
540
|
+
Undici limits the number of `Content-Encoding` layers in a response to **5** to prevent resource exhaustion attacks. If a server responds with more than 5 content-encodings (e.g., `Content-Encoding: gzip, gzip, gzip, gzip, gzip, gzip`), the fetch will be rejected with an error. This limit matches the approach taken by [curl](https://curl.se/docs/CVE-2022-32206.html) and [urllib3](https://github.com/advisories/GHSA-gm62-xv2j-4rw9).
|
|
541
|
+
|
|
536
542
|
#### `undici.upgrade([url, options]): Promise`
|
|
537
543
|
|
|
538
544
|
Upgrade to a different protocol. See [MDN - HTTP - Protocol upgrade mechanism](https://developer.mozilla.org/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism) for more details.
|
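Review bot: the advisory reference in this README paragraph (GHSA-gm62-xv2j-4rw9) does not match the one written into the code comment of lib/web/fetch/index.js in the same release (GHSA-gm62-xv2j-4w53); one of the two identifiers is a typo and they should be reconciled before publishing. The paragraph also says "Undici limits the number of `Content-Encoding` layers" without naming the API, while the check is added to httpNetworkFetch in the fetch implementation; saying "undici's fetch" here avoids readers of the `request()`/`Client` API assuming the same guard covers them. Consider also documenting the error users should expect, since the text only says "rejected with an error".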
package/docs/docs/api/Client.md
CHANGED
|
@@ -26,7 +26,7 @@ Returns: `Client`
|
|
|
26
26
|
* **maxResponseSize** `number | null` (optional) - Default: `-1` - The maximum length of response body in bytes. Set to `-1` to disable.
|
|
27
27
|
* **pipelining** `number | null` (optional) - Default: `1` - The amount of concurrent requests to be sent over the single TCP/TLS connection according to [RFC7230](https://tools.ietf.org/html/rfc7230#section-6.3.2). Carefully consider your workload and environment before enabling concurrent requests as pipelining may reduce performance if used incorrectly. Pipelining is sensitive to network stack settings as well as head of line blocking caused by e.g. long running requests. Set to `0` to disable keep-alive connections.
|
|
28
28
|
* **connect** `ConnectOptions | Function | null` (optional) - Default: `null`.
|
|
29
|
-
* **strictContentLength** `Boolean` (optional) - Default: `true` - Whether to treat request content length mismatches as errors. If true, an error is thrown when the request content-length header doesn't match the length of the request body.
|
|
29
|
+
* **strictContentLength** `Boolean` (optional) - Default: `true` - Whether to treat request content length mismatches as errors. If true, an error is thrown when the request content-length header doesn't match the length of the request body. **Security Warning:** Disabling this option can expose your application to HTTP Request Smuggling attacks, where mismatched content-length headers cause servers and proxies to interpret request boundaries differently. This can lead to cache poisoning, credential hijacking, and bypassing security controls. Only disable this in controlled environments where you fully trust the request source.
|
|
30
30
|
* **autoSelectFamily**: `boolean` (optional) - Default: depends on local Node version, on Node 18.13.0 and above is `false`. Enables a family autodetection algorithm that loosely implements section 5 of [RFC 8305](https://tools.ietf.org/html/rfc8305#section-5). See [here](https://nodejs.org/api/net.html#socketconnectoptions-connectlistener) for more details. This option is ignored if not supported by the current Node version.
|
|
31
31
|
* **autoSelectFamilyAttemptTimeout**: `number` - Default: depends on local Node version, on Node 18.13.0 and above is `250`. The amount of time in milliseconds to wait for a connection attempt to finish before trying the next address when using the `autoSelectFamily` option. See [here](https://nodejs.org/api/net.html#socketconnectoptions-connectlistener) for more details.
|
|
32
32
|
* **allowH2**: `boolean` - Default: `false`. Enables support for H2 if the server has assigned bigger priority to it through ALPN negotiation.
|
|
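Review bot: the closing sentence "Only disable this in controlled environments where you fully trust the request source" is confusing for a client-side option: `strictContentLength` compares the body the caller hands to the Client against the content-length header the caller set, so what has to be trusted is whoever controls that header and body (for example a header forwarded unchanged by a proxy built on undici), not a "request source" in the inbound-server sense. Suggest rewording to "Only disable this when the content-length header and the body are both under the application's control and never derived from untrusted input." The same warning text is also pasted verbatim into the H2CClient section below; a single shared note that both option lists point to would keep the two from drifting apart.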
@@ -49,7 +49,7 @@ Returns: `H2CClient`
|
|
|
49
49
|
- **maxConcurrentStreams**: `number` - Default: `100`. Dictates the maximum number of concurrent streams for a single H2 session. It can be overridden by a SETTINGS remote frame.
|
|
50
50
|
- **pipelining** `number | null` (optional) - Default to `maxConcurrentStreams` - The amount of concurrent requests sent over a single HTTP/2 session in accordance with [RFC-7540](https://httpwg.org/specs/rfc7540.html#StreamsLayer) Stream specification. Streams can be closed up by remote server at any time.
|
|
51
51
|
- **connect** `ConnectOptions | null` (optional) - Default: `null`.
|
|
52
|
-
- **strictContentLength** `Boolean` (optional) - Default: `true` - Whether to treat request content length mismatches as errors. If true, an error is thrown when the request content-length header doesn't match the length of the request body.
|
|
52
|
+
- **strictContentLength** `Boolean` (optional) - Default: `true` - Whether to treat request content length mismatches as errors. If true, an error is thrown when the request content-length header doesn't match the length of the request body. **Security Warning:** Disabling this option can expose your application to HTTP Request Smuggling attacks, where mismatched content-length headers cause servers and proxies to interpret request boundaries differently. This can lead to cache poisoning, credential hijacking, and bypassing security controls. Only disable this in controlled environments where you fully trust the request source.
|
|
53
53
|
- **autoSelectFamily**: `boolean` (optional) - Default: depends on local Node version, on Node 18.13.0 and above is `false`. Enables a family autodetection algorithm that loosely implements section 5 of [RFC 8305](https://tools.ietf.org/html/rfc8305#section-5). See [here](https://nodejs.org/api/net.html#socketconnectoptions-connectlistener) for more details. This option is ignored if not supported by the current Node version.
|
|
54
54
|
- **autoSelectFamilyAttemptTimeout**: `number` - Default: depends on local Node version, on Node 18.13.0 and above is `250`. The amount of time in milliseconds to wait for a connection attempt to finish before trying the next address when using the `autoSelectFamily` option. See [here](https://nodejs.org/api/net.html#socketconnectoptions-connectlistener) for more details.
|
|
55
55
|
|
|
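Review bot: this warning was copied unchanged from the HTTP/1 `Client` section, but the scenario it describes (servers and proxies interpreting request boundaries differently) is the HTTP/1 Content-Length/Transfer-Encoding desync. Over HTTP/2 the body travels in length-prefixed DATA frames, and RFC 9113 section 8.1.1 requires the peer to treat a content-length header that disagrees with the total DATA payload as a malformed request, so the realistic exposure for `H2CClient` is an intermediary that downgrades the request to HTTP/1.1 and forwards the inconsistent header. Tailor the sentence for this section (e.g. "... when an intermediary translates the request to HTTP/1.1 ...") rather than repeating the HTTP/1 wording verbatim.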
@@ -20,7 +20,7 @@ function detectRuntimeFeatureByNodeModule (moduleName) {
|
|
|
20
20
|
lazyLoaders[moduleName]()
|
|
21
21
|
return true
|
|
22
22
|
} catch (err) {
|
|
23
|
-
if (err.code !== 'ERR_UNKNOWN_BUILTIN_MODULE') {
|
|
23
|
+
if (err.code !== 'ERR_UNKNOWN_BUILTIN_MODULE' && err.code !== 'ERR_NO_CRYPTO') {
|
|
24
24
|
throw err
|
|
25
25
|
}
|
|
26
26
|
return false
|
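Review bot: the added `err.code !== 'ERR_NO_CRYPTO'` condition needs a comment explaining why the error is swallowed: Node raises ERR_NO_CRYPTO when the binary was compiled without OpenSSL, so returning `false` makes detectRuntimeFeatureByNodeModule report crypto-backed features as unavailable instead of throwing during module load, and that intent should be visible at the call site. A unit test that stubs the relevant `lazyLoaders[moduleName]` entry to throw an error whose `code` is `'ERR_NO_CRYPTO'` and asserts a `false` return would pin the behaviour. Stylistically, now that two codes are tolerated, a lookup such as `const IGNORED_CODES = new Set(['ERR_UNKNOWN_BUILTIN_MODULE', 'ERR_NO_CRYPTO'])` followed by `if (!IGNORED_CODES.has(err.code)) throw err` reads better than a growing chained condition.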
package/lib/web/fetch/index.js
CHANGED
|
@@ -2130,6 +2130,15 @@ async function httpNetworkFetch (
|
|
|
2130
2130
|
// "All content-coding values are case-insensitive..."
|
|
2131
2131
|
/** @type {string[]} */
|
|
2132
2132
|
const codings = contentEncoding ? contentEncoding.toLowerCase().split(',') : []
|
|
2133
|
+
|
|
2134
|
+
// Limit the number of content-encodings to prevent resource exhaustion.
|
|
2135
|
+
// CVE fix similar to urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206).
|
|
2136
|
+
const maxContentEncodings = 5
|
|
2137
|
+
if (codings.length > maxContentEncodings) {
|
|
2138
|
+
reject(new Error(`too many content-encodings in response: ${codings.length}, maximum allowed is ${maxContentEncodings}`))
|
|
2139
|
+
return true
|
|
2140
|
+
}
|
|
2141
|
+
|
|
2133
2142
|
for (let i = codings.length - 1; i >= 0; --i) {
|
|
2134
2143
|
const coding = codings[i].trim()
|
|
2135
2144
|
// https://www.rfc-editor.org/rfc/rfc9112.html#section-7.2
|
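Review bot: the GHSA identifier in the new comment (GHSA-gm62-xv2j-4w53) differs from the one the README cites for the same change (GHSA-gm62-xv2j-4rw9); fix whichever is the typo so the two agree. On the check itself: the count is taken on the raw `split(',')` result before the `.trim()` that happens in the loop below, so a header like `gzip,,,,,,` is counted with its empty tokens; that is the conservative direction for a resource-exhaustion guard, but it deserves a comment so nobody later "fixes" it by filtering empties first, and a test with six codings plus one with empty tokens would lock the behaviour in. The rejection is a plain `Error`, whereas the Fetch Standard surfaces network errors to callers as `TypeError`; check whether this rejection is wrapped on the way out or whether the bare `Error` escapes to user code and breaks existing `TypeError`-based handling. After `reject(...)` the callback returns `true` before any decoder is created; confirm that the caller tears down the underlying request on this path so the server's body is not drained for nothing. Finally, `maxContentEncodings` is re-declared inside the per-response path; a module-level constant is the more conventional place for it.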