authorAnna Henningsen <anna@addaleax.net>2019-08-10 23:10:54 +0200
committerMichaƫl Zasso <targos@protonmail.com>2019-08-15 09:51:52 +0200
commitb4cfa521b8b0fbe5ee5815fcac3614cc0960f7d9 (patch)
treeee010c753c6f748befb870fc6873313a54636f4c /test
parenta54af9e1888c01f9a9553eb0e91664a249cabe96 (diff)
http2: handle 0-length headers better
Ignore headers with 0-length names and track memory for headers the way we track it for other HTTP/2 session memory too. This is intended to mitigate CVE-2019-9516. PR-URL: https://github.com/nodejs/node/pull/29122 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'test')
-rw-r--r--test/parallel/test-http2-zero-length-header.js25
1 files changed, 25 insertions, 0 deletions
diff --git a/test/parallel/test-http2-zero-length-header.js b/test/parallel/test-http2-zero-length-header.js
new file mode 100644
index 0000000000..7b142d75f0
--- /dev/null
+++ b/test/parallel/test-http2-zero-length-header.js
@@ -0,0 +1,25 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+ common.skip('missing crypto');
+
+const assert = require('assert');
+const http2 = require('http2');
+
+const server = http2.createServer();
+server.on('stream', (stream, headers) => {
+ assert.deepStrictEqual(headers, {
+ ':scheme': 'http',
+ ':authority': `localhost:${server.address().port}`,
+ ':method': 'GET',
+ ':path': '/',
+ 'bar': '',
+ '__proto__': null
+ });
+ stream.session.destroy();
+ server.close();
+});
+server.listen(0, common.mustCall(() => {
+ const client = http2.connect(`http://localhost:${server.address().port}/`);
+ client.request({ ':path': '/', '': 'foo', 'bar': '' }).end();
+}));
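Review bot: The `'stream'` handler that holds this test's only assertion is registered without `common.mustCall`, so nothing requires it to run; if the server never creates a stream for this request, the failure would surface as a hang or timeout rather than a clear assertion. Wrapping it as `server.on('stream', common.mustCall((stream, headers) => {` and closing with `}));` makes that expectation explicit. The test also only checks that the empty-named header is absent from the received headers. The memory accounting described in the commit message is not exercised here, and because this view is limited to `test/`, it is not visible whether the name is dropped on the sending or the receiving side. A short comment above the `deepStrictEqual` would help, saying that `'': 'foo'` must be ignored while the empty-valued `'bar'` must survive, and that `'__proto__': null` is there to match what is presumably a null-prototype headers object.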