Skip to content

http: make req.headers have a null prototype#62900

Open
mcollina wants to merge 3 commits intonodejs:mainfrom
mcollina:http-server-headers-null-proto
Open

http: make req.headers have a null prototype#62900
mcollina wants to merge 3 commits intonodejs:mainfrom
mcollina:http-server-headers-null-proto

Conversation

@mcollina
Copy link
Copy Markdown
Member

@mcollina mcollina commented Apr 22, 2026

Make req.headers and req.trailers in http.createServer() have a null prototype, matching the existing behavior of headersDistinct and trailersDistinct. Also applies the same fix to HTTP/2 compatibility mode for req.trailers.

@mcollina
http: make req.headers have a null prototype
0a071d8 
Makes IncomingMessage.prototype.headers and trailers have a null
prototype, matching the existing behavior of headersDistinct and
trailersDistinct.

Fixes prototype pollution concerns where headers like __proto__
could be interpreted as prototype manipulation.

Refs: nodejs#61771

PR-URL: nodejs#61772
@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 22, 2026

Review requested:

  • @nodejs/http
  • @nodejs/http2
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added http Issues or PRs related to the http subsystem. http2 Issues or PRs related to the http2 subsystem. needs-ci PRs that need a full CI run. labels Apr 22, 2026
@mcollina mcollina added the semver-major PRs that contain breaking changes and should be released in the next major version. label Apr 22, 2026
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 22, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.63%. Comparing base (c3dd52a) to head (3a57b11).
⚠️ Report is 39 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62900      +/-   ##
==========================================
+ Coverage   89.61%   89.63%   +0.01%     
==========================================
  Files         706      706              
  Lines      219136   219203      +67     
  Branches    41981    41998      +17     
==========================================
+ Hits       196376   196478     +102     
+ Misses      14671    14618      -53     
- Partials     8089     8107      +18
Files with missing lines Coverage Δ
lib/_http_incoming.js 99.38% <100.00%> (ø)
lib/internal/http2/compat.js 96.93% <100.00%> (ø)

... and 71 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mcollina
http2/compat: make req.trailers have a null prototype
8c7c040 
In HTTP/2 compatibility mode, make request trailers have a null
prototype, matching the behavior of regular headers and trailers.
@mcollina mcollina force-pushed the http-server-headers-null-proto branch from fcc3070 to 8c7c040 Compare April 23, 2026 07:54
@panva panva added request-ci Add this label to start a Jenkins CI on a PR. author ready PRs that have at least one approval, no pending requests for changes, and a CI started. labels Apr 23, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 23, 2026
@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 23, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/72887/

lpinca
lpinca reviewed Apr 23, 2026
View reviewed changes
Comment thread test/parallel/test-http-server-headers-null-proto.js
}));
}

// Test 2: req.trailers has a null prototype
Copy link
Copy Markdown
Member

@lpinca lpinca Apr 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't see where this is checked, am I missing something?

@mcollina mcollina force-pushed the http-server-headers-null-proto branch from b202d30 to 6e4f221 Compare April 23, 2026 14:32
@mcollina mcollina force-pushed the http-server-headers-null-proto branch from 6e4f221 to 3a57b11 Compare April 23, 2026 15:27
@mcollina mcollina added the request-ci Add this label to start a Jenkins CI on a PR. label Apr 23, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 23, 2026
@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 23, 2026

CI: https://ci.nodejs.org/job/node-test-pull-request/72897/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ljharb ljharb ljharb approved these changes

@Qard Qard Qard approved these changes

@panva panva panva approved these changes

@lpinca lpinca lpinca approved these changes

@pimterry pimterry pimterry approved these changes

@watilde watilde watilde approved these changes

@Renegade334 Renegade334 Renegade334 approved these changes

@marco-ippolito marco-ippolito marco-ippolito approved these changes

@gurgunday gurgunday gurgunday approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. http Issues or PRs related to the http subsystem. http2 Issues or PRs related to the http2 subsystem. needs-ci PRs that need a full CI run. semver-major PRs that contain breaking changes and should be released in the next major version.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.