
http: make req.headers have a null prototype #62900

Merged
nodejs-github-bot merged 3 commits into nodejs:main from mcollina:http-server-headers-null-proto
Apr 25, 2026

Conversation

@mcollina
Member

Make req.headers and req.trailers in http.createServer() have a null prototype, matching the existing behavior of headersDistinct and trailersDistinct. Also applies the same fix to HTTP/2 compatibility mode for req.trailers.

Makes IncomingMessage.prototype.headers and trailers have a null
prototype, matching the existing behavior of headersDistinct and
trailersDistinct.

Fixes prototype pollution concerns where headers like __proto__
could be interpreted as prototype manipulation.

Refs: nodejs#61771

PR-URL: nodejs#61772
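As an added illustration (not code from this PR or from Node itself), the following shows what a consumer of `req.headers` observes when a request carries a header named `__proto__`, first with a plain `{}` container (the pre-change behaviour) and then with a null-prototype container as this PR introduces. `RAW_HEADERS`, `collectHeaders` and `inspect` are constructed, simplified stand-ins, not Node's parser.

```javascript
// Added illustration, not Node's own code: how a header named "__proto__"
// behaves in a plain {} container versus a null-prototype one.

// Constructed raw header list in [name, value, name, value, ...] order,
// the shape a parser might hand over. The "__proto__" entry is client-chosen.
const RAW_HEADERS = [
  'Host', 'example.test',
  '__proto__', 'polluted',
  'Content-Type', 'text/plain',
];

// Simplified stand-in for header collection (not Node's parser): lowercase
// the name and assign. usePlainObject=true mirrors the pre-change {} container;
// false uses Object.create(null), which is what this PR switches to.
function collectHeaders(raw, usePlainObject) {
  const headers = usePlainObject ? {} : Object.create(null);
  for (let i = 0; i < raw.length; i += 2) {
    headers[raw[i].toLowerCase()] = raw[i + 1];
  }
  return headers;
}

// What a consumer of req.headers would actually observe.
function inspect(headers) {
  return {
    // Did the "__proto__" header survive as an ordinary own property?
    protoIsOwnKey: Object.hasOwn(headers, '__proto__'),
    // What does headers['__proto__'] return?
    protoLookup: headers['__proto__'],
    // Does a header that was never sent appear to be present anyway?
    constructorPresent: 'constructor' in headers,
    // How many headers does Object.keys() report?
    keyCount: Object.keys(headers).length,
  };
}

const legacy = inspect(collectHeaders(RAW_HEADERS, true));
const hardened = inspect(collectHeaders(RAW_HEADERS, false));

// With {}: the string assignment hits Object.prototype's __proto__ setter,
// which ignores non-object values, so the header is silently dropped, the
// lookup yields Object.prototype, and inherited names such as "constructor"
// look like present headers.
console.log('plain object:', legacy);
// With Object.create(null): "__proto__" is just another own key, and no
// inherited names leak into header lookups.
console.log('null prototype:', hardened);
```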
@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/http
  • @nodejs/http2
  • @nodejs/net

@nodejs-github-bot nodejs-github-bot added http Issues or PRs related to the http subsystem. http2 Issues or PRs related to the http2 subsystem. needs-ci PRs that need a full CI run. labels Apr 22, 2026
@mcollina mcollina added the semver-major PRs that contain breaking changes and should be released in the next major version. label Apr 22, 2026
@codecov

codecov Bot commented Apr 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.63%. Comparing base (c3dd52a) to head (3a57b11).
⚠️ Report is 86 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #62900      +/-   ##
==========================================
+ Coverage   89.61%   89.63%   +0.01%     
==========================================
  Files         706      706              
  Lines      219136   219203      +67     
  Branches    41981    41998      +17     
==========================================
+ Hits       196376   196478     +102     
+ Misses      14671    14618      -53     
- Partials     8089     8107      +18     
Files with missing lines        Coverage           Δ
lib/_http_incoming.js           99.38% <100.00%>   (ø)
lib/internal/http2/compat.js    96.93% <100.00%>   (ø)

... and 71 files with indirect coverage changes


In HTTP/2 compatibility mode, make request trailers have a null
prototype, matching the behavior of regular headers and trailers.
@mcollina mcollina force-pushed the http-server-headers-null-proto branch from fcc3070 to 8c7c040 on April 23, 2026 07:54
@panva panva added request-ci Add this label to start a Jenkins CI on a PR. author ready PRs that have at least one approval, no pending requests for changes, and a CI started. labels Apr 23, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 23, 2026
@mcollina mcollina force-pushed the http-server-headers-null-proto branch from b202d30 to 6e4f221 on April 23, 2026 14:32
@mcollina mcollina force-pushed the http-server-headers-null-proto branch from 6e4f221 to 3a57b11 on April 23, 2026 15:27
@mcollina mcollina added the request-ci Add this label to start a Jenkins CI on a PR. label Apr 23, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 23, 2026
@mcollina mcollina added the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 24, 2026
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Apr 24, 2026
@nodejs-github-bot
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/62900
✔  Done loading data for nodejs/node/pull/62900
----------------------------------- PR info ------------------------------------
Title      http: make req.headers have a null prototype (#62900)
Author     Matteo Collina <matteo.collina@gmail.com> (@mcollina)
Branch     mcollina:http-server-headers-null-proto -> nodejs:main
Labels     http, semver-major, http2, author ready, needs-ci
Commits    3
 - http: make req.headers have a null prototype
 - http2/compat: make req.trailers have a null prototype
 - test: actually check req.trailers null prototype in http-server-heade…
Committers 1
 - Matteo Collina <hello@matteocollina.com>
PR-URL: https://github.com/nodejs/node/pull/62900
Reviewed-By: Jordan Harband <ljharb@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Wed, 22 Apr 2026 21:54:51 GMT
   ✔  Approvals: 9
   ✔  - Jordan Harband (@ljharb): https://github.com/nodejs/node/pull/62900#pullrequestreview-4158266135
   ✔  - Stephen Belanger (@Qard): https://github.com/nodejs/node/pull/62900#pullrequestreview-4159826483
   ✔  - Gürgün Dayıoğlu (@gurgunday): https://github.com/nodejs/node/pull/62900#pullrequestreview-4159918734
   ✔  - Tim Perry (@pimterry): https://github.com/nodejs/node/pull/62900#pullrequestreview-4161042392
   ✔  - Filip Skokan (@panva) (TSC): https://github.com/nodejs/node/pull/62900#pullrequestreview-4161690281
   ✔  - Daijiro Wachi (@watilde): https://github.com/nodejs/node/pull/62900#pullrequestreview-4161955983
   ✔  - René (@Renegade334): https://github.com/nodejs/node/pull/62900#pullrequestreview-4161978817
   ✔  - Luigi Pinca (@lpinca): https://github.com/nodejs/node/pull/62900#pullrequestreview-4163758697
   ✔  - Marco Ippolito (@marco-ippolito) (TSC): https://github.com/nodejs/node/pull/62900#pullrequestreview-4164814792
   ✔  Last GitHub CI successful
   ℹ  Last Full PR CI on 2026-04-23T21:02:08Z: https://ci.nodejs.org/job/node-test-pull-request/72897/
- Querying data for job/node-test-pull-request/72897/
✔  Build data downloaded
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  No git cherry-pick in progress
   ✔  No git am in progress
   ✔  No git rebase in progress
--------------------------------------------------------------------------------
- Bringing origin/main up to date...
From https://github.com/nodejs/node
 * branch                  main       -> FETCH_HEAD
✔  origin/main is now up-to-date
- Downloading patch for 62900
From https://github.com/nodejs/node
 * branch                  refs/pull/62900/merge -> FETCH_HEAD
✔  Fetched commits as 24280308dc9d..3a57b11e2fd3
--------------------------------------------------------------------------------
[main bfd78aa23d] http: make req.headers have a null prototype
 Author: Matteo Collina <hello@matteocollina.com>
 Date: Tue Apr 21 10:44:34 2026 +0000
 11 files changed, 118 insertions(+), 22 deletions(-)
 create mode 100644 test/parallel/test-http-server-headers-null-proto.js
[main 63b779a8d6] http2/compat: make req.trailers have a null prototype
 Author: Matteo Collina <hello@matteocollina.com>
 Date: Wed Apr 22 06:15:02 2026 +0000
 10 files changed, 59 insertions(+), 61 deletions(-)
Auto-merging doc/api/http.md
[main 09115ad9ec] test: actually check req.trailers null prototype in http-server-headers-null-proto
 Author: Matteo Collina <hello@matteocollina.com>
 Date: Thu Apr 23 15:27:08 2026 +0000
 3 files changed, 28 insertions(+), 1 deletion(-)
   ✔  Patches applied
There are 3 commits in the PR. Attempting autorebase.
(node:356) [DEP0190] DeprecationWarning: Passing args to a child process with shell option true can lead to security vulnerabilities, as the arguments are not escaped, only concatenated.
(Use `node --trace-deprecation ...` to show where the warning was created)
Rebasing (2/6)
Executing: git node land --amend --yes
--------------------------------- New Message ----------------------------------
http: make req.headers have a null prototype

Makes IncomingMessage.prototype.headers and trailers have a null
prototype, matching the existing behavior of headersDistinct and
trailersDistinct.

Fixes prototype pollution concerns where headers like __proto__
could be interpreted as prototype manipulation.

Refs: #61771

PR-URL: #62900
Reviewed-By: Jordan Harband <ljharb@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>

[detached HEAD b8043b532c] http: make req.headers have a null prototype
Author: Matteo Collina <hello@matteocollina.com>
Date: Tue Apr 21 10:44:34 2026 +0000
11 files changed, 118 insertions(+), 22 deletions(-)
create mode 100644 test/parallel/test-http-server-headers-null-proto.js
Rebasing (3/6)
Rebasing (4/6)
Executing: git node land --amend --yes
--------------------------------- New Message ----------------------------------
http2/compat: make req.trailers have a null prototype

In HTTP/2 compatibility mode, make request trailers have a null
prototype, matching the behavior of regular headers and trailers.

PR-URL: #62900
Reviewed-By: Jordan Harband <ljharb@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>

[detached HEAD e223f2302b] http2/compat: make req.trailers have a null prototype
Author: Matteo Collina <hello@matteocollina.com>
Date: Wed Apr 22 06:15:02 2026 +0000
10 files changed, 59 insertions(+), 61 deletions(-)
Rebasing (5/6)
Rebasing (6/6)
Executing: git node land --amend --yes
--------------------------------- New Message ----------------------------------
test: actually check req.trailers null prototype in http-server-headers-null-proto

PR-URL: #62900
Reviewed-By: Jordan Harband <ljharb@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>

[detached HEAD 1fc08c6ed1] test: actually check req.trailers null prototype in http-server-headers-null-proto
Author: Matteo Collina <hello@matteocollina.com>
Date: Thu Apr 23 15:27:08 2026 +0000
3 files changed, 28 insertions(+), 1 deletion(-)
Successfully rebased and updated refs/heads/main.

ℹ Add commit-queue-squash label to land the PR as one commit, or commit-queue-rebase to land as separate commits.

https://github.com/nodejs/node/actions/runs/24914037254

@mcollina mcollina added commit-queue Add this label to land a pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. commit-queue Add this label to land a pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. labels Apr 25, 2026
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 25, 2026
@nodejs-github-bot nodejs-github-bot merged commit 21436f0 into nodejs:main Apr 25, 2026
87 checks passed
@nodejs-github-bot
Collaborator

Landed in 21436f0
