bug: TRPC may create an invalid URL that crashes the server

[ivan-kleshnin]

Provide environment information

Machine agnostic

Describe the bug

Some bots or spammers might send invalid requests with URLs like:

hotmail-com.olc.protection.outlook.com%3A25... 

We've met the above, and here's a 3rd party library showcasing the same signature: https://github.com/sbordeyne/fastapi_spammer_protection/blob/fd4a3982c23cd4ab0f4761c9db603994c06fa19c/fastapi_spammer_protection/vulnerable_urls.py#L174

We've got some auxiliary servers, with exposed IPs, crashed by bots. Our main servers work behing Nginx which prevents the above from happening.

Here's where it happens:

https://github.com/trpc/trpc/blob/next/packages/server/src/adapters/node-http/incomingMessageToRequest.ts#L70

const url = `http://${headers.get('host')}${req.url}`;

The above code is buggy because req.url might be invalid, in particular not starting with a slash! So ${headers.get('host')}${req.url} becomes
something malformed of {domain}{domain} shape.

It leads to a hard crash of the server – it does not just return 400 or 500 or something, but completely stops to accept new connections, basically goes offline❗Some of this behavior might be NodeJS specific, but the issue starts in TRPC code. Couldn't investigate in more details due to the lack of time.

Proposed Solution

Validate that req.url starts with /.

Link to reproduction

I don't have enough time to prepare a sandbox, sorry, maybe a bit later.
It looks like a TRPC bug to me.

To reproduce

Create a server with http-node adapter and send a GET/POST with an invalid URL. E.g.

$ printf 'GET hotmail-com.olc.protection.outlook.com HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 2000

If anything – I'll contribute a sandbox next week.

Additional information

Copied from:
#6091 (comment)

👨‍👧‍👦 Contributing

• 🙋‍♂️ Yes, I'd be down to file a PR fixing this bug!

[juliusmarminge]

tried your reproduction:

import { once } from 'node:events';
import * as Http from 'node:http';
import * as Net from 'node:net';

const host = 'localhost';
const port = 3000;

const server = Http.createServer()
  .on('request', (req, res) => {
    res.writeHead(200);
    res.end('Hello World\n');
  })
  .on('connection', () => {
    console.log('Server got connection');
  })
  .listen(port, () => console.log('Listening on port ' + port));
await once(server, 'listening');

// Create a socket connection
const client = Net.createConnection(port, host, () => {
  // Construct the HTTP request
  const request =
    'GET hotmail-com.olc.protection.outlook.com HTTP/1.1\r\n' +
    'Host: localhost\r\n' +
    '\r\n';

  // Send the request
  client.write(request);
})
  .on('connect', () => {
    console.log('Client connected to server');
  })
  .on('data', (data) => {
    console.log('Response from server:\n', data.toString());
    client.end(); // Close the connection after receiving the response
  })
  .on('error', (err) => {
    console.error('Connection error:', err);
  })
  .on('end', () => {
    console.log('Disconnected from server');
  });

Output:

Listening on port 3000
Client connected to server
Server got connection
Response from server:
 HTTP/1.1 400 Bad Request
Connection: close


Disconnected from server

[KATT]

I did a small test in 421186e too, I can't reproduce it either

trpc/test.sh

Lines 1 to 7 in 421186e

	printf 'response 1\n'
	printf 'GET hotmail-com.olc.protection.outlook.com HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 2022
	printf '\n\n\n'
	echo "response 2:"
	printf 'GET /helloWorld HTTP/1.1\r\nHost: localhost\r\n\r\n' | nc localhost 2022

Output:

response 1
HTTP/1.1 400 Bad Request
Connection: close




response 2:
HTTP/1.1 200 OK
content-type: application/json
vary: trpc-accept
Date: Thu, 10 Oct 2024 00:30:19 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Transfer-Encoding: chunked

21
{"result":{"data":"Hello World"}}
0

[KATT]

We may, however, have a dangling promise here that maybe could crash the server due to a unhandled promise rejection if a middleware or similar throws.... 🤔

createServer should receive a (req, res) => void, but is receiving a (req, res) => Promise<void>

trpc/packages/server/src/adapters/standalone.ts

Lines 51 to 52 in 421186e

	const handler = createHTTPHandler(opts);
	return http.createServer(handler);

trpc/packages/server/src/adapters/standalone.ts

Lines 31 to 32 in 421186e

	) {
	return async (req: http.IncomingMessage, res: http.ServerResponse) => {

Not sure if this may be related to your crash reports or not

[ivan-kleshnin]

Hi, folks. Thanks for exploring the issue.

@juliusmarminge what you've tested is a pure NodeJS / Bun, the error occurs in TRPC code.

We've tried a new version and the error is now in a different place, but still present: Update: not true, fixed since rc-571

We'll explore it more and prepare a sandbox, hopefully his weekend, so don't spend your time on this for now 🙏

[juliusmarminge]

@juliusmarminge what you've tested is a pure NodeJS / Bun, the error occurs in TRPC code.

Yea but it doesn't even reach the request handler, so it would error before any trpc code would run???

[ivan-kleshnin]

Yea but it doesn't even reach the request handler, so it would error before any trpc code would run?

Looks like Bun behaves differently. It doesn't check for invalid URL, being a less mature tool.
We've rechecked the issue in more details:

1. It was observable only in Bun.
2. It's fixed with the recent update.

Here's a repro sandbox:
https://github.com/scabbiaza/trpc-issue-6094

Fails in Bun with TRPC rc-566, rc-544 (and supposedly earlier). No issue in NodeJS.
Since rc-571 works fine in both Bun and NodeJS. @KATT's fixes did help 👍

Thank you for the quick reaction to this.

[github-actions]

This issue has been locked because we are very unlikely to see comments on closed issues. If you are running into a similar issue, please create a new issue. Thank you.