fix: 🐛 request.url getter fails when using IPv6 and HTTP2 [#4560] #4559
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gsoldevila
force-pushed
the
fix/4556-protect-invalid-ipv6-in-request-url
branch
from
3eb41e7 to
4f47a71
Compare
gsoldevila
changed the title
gsoldevila
changed the title
gsoldevila
commented
Nov 7, 2025
|
|
||
| const req = request.raw.req; | ||
| const host = req.headers.host ? req.headers.host.trim() : ''; | ||
| const host = (req.headers.host || req.headers[':authority'] || '').trim(); |
Author
There was a problem hiding this comment.
Perhaps we could test if the req is an IPv6 request somehow, and choose Host or :authority accordingly. WDYT?
Contributor
There was a problem hiding this comment.
Yes, that would be great and expect if we want this included. I've done some light digging and come up with the following to help this along:
https://github.com/hapijs/hapi/blob/master/lib/core.js#L334 listens for whatever host / address you pass it, you can set it to loopback :: to bind to ipv6
Test it using builtins that only request IPv6
const http = require('http');
const options = {
hostname: '::1', // The IPv6 loopback address of your local server
port: 3000,
path: '/',
method: 'GET',
family: 6 // Force IPv6
};
const req = http.request(options, (res) => {
console.log(`STATUS: ${res.statusCode}`);
res.setEncoding('utf8');
res.on('data', (chunk) => {
console.log(`BODY: ${chunk}`);
});
});
req.on('error', (e) => {
console.error(`problem with request: ${e.message}`);
});
req.end();
or alternatively, reuse some of the patterns in hapi tests: https://github.com/hapijs/hapi/blob/master/test/core.js#L925
The right place to add those tests would be https://github.com/hapijs/hapi/blob/master/test/core.js
Checkout some of the commentary around ipv6:
https://github.com/hapijs/hapi/blob/master/test/core.js#L102
https://github.com/hapijs/hapi/blob/master/test/core.js#L711
Seems like there's no explicit ipv6 tests, and they would need to be done only if the host machine has ipv6 enabled to prevent false positives.
Hope this helps!
This was referenced Nov 7, 2025
gsoldevila
added a commit
to elastic/kibana
that referenced
this pull request
Nov 11, 2025
…#242241) ## Summary Workarounds #236380 The official way to address this is with the following issue + PR on hapijs/hapi side: * hapijs/hapi#4560 * hapijs/hapi#4559 Until then, we can inject the Host information that Hapi relies on when it builds the `url` string.
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 11, 2025
…elastic#242241) ## Summary Workarounds elastic#236380 The official way to address this is with the following issue + PR on hapijs/hapi side: * hapijs/hapi#4560 * hapijs/hapi#4559 Until then, we can inject the Host information that Hapi relies on when it builds the `url` string. (cherry picked from commit 0d41ec2)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 11, 2025
…elastic#242241) ## Summary Workarounds elastic#236380 The official way to address this is with the following issue + PR on hapijs/hapi side: * hapijs/hapi#4560 * hapijs/hapi#4559 Until then, we can inject the Host information that Hapi relies on when it builds the `url` string. (cherry picked from commit 0d41ec2)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 11, 2025
…elastic#242241) ## Summary Workarounds elastic#236380 The official way to address this is with the following issue + PR on hapijs/hapi side: * hapijs/hapi#4560 * hapijs/hapi#4559 Until then, we can inject the Host information that Hapi relies on when it builds the `url` string. (cherry picked from commit 0d41ec2)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 11, 2025
…elastic#242241) ## Summary Workarounds elastic#236380 The official way to address this is with the following issue + PR on hapijs/hapi side: * hapijs/hapi#4560 * hapijs/hapi#4559 Until then, we can inject the Host information that Hapi relies on when it builds the `url` string. (cherry picked from commit 0d41ec2)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #4560
Problem
In HTTP2 the
Host:header is no longer present. According to the spec:Host:header.Host:header is missing, so the request.url getter) uses thehost:portfrom the _core.info.::1), the getter ends up building an invalid URL, as the host name is not surrounded by square brackets. An IPv6 address like2001:db8::1:8080would be ambiguous, as8080could be interpreted as the last segment of the IP address rather than the port.Solution
The PR updates the request logic in 2 places:
:authorityifHostheader is NOT present.::1) in square brackets[::1].