From e96750b09771410070b8a642ffbe975353af8cc4 Mon Sep 17 00:00:00 2001
From: Khafra
Date: Mon, 9 Oct 2023 14:52:30 -0400
Subject: [PATCH] disallow setting host header in fetch

disallow setting host header in fetch
---
 lib/fetch/index.js | 2 ++
 test/fetch/issue-2318.js | 25 +++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 test/fetch/issue-2318.js

diff --git a/lib/fetch/index.js b/lib/fetch/index.js
index 1e50b5b11b3..8c98a646a0e 100644
--- a/lib/fetch/index.js
+++ b/lib/fetch/index.js
@@ -1406,6 +1406,8 @@ async function httpNetworkOrCacheFetch (
 }
 }
 
+ httpRequest.headersList.delete('host')
+
 // 20. If includeCredentials is true, then:
 if (includeCredentials) {
 // 1. If the user agent is not configured to block cookies for httpRequest
diff --git a/test/fetch/issue-2318.js b/test/fetch/issue-2318.js
new file mode 100644
index 00000000000..e4f610dc92f
--- /dev/null
+++ b/test/fetch/issue-2318.js
@@ -0,0 +1,25 @@
+'use strict'
+
+const { test } = require('tap')
+const { once } = require('events')
+const { createServer } = require('http')
+const { fetch } = require('../..')
+
+test('Undici overrides user-provided `Host` header', async (t) => {
+ t.plan(1)
+
+ const server = createServer((req, res) => {
+ t.equal(req.headers.host, `localhost:${server.address().port}`)
+
+ res.end()
+ }).listen(0)
+
+ t.teardown(server.close.bind(server))
+ await once(server, 'listening')
+
+ await fetch(`http://localhost:${server.address().port}`, {
+ headers: {
+ host: 'www.idk.org'
+ }
+ })
+})
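Review bot: The added `httpRequest.headersList.delete('host')` sits between numbered spec steps with no comment, so a later reader cannot tell it is a deliberate hardening step and not a stray line. I would put `// Not a spec step: drop any caller-supplied Host so the header sent always matches the request URL's authority.` directly above it. That matters for code that validates or allowlists the URL before calling fetch, since such a check means little if the server sees a different Host. The header is dropped silently, so a caller who sets `host` gets no signal that it was ignored, which is worth stating in the fetch documentation. httpNetworkOrCacheFetch starts and ends outside this hunk, so I cannot confirm that nothing later in the function re-adds the header.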
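Review bot: The test only passes a lowercase `host` key in a plain object, so it does not pin that differently cased input or a `Headers` instance is overridden as well. Header names are presumably normalised before they reach `headersList`, but that is not visible in this patch. A second request with `headers: { Host: 'www.idk.org' }` or `headers: new Headers({ Host: 'www.idk.org' })`, with `t.plan` raised to match, would guard against a regression in that normalisation.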