https: disallow boolean types for key and cert options

[jimmycann]

This is my first PR on the Node repository, your feedback is greatly appreciated.

When using https.createServer, passing boolean values for key and cert properties in the options object parameter doesn't throw an error an could lead to potential issues if they're accidentally passed.

This PR aims to throw a reasonable error if a boolean was passed to either of those properties.

Fixes: #12802

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• commit message follows commit guidelines

Affected core subsystem(s)

https

[addaleax]

By the way, we try to migrate to a new error system that allows for more flexibility in the future, it would be cool if you think you could take a look at using that.

[addaleax]

We don’t need the copyright header for new files.

[refack]

Hello @yjimk and welcome. Thank you very much for you contribution 🥇.
You've chosen an interesting case... While your change is correct, it checks for a very specific scenario so I'll give you a few of my observations:

1. I just followed the the documentation and found that some of the options passed to https.createServer are then passed to tls.createSecureContext, so it's probably a better place to put the validation.

   node/lib/_tls_common.js

   Lines 84 to 107 in 262d4b2

   	if (options.cert) {
   	if (Array.isArray(options.cert)) {
   	for (i = 0; i < options.cert.length; i++)
   	c.context.setCert(options.cert[i]);
   	} else {
   	c.context.setCert(options.cert);
   	}
   	}
   	// NOTE: It is important to set the key after the cert.
   	// `ssl_set_pkey` returns `0` when the key does not match the cert, but
   	// `ssl_set_cert` returns `1` and nullifies the key in the SSL structure
   	// which leads to the crash later on.
   	if (options.key) {
   	if (Array.isArray(options.key)) {
   	for (i = 0; i < options.key.length; i++) {
   	const key = options.key[i];
   	const passphrase = key.passphrase || options.passphrase;
   	c.context.setKey(key.pem || key, passphrase);
   	}
   	} else {
   	c.context.setKey(options.key, options.passphrase);
   	}
   	}

2. The documentation state that cert and key can be <string> | <string[]> | <Buffer> | <Buffer[]> | <Object[]> so it is probably better to assert that the option is one of those type, rather than trying to exclude everything else.
3. We are migration from using simply throw new Error() to a more structured error mechanism that includes an error code like -

   node/lib/path.js

   Line 28 in 262d4b2

   throw new errors.TypeError('ERR_INVALID_ARG_TYPE', 'path', 'string');

   
   the full guide is in https://github.com/nodejs/node/blob/master/doc/guides/using-internal-errors.md

[Trott]

Hi @yjimk! Welcome and thanks for the PR! I left a few comments with requested changes. Thanks again!

[Trott]

Line 41 guarantee that opts is an object so there is no need to check opts here or in line 46.

[Trott]

I don't think checking against all invalid values is the way to go. I think it should confirm it is a valid value and reject everything else.

[Trott]

These regular expressions would be better if they matched the entire message (that is, if they started with ^ and ended with $).

[Trott]

This and the other Error should be a TypeError.

[cjihrig]

LGTM with some cleanup.

[cjihrig]

You can reduce code duplication a lot here. All of these assert.throws() calls are essentially the same, with only the value of key, cert, and the regular expression changing. You can do something like this instead:

const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`);
const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`);
const invalidKeyRE = /^"options\.key" must not be a boolean$/;
const invalidCertRE = /^"options\.cert" must not be a boolean$/;

[
  [true, cert, invalidKeyRE],
  // Fill in other cases here
].forEach((params) => {
  assert.throws(() => {
    https.createServer({
      key: params[0],
      cert: params[1]
    });
  }, params[2]);
});

[silverwind]

I agree with @Trott, better verify for validity instead of checking single invalid values like booleans (e.g. whitelist over blacklist approach).

Also, I think the checks should also be done on tls.createServer and tls.createSecureContext, so I'd say the change should be done in the lowest level possible, which is tls.createSecureContext.

[jimmycann]

Thank you all for the super helpful and detailed feedback! I'll make those changes and see if I can get closer.

comments addressed, thanks

[jimmycann]

I believe I might have addressed all of the comments left with my latest commit. The new code is a bit of a departure from the old, so I hope it is OK and would appreciate any tips.

Particularly worried about using that function validateKeyCert from a naming perspective and also whether it conforms to the right method for type checking.

There are a few other things in that file that I noticed are a different style compared to other parts of the code, such as usage of for loops and var over let and const.

Thanks again for your great feedback and comments, it's been a fantastic learning experience.

[addaleax]

I think this is too strict, and instanceof Buffer is not a foolproof way to check for Buffers. Can you use ArrayBuffer.isView(value) instead and adjust the message accordingly (Buffers are just special Uint8Arrays, but all Uint8Arrays and other ArrayBufferViews should work, I think.).

[jimmycann]

Ah, brilliant! Replacing the two check works perfectly. I'll change this over and add some additional tests.

Regarding the new error message, it is currently ['string', 'buffer'] and I'm thinking it should change to ['string', 'ArrayBuffer'] with perhaps string => String. Would you have an opinion on how that should look?

[addaleax]

I don’t think we can list ArrayBuffer, as those are not ArrayBufferViews themselves.

Maybe ['string', 'Buffer', 'TypedArray', 'DataView']? That would match the message here:

node/lib/zlib.js

Line 231 in cde272a

'Invalid dictionary: it should be a Buffer, TypedArray, or DataView');

[jimmycann]

Perfect! Thank you, I'll create a commit for this change.

outdated

[jasnell]

There's been some recent work to simplify fixtures access...

example...

const fixtures = require('../common/fixtures');

const keyBuff = fixtures.readKey('agent1-key.pem');

[jimmycann]

Ah OK, cool. Thanks, I'll change that over too. The original test file was copied over from another and amended, hence the previous inclusion of the license comments and usage of the fs.readFileSync method of including the pem files. Is there are issue/task that you're aware of to update the older tests to use the newer methods? Something like that I feel like would be a useful task for me to take up in future.

[fl0w]

Since this PR relates to #12802 which is marked as "good first contribution", I'm going to ask a question (as I also intended on grabbing this). If this is inappropriate, delete my question and I'll take it to IRC or SO

From e92e64a extended commit message:

Arrays are now iterated using map instead of for for affected sections

What's the benefit of changing the loop type? I can't seem to find related review comment that (probably) requested the change.

[jimmycann]

RE: @fl0w, mostly due to personal preference toward map and other functional programming methods rather than for or forEach loops.

This tweet (although it mentions forEach instead of for) is the basis for my way of thinking.

https://twitter.com/_ericelliott/status/710571765844615168

I'd love to hear the fors and againsts on it though

...sorry

[jimmycann]

I've changed the type checking for buffer, but my knowledge of ArrayBuffers and DataViews is pretty limited.

[silverwind]

This map can be changed to a forEach because you're not using the return value.

[silverwind]

Same here.

[silverwind]

And here.

[silverwind]

Few nits, overall LGTM.

[silverwind]

RE: @fl0w, mostly due to personal preference toward map and other functional programming methods rather than for or forEach loops.

Sorry, just saw your comment after review. I personally see no benefit of using map over forEach if you're not going to return something/use the return value.

Node.js uses for a lot because as far as we know, it is still considerably faster than the prototype methods, thought that might have changed with TurboFan.

[jimmycann]

No problem, I'll change it over to use the forEach method. :)

[jasnell]

thought that might have changed with TurboFan

It does not appear to have changed by much.

[BridgeAR]

Landed in a7dccd0