http: make req.headers have a null prototype

mcollina · web-flow · commit 21436f04057b · 2026-04-25T09:28:53.000Z
Makes IncomingMessage.prototype.headers and trailers have a null prototype, matching the existing behavior of headersDistinct and trailersDistinct. Fixes prototype pollution concerns where headers like __proto__ could be interpreted as prototype manipulation. Refs: #61771 PR-URL: #62900 Reviewed-By: Jordan Harband <ljharb@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day> Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
diff --git a/doc/api/http.md b/doc/api/http.md
@@ -2864,6 +2864,9 @@ The request/response headers object.
 
 Key-value pairs of header names and values. Header names are lower-cased.
 
+The object has a null prototype and should not be accessed using the `in`
+operator.
+
 ```js
 // Prints something like:
 //
@@ -2901,6 +2904,9 @@ added:
 Similar to [`message.headers`][], but there is no join logic and the values are
 always arrays of strings, even for headers received just once.
 
+The object has a null prototype and should not be accessed using the `in`
+operator.
+
 ```js
 // Prints something like:
 //
@@ -3087,6 +3093,9 @@ added: v0.3.0
 
 The request/response trailers object. Only populated at the `'end'` event.
 
+The object has a null prototype and should not be accessed using the `in`
+operator.
+
 ### `message.trailersDistinct`
 
 <!-- YAML
@@ -3101,6 +3110,9 @@ Similar to [`message.trailers`][], but there is no join logic and the values are
 always arrays of strings, even for headers received just once.
 Only populated at the `'end'` event.
 
+The object has a null prototype and should not be accessed using the `in`
+operator.
+
 ### `message.url`
 
 <!-- YAML
diff --git a/doc/api/http2.md b/doc/api/http2.md
@@ -4120,6 +4120,9 @@ The request/response headers object.
 
 Key-value pairs of header names and values. Header names are lower-cased.
 
+The object has a null prototype and should not be accessed using the `in`
+operator.
+
 ```js
 // Prints something like:
 //
@@ -4279,6 +4282,9 @@ added: v8.4.0
 
 The request/response trailers object. Only populated at the `'end'` event.
 
+The object has a null prototype and should not be accessed using the `in`
+operator.
+
 #### `request.url`
 
 <!-- YAML
diff --git a/lib/_http_incoming.js b/lib/_http_incoming.js
@@ -112,7 +112,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'headers', {
   __proto__: null,
   get: function() {
     if (!this[kHeaders]) {
-      this[kHeaders] = {};
+      this[kHeaders] = { __proto__: null };
 
       const src = this.rawHeaders;
       const dst = this[kHeaders];
@@ -152,7 +152,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'trailers', {
   __proto__: null,
   get: function() {
     if (!this[kTrailers]) {
-      this[kTrailers] = {};
+      this[kTrailers] = { __proto__: null };
 
       const src = this.rawTrailers;
       const dst = this[kTrailers];
diff --git a/lib/internal/http2/compat.js b/lib/internal/http2/compat.js
@@ -319,7 +319,7 @@ class Http2ServerRequest extends Readable {
     // initialization using Object.create(null) in HTTP/2 is intentional.
     this[kHeaders] = headers;
     this[kRawHeaders] = rawHeaders;
-    this[kTrailers] = {};
+    this[kTrailers] = { __proto__: null };
     this[kRawTrailers] = [];
     this[kStream] = stream;
     this[kAborted] = false;
diff --git a/test/parallel/test-http-blank-header.js b/test/parallel/test-http-blank-header.js
@@ -28,11 +28,10 @@ const net = require('net');
 const server = http.createServer(common.mustCall((req, res) => {
   assert.strictEqual(req.method, 'GET');
   assert.strictEqual(req.url, '/blah');
-  assert.deepStrictEqual(req.headers, {
-    host: 'example.org:443',
-    origin: 'http://example.org',
-    cookie: ''
-  });
+  assert.deepStrictEqual(req.headers, { __proto__: null,
+                                        host: 'example.org:443',
+                                        origin: 'http://example.org',
+                                        cookie: '' });
 }));
 
 
diff --git a/test/parallel/test-http-client-headers-array.js b/test/parallel/test-http-client-headers-array.js
@@ -7,12 +7,11 @@ const http = require('http');
 
 function execute(options) {
   http.createServer(common.mustCall(function(req, res) {
-    const expectHeaders = {
-      'x-foo': 'boom',
-      'cookie': 'a=1; b=2; c=3',
-      'connection': 'keep-alive',
-      'host': 'example.com',
-    };
+    const expectHeaders = { '__proto__': null,
+                            'x-foo': 'boom',
+                            'cookie': 'a=1; b=2; c=3',
+                            'connection': 'keep-alive',
+                            'host': 'example.com' };
 
     // no Host header when you set headers an array
     if (!Array.isArray(options.headers)) {
diff --git a/test/parallel/test-http-content-length.js b/test/parallel/test-http-content-length.js
@@ -4,20 +4,17 @@ const assert = require('assert');
 const http = require('http');
 const Countdown = require('../common/countdown');
 
-const expectedHeadersMultipleWrites = {
-  'connection': 'keep-alive',
-  'transfer-encoding': 'chunked',
-};
+const expectedHeadersMultipleWrites = { '__proto__': null,
+                                        'connection': 'keep-alive',
+                                        'transfer-encoding': 'chunked' };
 
-const expectedHeadersEndWithData = {
-  'connection': 'keep-alive',
-  'content-length': String('hello world'.length),
-};
+const expectedHeadersEndWithData = { '__proto__': null,
+                                     'connection': 'keep-alive',
+                                     'content-length': String('hello world'.length) };
 
-const expectedHeadersEndNoData = {
-  'connection': 'keep-alive',
-  'content-length': '0',
-};
+const expectedHeadersEndNoData = { '__proto__': null,
+                                   'connection': 'keep-alive',
+                                   'content-length': '0' };
 
 
 const countdown = new Countdown(3, () => server.close());
@@ -62,7 +59,9 @@ server.listen(0, common.mustCall(function() {
   req.write('hello ');
   req.end('world');
   req.on('response', common.mustCall((res) => {
-    assert.deepStrictEqual(res.headers, { ...expectedHeadersMultipleWrites, 'keep-alive': 'timeout=1' });
+    assert.deepStrictEqual(res.headers, {
+      '__proto__': null, ...expectedHeadersMultipleWrites, 'keep-alive': 'timeout=1',
+    });
     res.resume();
   }));
 
@@ -74,7 +73,9 @@ server.listen(0, common.mustCall(function() {
   req.removeHeader('Date');
   req.end('hello world');
   req.on('response', common.mustCall((res) => {
-    assert.deepStrictEqual(res.headers, { ...expectedHeadersEndWithData, 'keep-alive': 'timeout=1' });
+    assert.deepStrictEqual(res.headers, {
+      '__proto__': null, ...expectedHeadersEndWithData, 'keep-alive': 'timeout=1',
+    });
     res.resume();
   }));
 
@@ -86,7 +87,7 @@ server.listen(0, common.mustCall(function() {
   req.removeHeader('Date');
   req.end();
   req.on('response', common.mustCall((res) => {
-    assert.deepStrictEqual(res.headers, { ...expectedHeadersEndNoData, 'keep-alive': 'timeout=1' });
+    assert.deepStrictEqual(res.headers, { '__proto__': null, ...expectedHeadersEndNoData, 'keep-alive': 'timeout=1' });
     res.resume();
   }));
 
diff --git a/test/parallel/test-http-multiple-headers.js b/test/parallel/test-http-multiple-headers.js
@@ -19,13 +19,12 @@ const server = createServer(
       'Host', host,
       'Transfer-Encoding', 'chunked',
     ]);
-    assert.deepStrictEqual(req.headers, {
-      'connection': 'close',
-      'x-req-a': 'eee, fff, ggg, hhh',
-      'x-req-b': 'iii; jjj; kkk; lll',
-      host,
-      'transfer-encoding': 'chunked'
-    });
+    assert.deepStrictEqual(req.headers, { '__proto__': null,
+                                          'connection': 'close',
+                                          'x-req-a': 'eee, fff, ggg, hhh',
+                                          'x-req-b': 'iii; jjj; kkk; lll',
+                                          host,
+                                          'transfer-encoding': 'chunked' });
     assert.deepStrictEqual(req.headersDistinct, Object.assign({ __proto__: null }, {
       'connection': ['close'],
       'x-req-a': ['eee', 'fff', 'ggg', 'hhh'],
@@ -41,7 +40,7 @@ const server = createServer(
         'X-req-Y', 'zzz; www',
       ]);
       assert.deepStrictEqual(
-        req.trailers, { 'x-req-x': 'xxx, yyy', 'x-req-y': 'zzz; www' }
+        req.trailers, { '__proto__': null, 'x-req-x': 'xxx, yyy', 'x-req-y': 'zzz; www' }
       );
       assert.deepStrictEqual(
         req.trailersDistinct,
@@ -124,14 +123,13 @@ server.listen(0, common.mustCall(() => {
       'x-res-d', 'JJJ; KKK; LLL',
       'Transfer-Encoding', 'chunked',
     ]);
-    assert.deepStrictEqual(res.headers, {
-      'x-res-a': 'AAA, BBB, CCC',
-      'x-res-b': 'DDD; EEE; FFF; GGG',
-      'connection': 'close',
-      'x-res-c': 'HHH, III',
-      'x-res-d': 'JJJ; KKK; LLL',
-      'transfer-encoding': 'chunked'
-    });
+    assert.deepStrictEqual(res.headers, { '__proto__': null,
+                                          'x-res-a': 'AAA, BBB, CCC',
+                                          'x-res-b': 'DDD; EEE; FFF; GGG',
+                                          'connection': 'close',
+                                          'x-res-c': 'HHH, III',
+                                          'x-res-d': 'JJJ; KKK; LLL',
+                                          'transfer-encoding': 'chunked' });
     assert.deepStrictEqual(res.headersDistinct, Object.assign({ __proto__: null }, {
       'x-res-a': [ 'AAA', 'BBB', 'CCC' ],
       'x-res-b': [ 'DDD; EEE; FFF; GGG' ],
@@ -149,7 +147,7 @@ server.listen(0, common.mustCall(() => {
       ]);
       assert.deepStrictEqual(
         res.trailers,
-        { 'x-res-x': 'XXX, YYY', 'x-res-y': 'ZZZ; WWW' }
+        { '__proto__': null, 'x-res-x': 'XXX, YYY', 'x-res-y': 'ZZZ; WWW' }
       );
       assert.deepStrictEqual(
         res.trailersDistinct,
diff --git a/test/parallel/test-http-raw-headers.js b/test/parallel/test-http-raw-headers.js
@@ -36,12 +36,11 @@ http.createServer(common.mustCall(function(req, res) {
     'Connection',
     'keep-alive',
   ];
-  const expectHeaders = {
-    'host': `localhost:${this.address().port}`,
-    'transfer-encoding': 'CHUNKED',
-    'x-bar': 'yoyoyo',
-    'connection': 'keep-alive'
-  };
+  const expectHeaders = { '__proto__': null,
+                          'host': `localhost:${this.address().port}`,
+                          'transfer-encoding': 'CHUNKED',
+                          'x-bar': 'yoyoyo',
+                          'connection': 'keep-alive' };
   const expectRawTrailers = [
     'x-bAr',
     'yOyOyOy',
@@ -52,7 +51,7 @@ http.createServer(common.mustCall(function(req, res) {
     'X-baR',
     'OyOyOyO',
   ];
-  const expectTrailers = { 'x-bar': 'yOyOyOy, OyOyOyO, yOyOyOy, OyOyOyO' };
+  const expectTrailers = { '__proto__': null, 'x-bar': 'yOyOyOy, OyOyOyO, yOyOyOy, OyOyOyO' };
 
   this.close();
 
@@ -98,13 +97,12 @@ http.createServer(common.mustCall(function(req, res) {
       'Transfer-Encoding',
       'chunked',
     ];
-    const expectHeaders = {
-      'keep-alive': 'timeout=1',
-      'trailer': 'x-foo',
-      'date': null,
-      'connection': 'keep-alive',
-      'transfer-encoding': 'chunked'
-    };
+    const expectHeaders = { '__proto__': null,
+                            'keep-alive': 'timeout=1',
+                            'trailer': 'x-foo',
+                            'date': null,
+                            'connection': 'keep-alive',
+                            'transfer-encoding': 'chunked' };
     res.rawHeaders[5] = null;
     res.headers.date = null;
     assert.deepStrictEqual(res.rawHeaders, expectRawHeaders);
@@ -120,7 +118,7 @@ http.createServer(common.mustCall(function(req, res) {
         'X-foO',
         'OxOxOxO',
       ];
-      const expectTrailers = { 'x-foo': 'xOxOxOx, OxOxOxO, xOxOxOx, OxOxOxO' };
+      const expectTrailers = { '__proto__': null, 'x-foo': 'xOxOxOx, OxOxOxO, xOxOxOx, OxOxOxO' };
 
       assert.deepStrictEqual(res.rawTrailers, expectRawTrailers);
       assert.deepStrictEqual(res.trailers, expectTrailers);
diff --git a/test/parallel/test-http-remove-header-stays-removed.js b/test/parallel/test-http-remove-header-stays-removed.js
@@ -50,7 +50,7 @@ const server = http.createServer(common.mustCall(function(request, response) {
 server.listen(0, common.mustCall(function() {
   http.get({ port: this.address().port }, common.mustCall((res) => {
     assert.strictEqual(res.statusCode, 200);
-    assert.deepStrictEqual(res.headers, { date: 'coffee o clock' });
+    assert.deepStrictEqual(res.headers, { __proto__: null, date: 'coffee o clock' });
 
     let response = '';
     res.setEncoding('ascii');
diff --git a/test/parallel/test-http-server-headers-null-proto.js b/test/parallel/test-http-server-headers-null-proto.js
diff --git a/test/parallel/test-http-upgrade-agent.js b/test/parallel/test-http-upgrade-agent.js
diff --git a/test/parallel/test-http-upgrade-client.js b/test/parallel/test-http-upgrade-client.js
diff --git a/test/parallel/test-http-upgrade-server-with-body-and-extras.mjs b/test/parallel/test-http-upgrade-server-with-body-and-extras.mjs
diff --git a/test/parallel/test-http2-compat-serverrequest-trailers.js b/test/parallel/test-http2-compat-serverrequest-trailers.js
