Fix minor DoS attack on long headers or uris.

[remy]

Replaces #170

This PR, which is really just this commit fixes the DoS attack that was merged into 4.x code, but applies it to the 3.x code.

This seemed important specifically because request relies on [email protected] and have said they're not ready to drop node < 4 support (which would come via hawk@4).

So this patch will offer a 3.1.x version that has the vuln fixed, which should allow request to update their dependencies.

This particular patch was generated for Snyk users, but we'd rather see users be able to do updates over patches in their remediation.

I hope this patch will be considered and merge (for release to 3.1.3). Thanks!

[remy]

Note: the linting errors were failing at the checkout point of 66dd8f9 - which is why the build is failing. I've only focused the changes on the vulnerability patch, and happy to take advice to get the build fully passing (or if you're happy to go without the linting checks?).

[hueniverse]

You need to also port the tests.

[remy]

By "port the tests" what exactly are you referring to? The failing lint that was inherited from the previous commit (which is why the test is failing) or something else?

[gergoerdosi]

The tests from this commit ("errors on uri too long", "errors on header too long", etc): 0833f99#diff-ad3c25167d0354b9b277e3ab6f375274R1000

[remy]

Perfect, will do.

[remy]

Extra tests included and coverage back to 100% (also cleaned up lib/client.js to fix linting fails).

[landau]

Thanks for the work, @remy @hueniverse !

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.