http2: omit server name when HTTP2 host is IP address

islandryu · islandryu · commit ed64f1c5fdb2 · 2025-01-09T17:03:35.000+09:00
Fixes: nodejs#56189
diff --git a/lib/internal/http2/core.js b/lib/internal/http2/core.js
@@ -636,15 +636,21 @@ function initOriginSet(session) {
   if (originSet === undefined) {
     const socket = session[kSocket];
     session[kState].originSet = originSet = new SafeSet();
-    if (socket.servername != null) {
-      let originString = `https://${socket.servername}`;
-      if (socket.remotePort != null)
-        originString += `:${socket.remotePort}`;
-      // We have to ensure that it is a properly serialized
-      // ASCII origin string. The socket.servername might not
-      // be properly ASCII encoded.
-      originSet.add(getURLOrigin(originString));
+    let hostName = socket.servername;
+    if (hostName === null || hostName === false) {
+      if (socket.remoteFamily === 'IPv6') {
+        hostName = `[${socket.remoteAddress}]`;
+      } else {
+        hostName = socket.remoteAddress;
+      }
     }
+    let originString = `https://${hostName}`;
+    if (socket.remotePort != null)
+      originString += `:${socket.remotePort}`;
+    // We have to ensure that it is a properly serialized
+    // ASCII origin string. The socket.servername might not
+    // be properly ASCII encoded.
+    originSet.add(getURLOrigin(originString));
   }
   return originSet;
 }
@@ -3333,7 +3339,7 @@ function connect(authority, options, listener) {
         socket = net.connect({ port, host, ...options });
         break;
       case 'https:':
-        socket = tls.connect(port, host, initializeTLSOptions(options, host));
+        socket = tls.connect(port, host, initializeTLSOptions(options, net.isIP(host) ? undefined : host));
         break;
       default:
         throw new ERR_HTTP2_UNSUPPORTED_PROTOCOL(protocol);
diff --git a/test/parallel/test-http2-ip-address-host.js b/test/parallel/test-http2-ip-address-host.js
@@ -0,0 +1,59 @@
+'use strict';
+
+const common = require('../common'); if (!common.hasCrypto) { common.skip('missing crypto'); };
+const assert = require('assert');
+const fixtures = require('../common/fixtures');
+const h2 = require('http2');
+
+function loadKey(keyname) {
+  return fixtures.readKey(keyname, 'binary');
+}
+
+const key = loadKey('agent8-key.pem');
+const cert = fixtures.readKey('agent8-cert.pem');
+
+const server = h2.createSecureServer({ key, cert });
+server.on('stream', common.mustCall((stream) => {
+  const session = stream.session;
+  assert.strictEqual(session.servername, undefined);
+  stream.respond({ 'content-type': 'application/json' });
+  stream.end(JSON.stringify({
+    servername: session.servername,
+    originSet: session.originSet
+  })
+  );
+}, 2));
+server.on('close', common.mustCall());
+server.listen(0, common.mustCall(async () => {
+  await new Promise((resolve) => {
+    const client = h2.connect(`https://127.0.0.1:${server.address().port}`,
+                              { rejectUnauthorized: false });
+    const req = client.request();
+    let data = '';
+    req.setEncoding('utf8');
+    req.on('data', (d) => data += d);
+    req.on('end', common.mustCall(() => {
+      const originSet = req.session.originSet;
+      assert.strictEqual(originSet[0], `https://127.0.0.1:${server.address().port}`);
+      client.close();
+      resolve();
+    }));
+  });
+
+  await new Promise((resolve) => {
+    // Test with IPv6 address
+    const client = h2.connect(`https://[::1]:${server.address().port}`,
+                              { rejectUnauthorized: false });
+    const req = client.request();
+    let data = '';
+    req.setEncoding('utf8');
+    req.on('data', (d) => data += d);
+    req.on('end', common.mustCall(() => {
+      const originSet = req.session.originSet;
+      assert.strictEqual(originSet[0], `https://[::1]:${server.address().port}`);
+      client.close();
+      resolve();
+    }));
+  });
+  server.close();
+}));
