/**
 * CVE-2026-21710 — Vulnerable Node.js HTTP Server
 *
 * Demonstrates a Node.js HTTP request-handling flaw: when a request carries a
 * header literally named `__proto__` and the application reads
 * req.headersDistinct, the getter throws a synchronous TypeError that no
 * `error` event listener can catch.
 *
 * Root cause: while the getter groups header values into an accumulator
 * object, dest["__proto__"] resolves to Object.prototype instead of
 * undefined, so .push() is invoked on a non-array.
 *
 * Affected: Node.js 20.x, 22.x, 24.x, 25.x
 *
 * Usage:
 *   node server.js        (start on port 3000)
 */
'use strict';

const http = require('http');

const PORT = 3000;

/**
 * Request handler containing the vulnerable sink.
 *
 * Reading req.headersDistinct with a `__proto__` header present raises
 * "TypeError: dest[name].push is not a function" synchronously inside the
 * getter; the exception escapes through the event loop and terminates the
 * process. On an unpatched runtime the access would have to be guarded up
 * front (for example by rejecting requests whose rawHeaders include a
 * `__proto__` name before the getter is touched) — that guard is
 * intentionally absent here so the behaviour stays reproducible.
 *
 * @param {http.IncomingMessage} req
 * @param {http.ServerResponse} res
 */
function handleRequest(req, res) {
  console.log(`[+] Incoming request: ${req.method} ${req.url}`);

  // ---- VULNERABLE SINK ----
  const distinct = req.headersDistinct;
  console.log('[+] headersDistinct:', distinct);

  res.writeHead(200, { 'Content-Type': 'text/plain' });
  res.end('OK\n');
}

/**
 * Server-level error listener. It never fires for the TypeError above: that
 * error is thrown from the request callback, not emitted on the server.
 *
 * @param {Error} err
 */
function onServerError(err) {
  console.error('[!] Server error (not triggered by CVE):', err);
}

/** Logs startup details once the socket is bound to loopback only. */
function onListening() {
  console.log(`[*] Vulnerable server listening on http://127.0.0.1:${PORT}`);
  console.log('[*] Send a normal request first, then run poc.js');
}

const server = http.createServer(handleRequest);
server.on('error', onServerError);
server.listen(PORT, '127.0.0.1', onListening);