From 61d4afed05efdeb3faf3c3a3f31818163e9c3d79 Mon Sep 17 00:00:00 2001 From: Nicholas Clawson Date: Wed, 23 Nov 2016 11:23:26 -0800 Subject: [PATCH 1/2] Gracefully handle invalid status codes --- lib/response.js | 25 +++++++++++++++---------- test/res.status.js | 36 ++++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 10 deletions(-) diff --git a/lib/response.js b/lib/response.js index 6ab51223310..e0960e47944 100644 --- a/lib/response.js +++ b/lib/response.js @@ -56,8 +56,14 @@ var charsetRegExp = /;\s*charset\s*=/; * @public */ -res.status = function status(code) { - this.statusCode = code; +res.status = function status(statusCode) { + // check that status code is valid + statusCode = parseInt(statusCode, 10); + if (Number.isNaN(statusCode) || statusCode < 100 || statusCode > 999) { + throw new TypeError('Invalid status code.'); + } + + this.statusCode = statusCode; return this; }; @@ -110,7 +116,7 @@ res.send = function send(body) { // support res.send(status, body) if (arguments.length === 2) { deprecate('res.send(status, body): Use res.status(status).send(body) instead'); - this.statusCode = arguments[0]; + this.status(arguments[0]); chunk = arguments[1]; } @@ -169,7 +175,7 @@ res.send = function send(body) { } // freshness - if (req.fresh) this.statusCode = 304; + if (req.fresh) this.status(304); // strip irrelevant headers if (204 === this.statusCode || 304 === this.statusCode) { @@ -208,7 +214,7 @@ res.json = function json(obj) { // support res.json(status, obj) if (arguments.length === 2) { deprecate('res.json(status, obj): Use res.status(status).json(obj) instead'); - this.statusCode = arguments[0]; + this.status(arguments[0]); val = arguments[1]; } @@ -244,7 +250,7 @@ res.jsonp = function jsonp(obj) { // support res.jsonp(status, obj) if (arguments.length === 2) { deprecate('res.jsonp(status, obj): Use res.status(status).jsonp(obj) instead'); - this.statusCode = arguments[0]; + this.status(arguments[0]); val = arguments[1]; } 
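Review bot: The doc comment above `res.status` is not updated for the new contract; only its closing lines (`* @public */`) fall inside the first hunk, so this is inferred from what is visible. The parameter is renamed from `code` to `statusCode` and the function can now throw. If the comment has a `@param` for `code`, it should become `@param {Number} statusCode`, with an added `@throws {TypeError} if the status code is not in the range 100-999`. The same exception now propagates out of `res.send`, `res.json`, `res.jsonp`, `res.sendStatus` and `res.redirect`, which all call `this.status(...)` in this patch, so their doc comments need the same `@throws` line.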
@@ -304,11 +310,10 @@ res.jsonp = function jsonp(obj) { */ res.sendStatus = function sendStatus(statusCode) { - var body = statusCodes[statusCode] || String(statusCode); - - this.statusCode = statusCode; + this.status(statusCode); this.type('txt'); + var body = statusCodes[statusCode] || String(statusCode); return this.send(body); }; @@ -788,7 +793,7 @@ res.redirect = function redirect(url) { }); // Respond - this.statusCode = status; + this.status(status); this.set('Content-Length', Buffer.byteLength(body)); if (this.req.method === 'HEAD') { diff --git a/test/res.status.js b/test/res.status.js index 8c173a645c5..83adefdf109 100644 --- a/test/res.status.js +++ b/test/res.status.js @@ -16,5 +16,41 @@ describe('res', function(){ .expect('Created') .expect(201, done); }) + + it('should throw a TypeError if invalid', function(done){ + var app = express(); + + app.use(function(req, res){ + res.status(10000).end(); + }); + + request(app) + .get('/') + .expect(500, /Invalid status code/, done); + }) + + it('should handle numeric strings', function(done) { + var app = express(); + + app.use(function(req, res){ + res.status('400').end(); + }); + + request(app) + .get('/') + .expect(400, done); + }) + + it('should handle floats as integers', function(done) { + var app = express(); + + app.use(function(req, res){ + res.status(404.04).end(); + }); + + request(app) + .get('/') + .expect(404, done); + }) }) }) From ae38ac6f805532b60bdc601135bd3da4e0b8a369 Mon Sep 17 00:00:00 2001 From: Nicholas Clawson Date: Sun, 27 Nov 2016 14:49:33 -0800 Subject: [PATCH 2/2] Ensure that statusCode is a number --- lib/response.js | 3 +-- test/res.status.js | 22 +++++----------------- 2 files changed, 6 insertions(+), 19 deletions(-) diff --git a/lib/response.js b/lib/response.js index e0960e47944..244586e010e 100644 --- a/lib/response.js +++ b/lib/response.js 
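Review bot: In `res.sendStatus` the body text is still derived from the raw argument, while the status line comes from whatever `this.status(statusCode)` stored. In this patch `res.status` normalises its input with `parseInt`, so a call such as `sendStatus('404')` or `sendStatus(404.04)` stores 404 but looks up `statusCodes` with the unnormalised value. For the float the lookup misses and the body becomes `"404.04"`. Reading the validated value back keeps the two in agreement however `res.status` normalises: `var body = statusCodes[this.statusCode] || String(this.statusCode);`.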
@@ -58,8 +58,7 @@ var charsetRegExp = /;\s*charset\s*=/; res.status = function status(statusCode) { // check that status code is valid - statusCode = parseInt(statusCode, 10); - if (Number.isNaN(statusCode) || statusCode < 100 || statusCode > 999) { + if (typeof statusCode !== 'number' || statusCode < 100 || statusCode > 999) { throw new TypeError('Invalid status code.'); } diff --git a/test/res.status.js b/test/res.status.js index 83adefdf109..215092724c5 100644 --- a/test/res.status.js +++ b/test/res.status.js @@ -17,11 +17,11 @@ describe('res', function(){ .expect(201, done); }) - it('should throw a TypeError if invalid', function(done){ + it('should throw a TypeError if not a number', function(done) { var app = express(); app.use(function(req, res){ - res.status(10000).end(); + res.status('foo').end(); }); request(app) @@ -29,28 +29,16 @@ describe('res', function(){ .expect(500, /Invalid status code/, done); }) - it('should handle numeric strings', function(done) { - var app = express(); - - app.use(function(req, res){ - res.status('400').end(); - }); - - request(app) - .get('/') - .expect(400, done); - }) - - it('should handle floats as integers', function(done) { + it('should throw a TypeError if invalid number', function(done){ var app = express(); app.use(function(req, res){ - res.status(404.04).end(); + res.status(10000).end(); }); request(app) .get('/') - .expect(404, done); + .expect(500, /Invalid status code/, done); }) }) })
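Review bot: The rewritten guard in `res.status` lets `NaN` through, because `typeof NaN` is `'number'` and both `NaN < 100` and `NaN > 999` are false. Fractional values such as `404.04` are also accepted and stored unchanged, whereas the previous `parseInt` version truncated them. A status computed from untrusted or upstream data, for example by arithmetic on a missing field, can therefore still reach `this.statusCode` in a form that is not a valid HTTP status. Checking for an integer closes both gaps: `if (!Number.isInteger(statusCode) || statusCode < 100 || statusCode > 999) {`. The test hunk in `test/res.status.js` covers only `'foo'` and `10000`; cases for `NaN`, a fractional number and the boundaries 99, 100, 999 and 1000 would pin this behaviour down.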