fix(ec2-metadata-service): discard response body stream on failed request (#7543)

kuhe · siddsriv · web-flow · commit 2dc10c6fef69 · 2025-12-05T11:47:37.000-05:00
* fix(ec2-metadata-service): discard response body stream on failed request

* test(ec2-metadata-service): add unit test/socket leak checks

* test(ec2-metadata-service): declaration merging for Node util to get resources

---------

Co-authored-by: Siddharth Srivastava &lt;sidddsri@amazon.com&gt;
diff --git a/packages/ec2-metadata-service/src/MetadataService.spec.ts b/packages/ec2-metadata-service/src/MetadataService.spec.ts
@@ -0,0 +1,255 @@
+import { NodeHttpHandler } from "@smithy/node-http-handler";
+import { Readable } from "stream";
+import { beforeEach, describe, expect, test as it, vi } from "vitest";
+
+import { MetadataService } from "./MetadataService";
+
+// Type declaration (declaration merging) for process.getActiveResourcesInfo()
+declare global {
+  namespace NodeJS {
+    interface Process {
+      getActiveResourcesInfo(): string[];
+    }
+  }
+}
+
+vi.mock("@smithy/node-http-handler");
+
+// gh#7538
+describe("MetadataService Socket Leak Checks", () => {
+  let metadataService: MetadataService;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    metadataService = new MetadataService({
+      endpoint: "http://169.254.169.254",
+      httpOptions: { timeout: 1000 },
+    });
+  });
+
+  const createMockResponse = (statusCode: number, body: string) => {
+    const stream = Readable.from([body]);
+    return {
+      response: {
+        statusCode,
+        body: stream,
+        headers: {},
+      },
+    };
+  };
+
+  describe("fetchMetadataToken - body consumption checks", () => {
+    it("should consume response body on 200 status and return token", async () => {
+      const mockToken = "test-token-123";
+      const mockResponse = createMockResponse(200, mockToken);
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      const token = await metadataService.fetchMetadataToken();
+
+      expect(token).toBe(mockToken);
+      expect(mockResponse.response.body.readableEnded).toBe(true);
+    });
+
+    it("should consume response body on 400 status before throwing", async () => {
+      const mockResponse = createMockResponse(400, "Bad Request");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      await expect(metadataService.fetchMetadataToken()).rejects.toThrow(
+        "Failed to fetch metadata token with status code 400"
+      );
+
+      expect(mockResponse.response.body.readableEnded).toBe(true);
+    });
+
+    it("should consume response body on 500 status before throwing", async () => {
+      const mockResponse = createMockResponse(500, "Server Error");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      await expect(metadataService.fetchMetadataToken()).rejects.toThrow(
+        "Failed to fetch metadata token with status code 500"
+      );
+
+      expect(mockResponse.response.body.readableEnded).toBe(true);
+    });
+
+    it("should include statusCode in error object for non-200 responses", async () => {
+      const mockResponse = createMockResponse(400, "Bad Request");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      try {
+        await metadataService.fetchMetadataToken();
+        expect.fail("Should have thrown an error");
+      } catch (error: any) {
+        expect(error.message).toContain("400");
+        expect(error.message).toContain("Failed to fetch metadata token");
+      }
+    });
+  });
+
+  describe("fetchMetadataToken - error handling", () => {
+    it("should set disableFetchToken on 403 error", async () => {
+      const mockResponse = createMockResponse(403, "Forbidden");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      await expect(metadataService.fetchMetadataToken()).rejects.toThrow("[disableFetchToken] is now set to true");
+
+      expect((metadataService as any).disableFetchToken).toBe(true);
+    });
+
+    it("should set disableFetchToken on 404 error", async () => {
+      const mockResponse = createMockResponse(404, "Not Found");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      await expect(metadataService.fetchMetadataToken()).rejects.toThrow("[disableFetchToken] is now set to true");
+
+      expect((metadataService as any).disableFetchToken).toBe(true);
+    });
+
+    it("should set disableFetchToken on 405 error", async () => {
+      const mockResponse = createMockResponse(405, "Method Not Allowed");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      await expect(metadataService.fetchMetadataToken()).rejects.toThrow("[disableFetchToken] is now set to true");
+
+      expect((metadataService as any).disableFetchToken).toBe(true);
+    });
+
+    it("should set disableFetchToken on TimeoutError", async () => {
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockRejectedValue({ message: "TimeoutError" }),
+          } as any)
+      );
+
+      await expect(metadataService.fetchMetadataToken()).rejects.toThrow("[disableFetchToken] is now set to true");
+
+      expect((metadataService as any).disableFetchToken).toBe(true);
+    });
+
+    it("should NOT set disableFetchToken on 400 error", async () => {
+      const mockResponse = createMockResponse(400, "Bad Request");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      await expect(metadataService.fetchMetadataToken()).rejects.toThrow();
+
+      expect((metadataService as any).disableFetchToken).toBe(false);
+    });
+  });
+
+  describe("socket cleanup verification", () => {
+    it("should not leave open handles after 400 response", async () => {
+      const initialResources = process.getActiveResourcesInfo();
+      const mockResponse = createMockResponse(400, "Bad Request");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      try {
+        await metadataService.fetchMetadataToken();
+      } catch {
+        // expected to throw
+      }
+      // allowing event loop to finish processing (test could be flaky otherwise if socket isn't closed because it remained scheduled in the event loop here)
+      await new Promise((resolve) => setImmediate(resolve));
+
+      const finalResources = process.getActiveResourcesInfo();
+      const socketCount = (resources: string[]) =>
+        resources.filter((r) => r.includes("Socket") || r.includes("TCP")).length;
+      expect(socketCount(finalResources)).toBeLessThanOrEqual(socketCount(initialResources));
+    });
+
+    it("should not leave open handles after successful 200 response", async () => {
+      const initialResources = process.getActiveResourcesInfo();
+      const mockResponse = createMockResponse(200, "test-token");
+
+      vi.mocked(NodeHttpHandler).mockImplementation(
+        () =>
+          ({
+            handle: vi.fn().mockResolvedValue(mockResponse),
+          } as any)
+      );
+
+      await metadataService.fetchMetadataToken();
+
+      await new Promise((resolve) => setImmediate(resolve));
+
+      const finalResources = process.getActiveResourcesInfo();
+      const socketCount = (resources: string[]) =>
+        resources.filter((r) => r.includes("Socket") || r.includes("TCP")).length;
+      expect(socketCount(finalResources)).toBeLessThanOrEqual(socketCount(initialResources));
+    });
+  });
+
+  describe("throwOnRequestTimeout flag", () => {
+    it("should pass throwOnRequestTimeout: true to NodeHttpHandler", async () => {
+      const mockResponse = createMockResponse(200, "test-token");
+      const mockHandle = vi.fn().mockResolvedValue(mockResponse);
+
+      vi.mocked(NodeHttpHandler).mockImplementation((config: any) => {
+        expect(config.throwOnRequestTimeout).toBe(true);
+        return { handle: mockHandle } as any;
+      });
+
+      await metadataService.fetchMetadataToken();
+
+      expect(NodeHttpHandler).toHaveBeenCalledWith(
+        expect.objectContaining({
+          throwOnRequestTimeout: true,
+        })
+      );
+    });
+  });
+});
diff --git a/packages/ec2-metadata-service/src/MetadataService.ts b/packages/ec2-metadata-service/src/MetadataService.ts
@@ -13,6 +13,7 @@ import { MetadataServiceOptions } from "./MetadataServiceOptions";
 export class MetadataService {
   private disableFetchToken: boolean;
   private config: Promise<MetadataServiceOptions>;
+
   /**
    * Creates a new MetadataService object with a given set of options.
    */
@@ -35,6 +36,7 @@ export class MetadataService {
     const { endpoint, ec2MetadataV1Disabled, httpOptions } = await this.config;
     const handler = new NodeHttpHandler({
       requestTimeout: httpOptions?.timeout,
+      throwOnRequestTimeout: true,
       connectionTimeout: httpOptions?.timeout,
     });
     const endpointUrl = new URL(endpoint!);
@@ -88,6 +90,7 @@ export class MetadataService {
     const { endpoint, httpOptions } = await this.config;
     const handler = new NodeHttpHandler({
       requestTimeout: httpOptions?.timeout,
+      throwOnRequestTimeout: true,
       connectionTimeout: httpOptions?.timeout,
     });
     const endpointUrl = new URL(endpoint!);
@@ -102,18 +105,23 @@ export class MetadataService {
     });
     try {
       const { response } = await handler.handle(tokenRequest, {} as HttpHandlerOptions);
-      if (response.statusCode === 200 && response.body) {
-        // handle response.body as a stream
-        return sdkStreamMixin(response.body).transformToString();
+
+      let bodyString = "";
+      if (response.body) {
+        bodyString = await sdkStreamMixin(response.body).transformToString();
+      }
+
+      if (response.statusCode === 200 && bodyString) {
+        return bodyString;
       } else {
-        throw new Error(`Failed to fetch metadata token with status code ${response.statusCode}`);
+        throw Object.assign(new Error(`Failed to fetch metadata token with status code ${response.statusCode}`), {
+          statusCode: response.statusCode,
+        });
       }
     } catch (error) {
-      if (error?.statusCode === 400) {
-        throw new Error(`Error fetching metadata token: ${error}`);
-      } else if (error.message === "TimeoutError" || [403, 404, 405].includes(error.statusCode)) {
+      if (error.message === "TimeoutError" || [403, 404, 405].includes(error.statusCode)) {
         this.disableFetchToken = true; // as per JSv2 and fromInstanceMetadata implementations
-        throw new Error(`Error fetching metadata token: ${error}. disableFetchToken is enabled`);
+        throw new Error(`Error fetching metadata token: ${error}. [disableFetchToken] is now set to true.`);
       }
       throw new Error(`Error fetching metadata token: ${error}`);
     }
