Improve request Content-Type checks #1103
This PR contains two changes to request Content-Type header checking:
Changed: 920420 improve policy checks
Rule 920420 did not check the mime-type in the Content-Type request header in the case of GET, HEAD, PROPFIND or OPTIONS requests.
These types of requests should not have a Content-Type header, since they have no body, but that is no reason not to check the mime-type if one is submitted anyway.
Note that this rule only works on properly formatted Content-Type headers, from which a mime-type can be parsed.
Added: 920470 whitelist header format
Since rule 920420 only works on well-behaved Content-Type headers, I've inserted a new rule above it, which first validates Content-Type against a regular expression.
This provides generic whitelist protection against vulnerabilities like Apache Struts Content-Type arbitrary command execution (CVE-2017-5638), which uses a Content-Type header like:
For the Struts vuln, we have blacklisting in the 944xxx rules, but I feel the Content-Type header is a good candidate for whitelisting in addition to this.
The rule might be a little pedantic, but I've tried to be flexible towards possible practical uses. I've tested it out on some traffic. But it's possible that we'll discover from testing that we need to be a little more lax.
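The two-stage check the description lays out (first a format allow-list on the raw header, then the mime-type policy check, applied regardless of request method) as an added Python illustration. This is not the CRS rule text and not code from this PR: the regular expression, the allowed-type set standing in for the CRS policy list, and the sample headers are this example's own assumptions, and the OGNL-looking sample is a constructed string, not the CVE-2017-5638 payload.

```python
import re

# Added example, not the CRS rules: a Python sketch of a two-stage request
# Content-Type check. Stage 1 is a format allow-list (the 920470 idea), stage 2
# compares the parsed type/subtype with a policy list (the 920420 idea).

# Header grammar assumed here: type/subtype followed by zero or more
# ";name=value" parameters where value is a token or a quoted-string.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"      # RFC 7230 tchar, one or more
QUOTED = r'"(?:[^"\\]|\\.)*"'                    # quoted-string with backslash escapes
PARAM = r";\s*" + TOKEN + r"\s*=\s*(?:" + TOKEN + "|" + QUOTED + ")"
CONTENT_TYPE_RE = re.compile(
    r"^\s*(" + TOKEN + "/" + TOKEN + r")(?:\s*" + PARAM + r")*\s*$"
)

# Stand-in for the policy list the mime-type check consults; assumed values,
# not the CRS default (which lives in a tx variable set by the setup rules).
ALLOWED_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/xml",
    "application/xml",
    "application/json",
    "text/plain",
}


def header_is_well_formed(value: str) -> bool:
    """Stage 1: accept only headers matching the type/subtype[; param=value]* grammar."""
    return CONTENT_TYPE_RE.match(value) is not None


def parse_mime_type(value: str):
    """Return the lower-cased type/subtype, or None if the header is malformed.

    Only a well-formed header yields a mime-type; this is why the format
    allow-list has to run before the policy check.
    """
    m = CONTENT_TYPE_RE.match(value)
    return m.group(1).lower() if m else None


def evaluate_request(method: str, content_type):
    """Return (decision, reason) for one request.

    A missing header is fine for any method. A header that IS present is checked
    regardless of method, so a GET carrying a bad Content-Type is denied too.
    """
    if content_type is None:
        return ("allow", "no Content-Type header")
    if not header_is_well_formed(content_type):
        return ("deny", "malformed Content-Type (format allow-list)")
    mime = parse_mime_type(content_type)
    if mime not in ALLOWED_TYPES:
        return ("deny", "mime-type %s not in policy" % mime)
    return ("allow", "mime-type %s permitted" % mime)


# Constructed sample requests, not captured traffic. The "%{...}" value is an
# OGNL-looking string made up for this example, not a working exploit payload.
SAMPLE_REQUESTS = [
    ("POST", "application/x-www-form-urlencoded"),
    ("POST", 'multipart/form-data; boundary="----WebKitFormBoundary7MA4YWxk"'),
    ("POST", "Application/JSON; charset=UTF-8"),
    ("GET", None),
    ("GET", "application/octet-stream"),
    ("POST", "%{(#cmd='id')}"),
    ("POST", "application/json; charset"),
]


def run_samples():
    """Evaluate every sample and return the list of (method, header, decision, reason)."""
    return [(m, h) + evaluate_request(m, h) for m, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for method, header, decision, reason in run_samples():
        print("%-4s %-60r %-5s %s" % (method, header, decision, reason))
```

The ordering matters: the OGNL-looking value never reaches the policy comparison, because the format allow-list rejects it on the first character that is not a token character, whereas a well-formed but unwanted type such as `application/octet-stream` passes stage 1 and is stopped by stage 2 even on a GET.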
This is a very useful addition. We ought to test this some more (no time this morning here, though).
Being in a pedantic mood, I do not like the introduction of in-between id numbers like xxxx25. The rules are related, but we do not mirror this unless they are strict siblings which is not the case here.
We're not really working on this. @lifeforms stated he would rather merge this and do additional changes separately. So this is only waiting for some more testing.
I have run a few additional tests triggering 920470, 920420 and activating 900220. This looks good. Ready to be merged (and already assigned to you @csanders-git; so I'll let you do the merge).
Note that 920* tests are not run yet by Travis, however the tests run well here: