Prevent the serialization of header containing a line terminator #3717

gontard · 2021-01-04T14:03:57Z

akka-http should throw an Exception when an header value containing a line terminator (LF) is sent in a response

For example

package com.example

import akka.actor.typed.ActorSystem
import akka.actor.typed.scaladsl.Behaviors
import akka.http.scaladsl.Http
import akka.http.scaladsl.model._
import akka.http.scaladsl.model.headers.{ModeledCustomHeader, ModeledCustomHeaderCompanion}
import akka.http.scaladsl.server.Directives._

import scala.util.Try

object HttpServerRoutingMinimal {
  def main(args: Array[String]): Unit = {
    implicit val system = ActorSystem(Behaviors.empty, "my-system")
    implicit val executionContext = system.executionContext
    val route =
      path("hello") {
        get {
          complete(StatusCodes.OK, Seq[HttpHeader](
            MyHeader("abc\ndef")
          ), "<h1>Say hello to akka-http</h1>")
        }
      }

    Http().newServerAt("localhost", 8080).bind(route)
  }

  final class MyHeader(token: String) extends ModeledCustomHeader[MyHeader] {
    override def renderInRequests = true
    override def renderInResponses = true
    override val companion = MyHeader
    override def value: String = token
  }
  object MyHeader extends ModeledCustomHeaderCompanion[MyHeader] {
    override val name = "my-header"
    override def parse(value: String) = Try(new MyHeader(value))
  }
}

We spotted this issue because our envoy reverse proxy complains of an Invalid HTTP header field was received.

The text was updated successfully, but these errors were encountered:

jrudolph · 2021-02-01T13:57:56Z

Good point, thanks for reporting (and sorry for the delay), @gontard.

I don't have a good idea how to check this cheaply. I don't think we want that check for our own modeled headers. It would certainly make sense for RawHeader but not sure where to put this for more generic user-defined modeled headers. Any ideas?

gontard · 2021-02-04T10:35:54Z

Thanks for your answer.

I don't think we want that check for our own modeled headers

Is it a performance concern?

Any ideas?

IDK the akka-http internals, but naively i would check that systematically.

nitikagarw · 2021-02-05T17:15:22Z

Hi @jrudolph,
How about adding the check here and here?

jrudolph · 2021-02-15T15:54:51Z

How about adding the check here and here?

It should go into the constructor of ModeledCustomHeader (instead of its companion). We can put a verification method into object HttpHeader to call from the constructors.

nitikagarw · 2021-02-20T10:15:54Z

Hi @jrudolph, I have created a PR #3763 to discuss the fix.

Refs akka#3717 To avoid accidental response splitting when applications put unsanitized request data into outgoing responses. We previously discussed introducing a check in the header models which could avoid overhead during rendering. There are a lot of header models, however, which all had to be checked one by one for potential issues. This would require a significant effort now to check all the existing headers and would also make it easy to reintroduce problems later on when headers are added or changed. The approach here requires that all headers are rendered using the new overload of `Rendering.~~`. When that method is used, we render the header and check afterwards that the rendered data does not contain any CR or LF characters. The performance overhead seems negligible, the new method did not turn up in profiling. An explanation why going over the rendered header data directly after it has been rendered is so cheap could be that - it has good locality because the data has just been written - it has good branch prediction because test will almost never fail - even if it has linear cost for big headers, those big headers will also have significant memory allocation cost which might dwarf the extra checking

Refs #3717 To avoid accidental response splitting when applications put unsanitized request data into outgoing responses. We previously discussed introducing a check in the header models which could avoid overhead during rendering. There are a lot of header models, however, which all had to be checked one by one for potential issues. This would require a significant effort now to check all the existing headers and would also make it easy to reintroduce problems later on when headers are added or changed. The approach here requires that all headers are rendered using the new overload of `Rendering.~~`. When that method is used, we render the header and check afterwards that the rendered data does not contain any CR or LF characters. The performance overhead seems negligible, the new method did not turn up in profiling. An explanation why going over the rendered header data directly after it has been rendered is so cheap could be that - it has good locality because the data has just been written - it has good branch prediction because test will almost never fail - even if it has linear cost for big headers, those big headers will also have significant memory allocation cost which might dwarf the extra checking

jrudolph · 2021-11-02T11:05:18Z

#3922 adds a general solution that checks headers for invalid characters while rendering and if occurred drops those headers.

…a#3922) Refs akka#3717 To avoid accidental response splitting when applications put unsanitized request data into outgoing responses. We previously discussed introducing a check in the header models which could avoid overhead during rendering. There are a lot of header models, however, which all had to be checked one by one for potential issues. This would require a significant effort now to check all the existing headers and would also make it easy to reintroduce problems later on when headers are added or changed. The approach here requires that all headers are rendered using the new overload of `Rendering.~~`. When that method is used, we render the header and check afterwards that the rendered data does not contain any CR or LF characters. The performance overhead seems negligible, the new method did not turn up in profiling. An explanation why going over the rendered header data directly after it has been rendered is so cheap could be that - it has good locality because the data has just been written - it has good branch prediction because test will almost never fail - even if it has linear cost for big headers, those big headers will also have significant memory allocation cost which might dwarf the extra checking (cherry picked from commit afecb31)

nitikagarw mentioned this issue Feb 20, 2021

Prevent the serialization of header containing a line terminator #3763

Closed

jrudolph mentioned this issue Jul 8, 2021

Newlines in headers cause invalid HTTP #3868

Closed

jrudolph mentioned this issue Oct 25, 2021

core: discard outgoing headers containing line breaks #3922

Merged

jrudolph added this to the 10.2.7 milestone Nov 2, 2021

jrudolph closed this as completed Nov 2, 2021

jrudolph mentioned this issue Nov 18, 2021

[10.1 backport] core: discard outgoing headers containing line breaks (#3922) #3943

Merged

jrudolph mentioned this issue Jun 24, 2022

New lines in RawHeader #4136

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Prevent the serialization of header containing a line terminator #3717

Prevent the serialization of header containing a line terminator #3717

gontard commented Jan 4, 2021

jrudolph commented Feb 1, 2021

gontard commented Feb 4, 2021

nitikagarw commented Feb 5, 2021

jrudolph commented Feb 15, 2021

nitikagarw commented Feb 20, 2021

jrudolph commented Nov 2, 2021

Prevent the serialization of header containing a line terminator #3717

Prevent the serialization of header containing a line terminator #3717

Comments

gontard commented Jan 4, 2021

jrudolph commented Feb 1, 2021

gontard commented Feb 4, 2021

nitikagarw commented Feb 5, 2021

jrudolph commented Feb 15, 2021

nitikagarw commented Feb 20, 2021

jrudolph commented Nov 2, 2021