server/contexts/token/token.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -10,27 +10,25 @@ import ( @@
     type key int
-    const tokenKey key = 0
+    const (
+    	tokenKey       key = 0
+    	tokenDelimiter     = " "
+    )
     // Token is the concrete type that represents Fleet session tokens
     type Token string
     // FromHTTPRequest extracts an Authorization
     // from an HTTP request if present.
     func FromHTTPRequest(r *http.Request) Token {
-    	headers := r.Header.Get("Authorization")
-    	headerParts := strings.Split(headers, " ")
-    	if len(headerParts) > 0 && strings.ToUpper(headerParts[0]) == "BEARER" {
-    		if len(headerParts) == 2 {
-    			return Token(headerParts[1])
-    		}
-    		// This indicates "no token". We don't want to read the request-body here.
-    		return ""
-    	}
-    	if err := r.ParseForm(); err != nil {
-    		return ""
+    	authHeader := r.Header.Get("Authorization")
+    	headerCouple, ok := parseHeaderLimited(authHeader)
+    	if ok && strings.ToUpper(headerCouple[0]) == "BEARER" {
+    		// If the Authorization header is present and properly formatted, return the token.
+    		// Preserve case-insensitivity for "Bearer" prefix while case-sensitivity for the token value
+    		return Token(headerCouple[1])
     	}
-    	return Token(r.FormValue("token"))
+    	return ""
     }
     // NewContext returns a new context carrying the Authorization Bearer token.
@@ Expand All / @@ -46,3 +44,24 @@ func FromContext(ctx context.Context) (Token, bool) { @@
     	token, ok := ctx.Value(tokenKey).(Token)
     	return token, ok
     }
+    // parseHeaderLimited splits an authHeader into exactly two parts or nil, and returns an ok boolean indicating whether the passed in authHeader did have exactly 2 parts. If it did not, nil and false are returned.
+    func parseHeaderLimited(authHeader string) ([]string, bool) {
+    	parts := make([]string, 2)
+    	pre, remain, foundDelimiter := strings.Cut(authHeader, tokenDelimiter)
+    	if !foundDelimiter {
+    		return nil, false
+    	}
+    	parts[0] = pre
+    	// Ensure the token value is the last part of the string and there are no more
+    	// delimiters. This avoids an issue where malicious input could contain additional delimiters
+    	// causing unnecessary overhead parsing tokens.
+    	post, _, unexpectedDelimiterFound := strings.Cut(remain, tokenDelimiter)
+    	if unexpectedDelimiterFound {
+    		// more than 2 parts
+    		return nil, false
+    	}
+    	parts[1] = post
+    	return parts, true
+    }

server/contexts/token/token_test.go

-Original file line number
+Diff line change
@@ Expand Up / @@ -57,7 +57,40 @@ func TestFromHTTPRequest(t *testing.T) { @@
     				Method: http.MethodPost,
     				Body:   io.NopCloser(strings.NewReader("token=bar")),
     			},
-    			want: "bar",
+    			want: "", // no longer support parsing token from request body
+    		}, {
+    			name: "BEARER with 3 parts",
+    			r: &http.Request{
+    				Header: map[string][]string{
+    					"Authorization": {"BEARER foobar extra"},
+    					"Content-Type":  {"application/x-www-form-urlencoded"},
+    				},
+    				Method: http.MethodPost,
+    				Body:   io.NopCloser(strings.NewReader("token=bar")),
+    			},
+    			want: "",
+    		}, {
+    			name: "BEARER with multiple extra parts",
+    			r: &http.Request{
+    				Header: map[string][]string{
+    					"Authorization": {"BEARER foobar extra parts here"},
+    					"Content-Type":  {"application/x-www-form-urlencoded"},
+    				},
+    				Method: http.MethodPost,
+    				Body:   io.NopCloser(strings.NewReader("token=bar")),
+    			},
+    			want: "",
+    		}, {
+    			name: "bearer lowercase with extra parts",
+    			r: &http.Request{
+    				Header: map[string][]string{
+    					"Authorization": {"bearer foobar extra"},
+    					"Content-Type":  {"application/x-www-form-urlencoded"},
+    				},
+    				Method: http.MethodPost,
+    				Body:   io.NopCloser(strings.NewReader("token=bar")),
+    			},
+    			want: "",
     		},
     	}
     	for _, tt := range tests {
@@ Expand Down @@

Safely split incoming request headers, remove support for token presence in request body #39427

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

jacobshandling merged 8 commits into main from prevent-potentially-unbounded-splits

Feb 18, 2026

-Original file line number
+Diff line change
@@ Expand Up / @@ -10,27 +10,25 @@ import ( @@
     type key int
-    const tokenKey key = 0
+    const (
+    	tokenKey       key = 0
+    	tokenDelimiter     = " "
+    )
     // Token is the concrete type that represents Fleet session tokens
     type Token string
     // FromHTTPRequest extracts an Authorization
     // from an HTTP request if present.
     func FromHTTPRequest(r *http.Request) Token {
-    	headers := r.Header.Get("Authorization")
-    	headerParts := strings.Split(headers, " ")
-    	if len(headerParts) > 0 && strings.ToUpper(headerParts[0]) == "BEARER" {
-    		if len(headerParts) == 2 {
-    			return Token(headerParts[1])
-    		}
-    		// This indicates "no token". We don't want to read the request-body here.
-    		return ""
-    	}
-    	if err := r.ParseForm(); err != nil {
-    		return ""
+    	authHeader := r.Header.Get("Authorization")
+    	headerCouple, ok := parseHeaderLimited(authHeader)
+    	if ok && strings.ToUpper(headerCouple[0]) == "BEARER" {
+    		// If the Authorization header is present and properly formatted, return the token.
+    		// Preserve case-insensitivity for "Bearer" prefix while case-sensitivity for the token value
+    		return Token(headerCouple[1])
     	}
-    	return Token(r.FormValue("token"))
+    	return ""
     }
     // NewContext returns a new context carrying the Authorization Bearer token.
@@ Expand All / @@ -46,3 +44,24 @@ func FromContext(ctx context.Context) (Token, bool) { @@
     	token, ok := ctx.Value(tokenKey).(Token)
     	return token, ok
     }
+    // parseHeaderLimited splits an authHeader into exactly two parts or nil, and returns an ok boolean indicating whether the passed in authHeader did have exactly 2 parts. If it did not, nil and false are returned.
+    func parseHeaderLimited(authHeader string) ([]string, bool) {
+    	parts := make([]string, 2)
+    	pre, remain, foundDelimiter := strings.Cut(authHeader, tokenDelimiter)
+    	if !foundDelimiter {
+    		return nil, false
+    	}
+    	parts[0] = pre
+    	// Ensure the token value is the last part of the string and there are no more
+    	// delimiters. This avoids an issue where malicious input could contain additional delimiters
+    	// causing unnecessary overhead parsing tokens.
+    	post, _, unexpectedDelimiterFound := strings.Cut(remain, tokenDelimiter)
+    	if unexpectedDelimiterFound {
+    		// more than 2 parts
+    		return nil, false
+    	}
+    	parts[1] = post
+    	return parts, true
+    }

-Original file line number
+Diff line change
@@ Expand Up / @@ -57,7 +57,40 @@ func TestFromHTTPRequest(t *testing.T) { @@
     				Method: http.MethodPost,
     				Body:   io.NopCloser(strings.NewReader("token=bar")),
     			},
-    			want: "bar",
+    			want: "", // no longer support parsing token from request body
+    		}, {
+    			name: "BEARER with 3 parts",
+    			r: &http.Request{
+    				Header: map[string][]string{
+    					"Authorization": {"BEARER foobar extra"},
+    					"Content-Type":  {"application/x-www-form-urlencoded"},
+    				},
+    				Method: http.MethodPost,
+    				Body:   io.NopCloser(strings.NewReader("token=bar")),
+    			},
+    			want: "",
+    		}, {
+    			name: "BEARER with multiple extra parts",
+    			r: &http.Request{
+    				Header: map[string][]string{
+    					"Authorization": {"BEARER foobar extra parts here"},
+    					"Content-Type":  {"application/x-www-form-urlencoded"},
+    				},
+    				Method: http.MethodPost,
+    				Body:   io.NopCloser(strings.NewReader("token=bar")),
+    			},
+    			want: "",
+    		}, {
+    			name: "bearer lowercase with extra parts",
+    			r: &http.Request{
+    				Header: map[string][]string{
+    					"Authorization": {"bearer foobar extra"},
+    					"Content-Type":  {"application/x-www-form-urlencoded"},
+    				},
+    				Method: http.MethodPost,
+    				Body:   io.NopCloser(strings.NewReader("token=bar")),
+    			},
+    			want: "",
     		},
     	}
     	for _, tt := range tests {
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Safely split incoming request headers, remove support for token presence in request body #39427

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!