Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate http request and response headers when using the webclient #6515

Merged
merged 10 commits into from Jun 28, 2023
Merged

Validate http request and response headers when using the webclient #6515

merged 10 commits into from Jun 28, 2023

Conversation

klustria
Copy link
Member

@klustria klustria commented Mar 30, 2023
edited

  1. The main method for validating header value now exists in HTTP HeaderValue, so it can be reused in other places outside of WebClient, if needed.
  2. HttpCallChainBase.writeHeaders will validate both the header name and values for the HTTP request using Http.HeaderValue.validate().
  3. Http1HeadersParser.readHeaders used for parsing response headers now includes validation of header name and values using Http.HeaderValue.validate().
  4. Extensive unit test for each of the new features added.

@klustria klustria self-assigned this Mar 30, 2023
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Mar 30, 2023
@klustria
Copy link
Member Author

This PR is a potential fix for #6338

@klustria klustria mentioned this pull request Mar 30, 2023
Closed
@klustria klustria requested a review from danielkec March 30, 2023 15:42
@Verdent
Copy link
Member

Verdent commented Apr 5, 2023

I feel like it is OK, but I would like to know also your opinion @tomas-langer

@klustria klustria force-pushed the 6338_validate-request-headers_4.x branch from cb2101a to 14fb22e Compare June 20, 2023 18:58
@klustria
Merge remote-tracking branch 'upstream/main' into 6338_validate-reque…
bed4d24 
…st-headers_4.x
@klustria
Validate Webclient HTTP request and response headers. Change includes…
a03bfbd 
… the following:

1. The main method for validating header value now exists in HTTP HeaderValue, so it can be reused in other places outside of WebClient, if needed.
2. HttpCallChainBase.writeHeaders will validate both the header name and values for the HTTP request.
3. Http1HeadersParser used for parsing response headers now includes validation of header values stored as LazyString.
4. LazyString now has an option to set a customize validation so its string value can be validated when it is retrieved. For example in Http1HeadersParser, it will be utilized to validate http header value when it is retrieved from the response.
5. Extensive unit test for each of the new features added.
@klustria klustria changed the title Validate http request headers when using the webclient Validate http request and response headers when using the webclient Jun 21, 2023
@klustria
Copy link
Member Author

Please check the description section of this issue to see the list of items that are included in the change.

tomas-langer
tomas-langer reviewed Jun 22, 2023
View reviewed changes
Copy link
Member

@tomas-langer tomas-langer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should not do the change in LazyString
I think validation should be done once for all headers after they are read from the stream (both on server and on client when enabled).
We could add HeaderValue.validate(Validator) method - and make it work nicely with multi-valued headers in the right way, rather then attempting to target LazyString specifically

@klustria
Merge remote-tracking branch 'upstream/main' into 6338_validate-reque…
1ec8c2e 
…st-headers_4.x
@klustria
Remove validator from Lazy String and use HttpValue.validate() to val…
ef4d8fb 
…idate header name and value after they are parsed in Http1HeadersParser.readHeaders().

Note: HttpToken.validate() used to validate when headerName is parsed in Http1HeadersParser.readHeaderName() was removed as it is already performed in the above change.
@klustria
Merge remote-tracking branch 'upstream/main' into 6338_validate-reque…
d668099 
…st-headers_4.x
@klustria
Copy link
Member Author

We should not do the change in LazyString
I think validation should be done once for all headers after they are read from the stream (both on server and on client when enabled).
We could add HeaderValue.validate(Validator) method - and make it work nicely with multi-valued headers in the right way, rather then attempting to target LazyString specifically

With the new change, removed response header validation from LazyString and placed it in Http1HeaderParser.readHeaders after a header's name and value are parsed and using the same Http.HeaderValue.validate() that HttpCallChainBase.writeHeaders() uses to validate both the header name/values for the request Headers. Also remove name token validation in Http1HeaderParser.readHeaderName() as the name is already validated in Http.HeaderValue.validate().

@klustria klustria merged commit 3080da3 into helidon-io:main Jun 28, 2023
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomas-langer tomas-langer tomas-langer approved these changes

@Verdent Verdent Awaiting requested review from Verdent

@danielkec danielkec Awaiting requested review from danielkec

Assignees

@klustria klustria

Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@klustria @Verdent @tomas-langer