Reject DATA Frames for invalid path requests #4405
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Motivation: If a request with an invalid path such as `/?download=../../secret.txt` and a DATA Frame is received, a `ClassCastException` can be raised. ``` java.lang.ClassCastException: class com.linecorp.armeria.server.EmptyContentDecodedHttpRequest cannot be cast to class com.linecorp.armeria.server.DecodedHttpRequestWriter (com.linecorp.armeria.server.EmptyContentDecodedHttpRequest and com.linecorp.armeria.server.DecodedHttpRequestWriter are in unnamed module of loader org.springframework.boot.loader.LaunchedURLClassLoader @301eda63) at com.linecorp.armeria.server.Http2RequestDecoder.onDataRead(Http2RequestDecoder.java:265) at io.netty.handler.codec.http2.Http2FrameListenerDecorator.onDataRead(Http2FrameListenerDecorator.java:36) at io.netty.handler.codec.http2.Http2EmptyDataFrameListener.onDataRead(Http2EmptyDataFrameListener.java:49) at io.netty.handler.codec.http2.DefaultHttp2ConnectionDecoder$FrameReadListener.onDataRead(DefaultHttp2ConnectionDecoder.java:307) at io.netty.handler.codec.http2.Http2InboundFrameLogger$1.onDataRead(Http2InboundFrameLogger.java:48) ``` Although a response is immediately sent by `HttpServerHandler` for the invalid path when the headers are received and try to close the stream, `onDataRead()` callback could be triggered by the following DATA frame. Because the stream could not be closed yet. https://github.com/line/armeria/blob/master/core/src/main/java/com/linecorp/armeria/server/Http2RequestDecoder.java#L242-L244 Modification: - Rejects the following DATA frames and HEADERS frames of invalid path requests with `PROTOCOL_ERROR`. Result: You no longer see `ClassCastException` when an invalid path request is recevied.
jrhee17
reviewed
Sep 1, 2022
| @@ -182,6 +182,10 @@ public void onHeadersRead(ChannelHandlerContext ctx, int streamId, Http2Headers | |||
| ctx.fireChannelRead(req); | |||
| } | |||
| } else { | |||
| if (!(req instanceof DecodedHttpRequestWriter)) { | |||
| throw connectionError(PROTOCOL_ERROR, | |||
There was a problem hiding this comment.
Question) Is it correct behavior to close the connection rather than return a 4xx response?
If a malicious user decides to continuously send these type of requests, will other requests on the same connection be penalized?
There was a problem hiding this comment.
Good point.
4xx response might be returned already by HttpServerHandler. So we don't need to return a response here.
Is it better to silently ignore the incoming DATA frames?
There was a problem hiding this comment.
If a malicious user decides to continuously send these type of requests, will other requests on the same connection be penalized?
For the protocol violations or unexpected errors, a connection is reset with writeErrorResponse().
For example, if a malicious user sends a wrong content-length, the connection which the request was sent will be closed as well.
However, the HttpServerHandler who handled the request did not close the connection. So it makes more sense to keep the connection.
There was a problem hiding this comment.
For example, if a malicious user sends a wrong content-length, the connection which the request was sent will be closed as well.
Maybe I misunderstood the current codebase, but wouldn't only the stream be closed in this case?
Since the connection will be closed only if streamId == 0
Anyways, sorry about the late check. I agree with the approach 👍
core/src/main/java/com/linecorp/armeria/server/Http2RequestDecoder.java
Outdated
Show resolved
Hide resolved
core/src/main/java/com/linecorp/armeria/server/HttpServerHandler.java
Outdated
Show resolved
Hide resolved
ikhoon
force-pushed
the
invalid-request-with-data
branch
from
63bed1b
to
82eefb7
Compare
|
Thanks to @tawAsh1 who reports the bug. 🙇♂️ |
jrhee17
approved these changes
Sep 1, 2022
Codecov Report
@@ Coverage Diff @@
## master #4405 +/- ##
============================================
- Coverage 73.80% 73.79% -0.02%
+ Complexity 17713 17709 -4
============================================
Files 1509 1509
Lines 66198 66205 +7
Branches 8313 8315 +2
============================================
- Hits 48860 48853 -7
- Misses 13330 13345 +15
+ Partials 4008 4007 -1
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
heowc
pushed a commit
to heowc/armeria
that referenced
this pull request
Sep 24, 2022
Motivation: If a request with an invalid path such as `/?download=../../secret.txt` and a DATA Frame is received, a `ClassCastException` can be raised. ``` java.lang.ClassCastException: class com.linecorp.armeria.server.EmptyContentDecodedHttpRequest cannot be cast to class com.linecorp.armeria.server.DecodedHttpRequestWriter (com.linecorp.armeria.server.EmptyContentDecodedHttpRequest and com.linecorp.armeria.server.DecodedHttpRequestWriter are in unnamed module of loader org.springframework.boot.loader.LaunchedURLClassLoader @301eda63) at com.linecorp.armeria.server.Http2RequestDecoder.onDataRead(Http2RequestDecoder.java:265) at io.netty.handler.codec.http2.Http2FrameListenerDecorator.onDataRead(Http2FrameListenerDecorator.java:36) at io.netty.handler.codec.http2.Http2EmptyDataFrameListener.onDataRead(Http2EmptyDataFrameListener.java:49) at io.netty.handler.codec.http2.DefaultHttp2ConnectionDecoder$FrameReadListener.onDataRead(DefaultHttp2ConnectionDecoder.java:307) at io.netty.handler.codec.http2.Http2InboundFrameLogger$1.onDataRead(Http2InboundFrameLogger.java:48) ``` Although a response is immediately sent by `HttpServerHandler` for the invalid path when the headers are received and try to close the stream, `onDataRead()` callback could be triggered by the following DATA frame. Because the stream could not be closed yet. https://github.com/line/armeria/blob/b9dc1ad1c6f4cfee8aba8e50a61d203c37eb94cc/core/src/main/java/com/linecorp/armeria/server/Http2RequestDecoder.java?rgh-link-date=2022-09-01T06%3A34%3A32Z#L242-L244 Modifications: - Rejects the following DATA frames and HEADERS frames of invalid path requests with `PROTOCOL_ERROR`. Result: You no longer see `ClassCastException` when an invalid path request is received.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation:
If a request with an invalid path such as
/?download=../../secret.txtand a DATA Frame is received, a
ClassCastExceptioncan be raised.Although a response is immediately sent by
HttpServerHandlerforthe invalid path when the headers are received and try to close the stream,
onDataRead()callback could be triggered by the following DATA frame.Because the stream could not be closed yet.
armeria/core/src/main/java/com/linecorp/armeria/server/Http2RequestDecoder.java
Lines 242 to 244 in b9dc1ad
Modifications:
requests with
PROTOCOL_ERROR.Result:
You no longer see
ClassCastExceptionwhen an invalid path request isreceived.