New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reject DATA Frames for invalid path requests #4405
Merged
Merged
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
abb86de
Reject DATA Frames for invalid path requests
ikhoon ccc1165
Check style
ikhoon cf1962f
Address comments by @jrhee17
ikhoon 11c6dc8
Rename isAggregated to needsAggregation
ikhoon 82eefb7
Fix the test too
ikhoon f3471ac
Address checkstyle
ikhoon File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
104 changes: 104 additions & 0 deletions
104
core/src/test/java12/com/linecorp/armeria/server/InvalidPathWithDataTest.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
/* | ||
* Copyright 2022 LINE Corporation | ||
* | ||
* LINE Corporation licenses this file to you under the Apache License, | ||
* version 2.0 (the "License"); you may not use this file except in compliance | ||
* with the License. You may obtain a copy of the License at: | ||
* | ||
* https://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT | ||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the | ||
* License for the specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
package com.linecorp.armeria.server; | ||
|
||
import static org.assertj.core.api.Assertions.assertThat; | ||
import static org.awaitility.Awaitility.await; | ||
|
||
import java.net.http.HttpClient; | ||
import java.net.http.HttpClient.Version; | ||
import java.net.http.HttpResponse.BodyHandlers; | ||
|
||
import org.junit.jupiter.api.Test; | ||
import org.junit.jupiter.api.extension.RegisterExtension; | ||
import org.slf4j.LoggerFactory; | ||
|
||
import com.linecorp.armeria.common.HttpResponse; | ||
import com.linecorp.armeria.internal.common.AbstractHttp2ConnectionHandler; | ||
import com.linecorp.armeria.internal.common.PathAndQuery; | ||
import com.linecorp.armeria.server.logging.LoggingService; | ||
import com.linecorp.armeria.testing.junit5.server.ServerExtension; | ||
|
||
import ch.qos.logback.classic.Level; | ||
import ch.qos.logback.classic.Logger; | ||
import ch.qos.logback.classic.spi.ILoggingEvent; | ||
import ch.qos.logback.core.read.ListAppender; | ||
|
||
class InvalidPathWithDataTest { | ||
|
||
@RegisterExtension | ||
static ServerExtension server = new ServerExtension() { | ||
@Override | ||
protected void configure(ServerBuilder sb) { | ||
sb.requestTimeoutMillis(0); | ||
sb.decorator(LoggingService.newDecorator()); | ||
sb.service("/foo", (ctx, req) -> { | ||
return HttpResponse.from(req.aggregate().thenApply(agg -> HttpResponse.of(agg.contentUtf8()))); | ||
}); | ||
} | ||
}; | ||
|
||
@Test | ||
void invalidPath() throws Exception { | ||
final String invalidPath = "/foo?download=../../secret.txt"; | ||
final PathAndQuery pathAndQuery = PathAndQuery.parse(invalidPath); | ||
assertThat(pathAndQuery).isNull(); | ||
|
||
final HttpClient client = HttpClient.newHttpClient(); | ||
|
||
// Send a normal request to complete an upgrade request successfully. | ||
final java.net.http.HttpRequest normalRequest = | ||
java.net.http.HttpRequest.newBuilder() | ||
.version(Version.HTTP_2) | ||
.uri(server.httpUri().resolve("/foo")) | ||
.GET() | ||
.build(); | ||
|
||
final ListAppender<ILoggingEvent> logWatcher = new ListAppender<>(); | ||
logWatcher.start(); | ||
final Logger logger = (Logger) LoggerFactory.getLogger(AbstractHttp2ConnectionHandler.class); | ||
logger.setLevel(Level.DEBUG); | ||
logger.addAppender(logWatcher); | ||
|
||
final String bodyNormal = client.send(normalRequest, BodyHandlers.ofString()).body(); | ||
assertThat(bodyNormal).isEmpty(); | ||
|
||
final java.net.http.HttpRequest invalidRequest = | ||
java.net.http.HttpRequest.newBuilder() | ||
.version(Version.HTTP_2) | ||
.uri(server.httpUri().resolve(invalidPath)) | ||
.POST(java.net.http.HttpRequest.BodyPublishers.ofString( | ||
"Hello Armeria!")) | ||
.build(); | ||
|
||
final java.net.http.HttpResponse<String> response = | ||
client.send(invalidRequest, BodyHandlers.ofString()); | ||
assertThat(response.statusCode()).isEqualTo(400); | ||
assertThat(response.body()).contains("Invalid request path"); | ||
|
||
await().untilAsserted(() -> { | ||
assertThat(logWatcher.list) | ||
.anyMatch(event -> { | ||
final String errorMessage = event.getThrowableProxy() | ||
.getMessage(); | ||
return event.getLevel().equals(Level.WARN) && | ||
errorMessage.contains("received a DATA Frame for an invalid stream") && | ||
errorMessage.contains(invalidPath); | ||
}); | ||
}); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Question) Is it correct behavior to close the connection rather than return a 4xx response?
If a malicious user decides to continuously send these type of requests, will other requests on the same connection be penalized?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point.
4xx response might be returned already by
HttpServerHandler
. So we don't need to return a response here.Is it better to silently ignore the incoming DATA frames?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the protocol violations or unexpected errors, a connection is reset with
writeErrorResponse()
.For example, if a malicious user sends a wrong
content-length
, the connection which the request was sent will be closed as well.However, the
HttpServerHandler
who handled the request did not close the connection. So it makes more sense to keep the connection.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe I misunderstood the current codebase, but wouldn't only the stream be closed in this case?
armeria/core/src/main/java/com/linecorp/armeria/server/Http2RequestDecoder.java
Line 150 in b9dc1ad
Since the connection will be closed only if
streamId == 0
Anyways, sorry about the late check. I agree with the approach 👍