finagle: upgrade Netty to 4.1.67.Final

Problem: There is a new Netty release. Solution: Upgrade to netty 4.1.67.Final and netty-tcnative 2.0.40.Final Refer release notes for detail: ```https://netty.io/news/2021/08/16/4-1-67-Final.html``` There are two major changes that have affected our libraries: 1. The PoolChunk API now requires an Object "base" and no longer accepts an int "offset" See netty/netty@2071086 2. A patch for possible request smuggling now ensures that the content-length header is validated. We had been exploiting this vulnerability where we added callback information to responses without updating the content length. This is now fixed. See GHSA-wm47-8v5p-wjpj JIRA Issues: CSL-11245 Differential Revision: https://phabricator.twitter.biz/D726343
twitter · Aug 20, 2021 · c373fc0 · c373fc0
1 parent 7cd4537
commit c373fc0
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 5 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -10,6 +10,8 @@ Unreleased
 Runtime Behavior Changes
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
+* finagle: Upgrade to Netty 4.1.67.Final and netty-tcnative 2.0.40.Final. ``PHAB_ID=D726343``
+
 * finagle: Bump version of Jackson to 2.11.4. ``PHAB_ID=D727879``
 
 21.8.0 (No 21.7.0 Release)

diff --git a/build.sbt b/build.sbt
@@ -9,8 +9,8 @@ val releaseVersion = "21.9.0-SNAPSHOT"
 
 val libthriftVersion = "0.10.0"
 
-val defaultNetty4Version = "4.1.59.Final"
-val defaultNetty4StaticSslVersion = "2.0.35.Final"
+val defaultNetty4Version = "4.1.67.Final"
+val defaultNetty4StaticSslVersion = "2.0.40.Final"
 
 val useNettySnapshot: Boolean = sys.env.get("FINAGLE_USE_NETTY_4_SNAPSHOT") match {
   case Some(useSnapshot) => useSnapshot.toBoolean

diff --git a/finagle-http/src/main/scala/com/twitter/finagle/http/filter/JsonpFilter.scala b/finagle-http/src/main/scala/com/twitter/finagle/http/filter/JsonpFilter.scala
@@ -40,6 +40,11 @@ class JsonpFilter[Req <: Request] extends SimpleFilter[Req, Response] {
           )
         )
         response.mediaType = MediaType.Javascript
+        response.contentLength match {
+          case Some(len: Long) =>
+            response.contentLength = len + callback.length + JsonpFilter.ExtraCharacters
+          case None => // Likely using Transfer-Encoding instead, no-op
+        }
       }
       response
     }
@@ -69,4 +74,5 @@ object JsonpFilter extends JsonpFilter[Request] {
   private val RightParenSemicolon = Buf.Utf8(");")
   // Prepended to address CVE-2014-4671
   private val Comment = Buf.Utf8("/**/")
+  private val ExtraCharacters = 7
 }
diff --git a/finagle-netty4-http/src/main/scala/com/twitter/finagle/netty4/http/Bijections.scala b/finagle-netty4-http/src/main/scala/com/twitter/finagle/netty4/http/Bijections.scala
@@ -193,7 +193,7 @@ private[finagle] object Bijections {
           result.headers
             .add(NettyHttp.HttpHeaderNames.TRANSFER_ENCODING, NettyHttp.HttpHeaderValues.CHUNKED)
         } else {
-          // Make sure we don't have a `Transfer-Encooding: chunked` header and `Content-Length` headers
+          // Make sure we don't have a `Transfer-Encoding: chunked` header and `Content-Length` headers
           result.headers.remove(NettyHttp.HttpHeaderNames.TRANSFER_ENCODING)
         }
         result

diff --git a/finagle-netty4/src/main/scala/com/twitter/finagle/netty4/ssl/FinalizedSslContext.scala b/finagle-netty4/src/main/scala/com/twitter/finagle/netty4/ssl/FinalizedSslContext.scala
@@ -16,9 +16,9 @@ private class FinalizedSslContext(underlying: SslContext) extends SslContext {
 
   def cipherSuites(): JList[String] = underlying.cipherSuites()
 
-  def sessionCacheSize(): Long = underlying.sessionCacheSize()
+  override def sessionCacheSize(): Long = underlying.sessionCacheSize()
 
-  def sessionTimeout(): Long = underlying.sessionTimeout()
+  override def sessionTimeout(): Long = underlying.sessionTimeout()
 
   def applicationProtocolNegotiator(): ApplicationProtocolNegotiator =
     underlying.applicationProtocolNegotiator()