UNDERTOW-881 AJP and HTTP/2 listeners ignore max header and parameter…

… limits

core/src/main/java/io/undertow/UndertowMessages.java

@@ -150,7 +150,7 @@ public interface UndertowMessages {
     RuntimeException tooManyQueryParameters(int noParams);
 
     @Message(id = 40, value = "To many headers, cannot have more than %s header")
-    RuntimeException tooManyHeaders(int noParams);
+    String tooManyHeaders(int noParams);
 
     @Message(id = 41, value = "Channel is closed")
     ClosedChannelException channelIsClosed();

core/src/main/java/io/undertow/UndertowOptions.java

@@ -77,6 +77,8 @@ public class UndertowOptions {
      */
     public static final Option<Integer> NO_REQUEST_TIMEOUT = Option.simple(UndertowOptions.class, "NO_REQUEST_TIMEOUT", Integer.class);
 
+    public static final int DEFAULT_MAX_PARAMETERS = 1000;
+
     /**
      * The maximum number of parameters that will be parsed. This is used to protect against hash vulnerabilities.
      * <p>
@@ -87,6 +89,8 @@ public class UndertowOptions {
      */
     public static final Option<Integer> MAX_PARAMETERS = Option.simple(UndertowOptions.class, "MAX_PARAMETERS", Integer.class);
 
+    public static final int DEFAULT_MAX_HEADERS = 200;
+
     /**
      * The maximum number of headers that will be parsed. This is used to protect against hash vulnerabilities.
      * <p>

core/src/main/java/io/undertow/protocols/alpn/OpenSSLAlpnProvider.java

@@ -50,7 +50,7 @@ public OpenSSLALPNMethods run() {
                     UndertowLogger.ROOT_LOGGER.debug("OpenSSL ALPN Enabled");
                     return new OpenSSLALPNMethods(setApplicationProtocols, getApplicationProtocol);
                 } catch (Throwable e) {
-                    UndertowLogger.ROOT_LOGGER.debug("OpenSSL ALPN Enabled", e);
+                    UndertowLogger.ROOT_LOGGER.debug("OpenSSL ALPN disabled", e);
                     return null;
                 }
             }

core/src/main/java/io/undertow/protocols/http2/Http2Channel.java

@@ -137,6 +137,7 @@ public class Http2Channel extends AbstractFramedChannel<Http2Channel, AbstractHt
     private int sendMaxFrameSize = DEFAULT_MAX_FRAME_SIZE;
     private int receiveMaxFrameSize = DEFAULT_MAX_FRAME_SIZE;
     private int unackedReceiveMaxFrameSize = DEFAULT_MAX_FRAME_SIZE; //the old max frame size, this gets updated when our setting frame is acked
+    private final int maxHeaders;
 
     /**
      * How much data we have told the remote endpoint we are prepared to accept.
@@ -189,6 +190,7 @@ public Http2Channel(StreamConnection connectedStreamChannel, String protocol, By
         this.initialReceiveWindowSize = settings.get(UndertowOptions.HTTP2_SETTINGS_INITIAL_WINDOW_SIZE, DEFAULT_INITIAL_WINDOW_SIZE);
 
         this.protocol = protocol == null ? Http2OpenListener.HTTP2 : protocol;
+        this.maxHeaders = settings.get(UndertowOptions.MAX_HEADERS, clientSide ? -1 : UndertowOptions.DEFAULT_MAX_HEADERS);
 
         encoderHeaderTableSize = settings.get(UndertowOptions.HTTP2_SETTINGS_HEADER_TABLE_SIZE, Hpack.DEFAULT_TABLE_SIZE);
         receiveMaxFrameSize = settings.get(UndertowOptions.HTTP2_SETTINGS_MAX_FRAME_SIZE, DEFAULT_MAX_FRAME_SIZE);
@@ -837,6 +839,10 @@ HpackDecoder getDecoder() {
         return decoder;
     }
 
+    int getMaxHeaders() {
+        return maxHeaders;
+    }
+
     int getPaddingBytes() {
         if(paddingRandom == null) {
             return 0;

core/src/main/java/io/undertow/protocols/http2/Http2FrameHeaderParser.java

@@ -85,7 +85,7 @@ public boolean handle(final ByteBuffer byteBuffer) throws IOException {
                     if (streamId == 0) {
                         throw new ConnectionErrorException(Http2Channel.ERROR_PROTOCOL_ERROR, UndertowMessages.MESSAGES.streamIdMustNotBeZeroForFrameType(Http2Channel.FRAME_TYPE_HEADERS));
                     }
-                    parser = new Http2HeadersParser(length, http2Channel.getDecoder(), http2Channel.isClient(), streamId);
+                    parser = new Http2HeadersParser(length, http2Channel.getDecoder(), http2Channel.isClient(), http2Channel.getMaxHeaders(), streamId);
                     if(allAreClear(flags, Http2Channel.HEADERS_FLAG_END_HEADERS)) {
                         continuationParser = (Http2HeadersParser) parser;
                     }
@@ -112,7 +112,7 @@ public boolean handle(final ByteBuffer byteBuffer) throws IOException {
                     break;
                 }
                 case FRAME_TYPE_PUSH_PROMISE: {
-                    parser = new Http2PushPromiseParser(length, http2Channel.getDecoder(), http2Channel.isClient(), streamId);
+                    parser = new Http2PushPromiseParser(length, http2Channel.getDecoder(), http2Channel.isClient(), http2Channel.getMaxHeaders(), streamId);
                     if(allAreClear(flags, Http2Channel.HEADERS_FLAG_END_HEADERS)) {
                         continuationParser = (Http2HeadersParser) parser;
                     }

core/src/main/java/io/undertow/protocols/http2/Http2HeaderBlockParser.java

@@ -47,6 +47,7 @@ abstract class Http2HeaderBlockParser extends Http2PushBackParser implements Hpa
     private boolean invalid = false;
     private boolean processingPseudoHeaders = true;
     private final boolean client;
+    private final int maxHeaders;
 
     private int currentPadding;
     private final int streamId;
@@ -63,15 +64,19 @@ abstract class Http2HeaderBlockParser extends Http2PushBackParser implements Hpa
         SERVER_HEADERS = Collections.unmodifiableSet(server);
     }
 
-    Http2HeaderBlockParser(int frameLength, HpackDecoder decoder, boolean client, int streamId) {
+    Http2HeaderBlockParser(int frameLength, HpackDecoder decoder, boolean client, int maxHeaders, int streamId) {
         super(frameLength);
         this.decoder = decoder;
         this.client = client;
+        this.maxHeaders = maxHeaders;
         this.streamId = streamId;
     }
 
     @Override
     protected void handleData(ByteBuffer resource, Http2FrameHeaderParser header) throws IOException {
+        if(maxHeaders > 0 && headerMap.size() >= maxHeaders) {
+            throw new IOException(UndertowMessages.MESSAGES.tooManyHeaders(maxHeaders));
+        }
         boolean continuationFramesComing = Bits.anyAreClear(header.flags, Http2Channel.HEADERS_FLAG_END_HEADERS);
         if (frameRemaining == -1) {
             frameRemaining = header.length;

core/src/main/java/io/undertow/protocols/http2/Http2HeadersParser.java

@@ -35,8 +35,8 @@ class Http2HeadersParser extends Http2HeaderBlockParser {
     private boolean headersEndStream = false;
     private boolean exclusive;
 
-    Http2HeadersParser(int frameLength, HpackDecoder hpackDecoder, boolean client, int streamId) {
-        super(frameLength, hpackDecoder, client, streamId);
+    Http2HeadersParser(int frameLength, HpackDecoder hpackDecoder, boolean client,int maxHeaders, int streamId) {
+        super(frameLength, hpackDecoder, client, maxHeaders, streamId);
     }
 
     @Override

core/src/main/java/io/undertow/protocols/http2/Http2PushPromiseParser.java

@@ -33,8 +33,8 @@ class Http2PushPromiseParser extends Http2HeaderBlockParser {
     private int promisedStreamId;
     private static final int STREAM_MASK = ~(1 << 7);
 
-    Http2PushPromiseParser(int frameLength, HpackDecoder hpackDecoder, boolean client, int streamId) {
-        super(frameLength, hpackDecoder, client, streamId);
+    Http2PushPromiseParser(int frameLength, HpackDecoder hpackDecoder, boolean client, int maxHeaders, int streamId) {
+        super(frameLength, hpackDecoder, client, maxHeaders, streamId);
     }
 
     @Override

core/src/main/java/io/undertow/server/Connectors.java

@@ -19,6 +19,7 @@
 package io.undertow.server;
 
 import io.undertow.UndertowLogger;
+import io.undertow.UndertowOptions;
 import io.undertow.server.handlers.Cookie;
 import io.undertow.util.DateUtils;
 import io.undertow.util.Headers;
@@ -236,15 +237,25 @@ public static void executeRootHandler(final HttpHandler handler, final HttpServe
         }
     }
 
-
     /**
      * Sets the request path and query parameters, decoding to the requested charset.
      *
      * @param exchange    The exchange
      * @param encodedPath        The encoded path
      * @param charset     The charset
      */
+    @Deprecated
     public static void setExchangeRequestPath(final HttpServerExchange exchange, final String encodedPath, final String charset, boolean decode, final boolean allowEncodedSlash, StringBuilder decodeBuffer) {
+        setExchangeRequestPath(exchange, encodedPath, charset, decode, allowEncodedSlash, decodeBuffer, exchange.getConnection().getUndertowOptions().get(UndertowOptions.MAX_PARAMETERS, UndertowOptions.DEFAULT_MAX_PARAMETERS));
+    }
+        /**
+         * Sets the request path and query parameters, decoding to the requested charset.
+         *
+         * @param exchange    The exchange
+         * @param encodedPath        The encoded path
+         * @param charset     The charset
+         */
+    public static void setExchangeRequestPath(final HttpServerExchange exchange, final String encodedPath, final String charset, boolean decode, final boolean allowEncodedSlash, StringBuilder decodeBuffer, int maxParameters) {
         boolean requiresDecode = false;
         for (int i = 0; i < encodedPath.length(); ++i) {
             char c = encodedPath.charAt(i);
@@ -261,7 +272,7 @@ public static void setExchangeRequestPath(final HttpServerExchange exchange, fin
                 exchange.setRequestURI(encodedPart);
                 final String qs = encodedPath.substring(i + 1);
                 exchange.setQueryString(qs);
-                URLUtils.parseQueryString(qs, exchange, charset, decode);
+                URLUtils.parseQueryString(qs, exchange, charset, decode, maxParameters);
                 return;
             } else if(c == ';') {
                 String part;
@@ -277,15 +288,15 @@ public static void setExchangeRequestPath(final HttpServerExchange exchange, fin
                     if (encodedPath.charAt(j) == '?') {
                         exchange.setRequestURI(encodedPath.substring(0, j));
                         String pathParams = encodedPath.substring(i + 1, j);
-                        URLUtils.parsePathParms(pathParams, exchange, charset, decode);
+                        URLUtils.parsePathParms(pathParams, exchange, charset, decode, maxParameters);
                         String qs = encodedPath.substring(j + 1);
                         exchange.setQueryString(qs);
-                        URLUtils.parseQueryString(qs, exchange, charset, decode);
+                        URLUtils.parseQueryString(qs, exchange, charset, decode, maxParameters);
                         return;
                     }
                 }
                 exchange.setRequestURI(encodedPath);
-                URLUtils.parsePathParms(encodedPath.substring(i + 1), exchange, charset, decode);
+                URLUtils.parsePathParms(encodedPath.substring(i + 1), exchange, charset, decode, maxParameters);
                 return;
             } else if(c == '%' || c == '+') {
                 requiresDecode = true;

core/src/main/java/io/undertow/server/protocol/ajp/AjpOpenListener.java

@@ -90,7 +90,7 @@ public AjpOpenListener(final ByteBufferPool pool, final OptionMap undertowOption
         PooledByteBuffer buf = pool.allocate();
         this.bufferSize = buf.getBuffer().remaining();
         buf.close();
-        parser = new AjpRequestParser(undertowOptions.get(URL_CHARSET, StandardCharsets.UTF_8.name()), undertowOptions.get(DECODE_URL, true));
+        parser = new AjpRequestParser(undertowOptions.get(URL_CHARSET, StandardCharsets.UTF_8.name()), undertowOptions.get(DECODE_URL, true), undertowOptions.get(UndertowOptions.MAX_PARAMETERS, UndertowOptions.DEFAULT_MAX_PARAMETERS), undertowOptions.get(UndertowOptions.MAX_HEADERS, UndertowOptions.DEFAULT_MAX_HEADERS));
         connectorStatistics = new ConnectorStatisticsImpl();
         statisticsEnabled = undertowOptions.get(UndertowOptions.ENABLE_CONNECTOR_STATISTICS, false);
     }
@@ -165,7 +165,7 @@ public void setUndertowOptions(final OptionMap undertowOptions) {
         }
         this.undertowOptions = undertowOptions;
         statisticsEnabled = undertowOptions.get(UndertowOptions.ENABLE_CONNECTOR_STATISTICS, false);
-        parser = new AjpRequestParser(undertowOptions.get(URL_CHARSET, StandardCharsets.UTF_8.name()), undertowOptions.get(DECODE_URL, true));
+        parser = new AjpRequestParser(undertowOptions.get(URL_CHARSET, StandardCharsets.UTF_8.name()), undertowOptions.get(DECODE_URL, true), undertowOptions.get(UndertowOptions.MAX_PARAMETERS, UndertowOptions.DEFAULT_MAX_PARAMETERS), undertowOptions.get(UndertowOptions.MAX_HEADERS, UndertowOptions.DEFAULT_MAX_HEADERS));
     }
 
     @Override

core/src/main/java/io/undertow/server/protocol/ajp/AjpRequestParser.java

@@ -67,6 +67,8 @@ public class AjpRequestParser {
 
     private final String encoding;
     private final boolean doDecode;
+    private final int maxParameters;
+    private final int maxHeaders;
 
     private static final HttpString[] HTTP_HEADERS;
 
@@ -169,13 +171,15 @@ public class AjpRequestParser {
         ATTRIBUTES[13] = STORED_METHOD;
     }
 
-    public AjpRequestParser(String encoding, boolean doDecode) {
+    public AjpRequestParser(String encoding, boolean doDecode, int maxParameters, int maxHeaders) {
         this.encoding = encoding;
         this.doDecode = doDecode;
+        this.maxParameters = maxParameters;
+        this.maxHeaders = maxHeaders;
     }
 
 
-    public void parse(final ByteBuffer buf, final AjpRequestParseState state, final HttpServerExchange exchange) throws IOException {
+    public void parse(final ByteBuffer buf, final AjpRequestParseState state, final HttpServerExchange exchange) throws IOException, BadRequestException {
         if (!buf.hasRemaining()) {
             return;
         }
@@ -250,7 +254,7 @@ public void parse(final ByteBuffer buf, final AjpRequestParseState state, final
                         exchange.setRequestURI(result.value);
                         exchange.setRequestPath(res);
                         exchange.setRelativePath(res);
-                        URLUtils.parsePathParms(result.value.substring(colon + 1), exchange, encoding, doDecode && result.containsUrlCharacters);
+                        URLUtils.parsePathParms(result.value.substring(colon + 1), exchange, encoding, doDecode && result.containsUrlCharacters, maxParameters);
                     }
                 } else {
                     state.state = AjpRequestParseState.READING_REQUEST_URI;
@@ -313,6 +317,9 @@ public void parse(final ByteBuffer buf, final AjpRequestParseState state, final
                     return;
                 } else {
                     state.numHeaders = result.value;
+                    if(state.numHeaders > maxHeaders) {
+                        throw new BadRequestException(UndertowMessages.MESSAGES.tooManyHeaders(state.numHeaders));
+                    }
                 }
             }
             case AjpRequestParseState.READING_HEADERS: {
@@ -394,7 +401,7 @@ public void parse(final ByteBuffer buf, final AjpRequestParseState state, final
                     if (state.currentAttribute.equals(QUERY_STRING)) {
                         String resultAsQueryString = result == null ? "" : result;
                         exchange.setQueryString(resultAsQueryString);
-                        URLUtils.parseQueryString(resultAsQueryString, exchange, encoding, doDecode);
+                        URLUtils.parseQueryString(resultAsQueryString, exchange, encoding, doDecode, maxParameters);
                     } else if (state.currentAttribute.equals(REMOTE_USER)) {
                         exchange.putAttachment(ExternalAuthenticationMechanism.EXTERNAL_PRINCIPAL, result);
                     } else if (state.currentAttribute.equals(AUTH_TYPE)) {
@@ -555,6 +562,11 @@ enum StringType {
         URL,
         QUERY_STRING,
         OTHER
+    }
 
+    public static class BadRequestException extends Exception {
+        public BadRequestException(String msg) {
+            super(msg);
+        }
     }
 }