This is an automated email from the ASF dual-hosted git repository.
He-Pin pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pekko-http.git
The following commit(s) were added to refs/heads/main by this push:
new 6a9601570 test: add directional test for NUL byte in request target
(#1088)
6a9601570 is described below
commit 6a96015701a27b2c456c4d18af208662840a5bd2
Author: He-Pin(kerr) <[email protected]>
AuthorDate: Wed Jun 24 15:56:23 2026 +0800
test: add directional test for NUL byte in request target (#1088)
Motivation:
A request-smuggling class of vulnerability exists when HTTP parsers
silently strip boundary control bytes (NUL, CR, LF, VT, FF) from
the version token before matching. Pekko HTTP uses byte-level exact
matching in parseProtocol and is not affected, but no existing test
exercises this code path with control characters.
Modification:
Add a directional test in RequestParserSpec that feeds a NUL byte
inside the request target and asserts the parser rejects the request
with a BadRequest status and an "Illegal request-target" error.
Result:
The test suite now explicitly covers control-character rejection in
the request line, guarding against regressions from future parsing
refactors that might introduce trim-like behavior.
Tests:
- sbt "http-core / Test / testOnly *RequestParserCRLFSpec
*RequestParserLFSpec"
106 tests passed, 0 failed
References:
Refs #1087, Refs https://github.com/netty/netty/issues/16970
---
.../pekko/http/impl/engine/parsing/RequestParserSpec.scala | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git
a/http-core/src/test/scala/org/apache/pekko/http/impl/engine/parsing/RequestParserSpec.scala
b/http-core/src/test/scala/org/apache/pekko/http/impl/engine/parsing/RequestParserSpec.scala
index 161dda7e0..6782492d3 100644
---
a/http-core/src/test/scala/org/apache/pekko/http/impl/engine/parsing/RequestParserSpec.scala
+++
b/http-core/src/test/scala/org/apache/pekko/http/impl/engine/parsing/RequestParserSpec.scala
@@ -625,6 +625,16 @@ abstract class RequestParserSpec(mode: String, newLine:
String) extends AnyFreeS
ErrorInfo("The server does not support the HTTP protocol version
used in the request."))
}
+ "a NUL byte in the request target" in new Test {
+ val result = multiParse(newParser)(Seq("GET /\u0000HTTP/1.1
HTTP/1.1\r\n"))
+ result.length shouldEqual 1
+ result.head match {
+ case Left(MessageStartError(BadRequest, info)) =>
+ info.summary should startWith("Illegal request-target")
+ case other => fail(s"Expected BadRequest MessageStartError but got
$other")
+ }
+ }
+
"with an illegal char in a header name" in new Test {
"""GET / HTTP/1.1
|User@Agent: curl/7.19.7""" should parseToError(BadRequest,
ErrorInfo("Illegal character '@' in header name"))
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]