I sent the following email message to [email protected] about
a month ago and received no response, so I'm trying my luck here:

Hi,


We wanted to report that gRPC's current behavior may lead to an attack
similar to “parameter pollution”.
When sending a request to a gRPC endpoint and repeating the same field 
index with the same wire type but different values, the gRPC implementation 
will pass to the application endpoint only the last occurrence.

This behavior may lead to a situation in which proxies or WAFs that try
to make decisions according to the field value may be fooled if their
protobuf parser processes the first occurrence of the field instead of
the last one.
In our view the expected behavior should be denying protobuf messages 
containing repeated instances of the same field when the field was not 
explicitly set with the “repeated” keyword in the proto file.
Attaching the proto file we used and the message we sent.
Thanks,

Gal
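The wire-level behavior described above, as an added example that is not part of the original post or of gRPC's own code: a minimal protobuf wire-format scanner that lists every field occurrence in order, reproduces the "last occurrence wins" view a standard decoder hands to the application, and flags a non-repeated field number that appears more than once, which is the check a proxy or WAF needs before making a decision on a field value. The schema `message Req { int32 user_id = 1; string op = 2; }` and the message bytes are constructed for the demo.

```python
# Added example (not the post's code): minimal protobuf wire scanner that flags duplicated non-repeated fields.
def decode_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7

def scan_fields(buf):
    """Yield (field_number, wire_type, raw_value) for every occurrence, in order."""
    pos = 0
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        field, wt = tag >> 3, tag & 7
        if wt == 0:                      # varint
            val, pos = decode_varint(buf, pos)
        elif wt == 2:                    # length-delimited: string/bytes/submessage
            ln, pos = decode_varint(buf, pos)
            val, pos = buf[pos:pos + ln], pos + ln
        elif wt in (1, 5):               # fixed64 / fixed32
            width = 8 if wt == 1 else 4
            val, pos = buf[pos:pos + width], pos + width
        else:
            raise ValueError(f"unsupported wire type {wt}")
        if pos > len(buf):
            raise ValueError("truncated field payload")
        yield field, wt, val

def duplicate_scalar_fields(buf, repeated_fields=frozenset()):
    """Field numbers seen more than once that the schema does not declare repeated."""
    seen, dups = set(), set()
    for field, _, _ in scan_fields(buf):
        if field in seen and field not in repeated_fields:
            dups.add(field)
        seen.add(field)
    return dups

def last_occurrence_wins(buf):
    """What a standard decoder hands the application: the last value per field."""
    return {field: val for field, _, val in scan_fields(buf)}

# Constructed bytes for the hypothetical `message Req { int32 user_id = 1; string op = 2; }`:
# user_id=7, op="read", then user_id=9 again (same field number, same wire type, new value).
POLLUTED = bytes([0x08, 0x07, 0x12, 0x04]) + b"read" + bytes([0x08, 0x09])
```

A gateway that rejects a message when `duplicate_scalar_fields` is non-empty for its schema sees the same single value the backend would, instead of inspecting 7 while the application acts on 9.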

--
You received this message because you are subscribed to the Google Groups
"grpc.io" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/grpc-io/5765a926-cad8-45df-92eb-84a54ef9b7e1n%40googlegroups.com.