He-Pin opened a new issue, #1087:
URL: https://github.com/apache/pekko-http/issues/1087

   ### Motivation
   
   Netty PR [#16971](https://github.com/netty/netty/pull/16971) fixes an HTTP 
request-smuggling vulnerability: `HttpVersion.valueOf()` called `String.trim()` 
before matching the version token, which silently stripped boundary control 
bytes (NUL, CR, LF, VT, FF) and allowed requests like `GET / \x00HTTP/1.1` to 
decode as clean HTTP/1.1.
   
   Pekko HTTP uses a fundamentally different parsing strategy — byte-by-byte 
exact matching at fixed offsets in `HttpMessageParser.parseProtocol` 
(`HttpMessageParser.scala:130-140`) with no `trim()` or 
whitespace/control-character stripping. Analysis confirms that Pekko HTTP is 
**not affected** by this vulnerability: the NUL byte is consumed into the URI 
by `parseRequestTarget` and rejected by the URI parser before the version token 
is ever reached.
   
   However, no existing test in `RequestParserSpec` exercises this code path 
with control characters. A directional test should be added to lock in this 
behavior and prevent regressions from future parsing refactors.
   
   ### Modification
   
   Add directional test cases to `RequestParserSpec` that verify control 
characters (NUL) in the request line are rejected with an appropriate error 
status.
   
   ### Result
   
   The test suite will explicitly cover the control-character-in-request-line 
scenario, ensuring that Pekko HTTP continues to reject such malformed requests 
and that any future parsing changes do not introduce a Netty-style `trim()` 
vulnerability.
   
   ### References
   
   - Netty PR: https://github.com/netty/netty/pull/16971
   - Netty issue: https://github.com/netty/netty/issues/16970


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to