He-Pin opened a new issue, #1087: URL: https://github.com/apache/pekko-http/issues/1087
### Motivation Netty PR [#16971](https://github.com/netty/netty/pull/16971) fixes an HTTP request-smuggling vulnerability: `HttpVersion.valueOf()` called `String.trim()` before matching the version token, which silently stripped boundary control bytes (NUL, CR, LF, VT, FF) and allowed requests like `GET / \x00HTTP/1.1` to decode as clean HTTP/1.1. Pekko HTTP uses a fundamentally different parsing strategy — byte-by-byte exact matching at fixed offsets in `HttpMessageParser.parseProtocol` (`HttpMessageParser.scala:130-140`) with no `trim()` or whitespace/control-character stripping. Analysis confirms that Pekko HTTP is **not affected** by this vulnerability: the NUL byte is consumed into the URI by `parseRequestTarget` and rejected by the URI parser before the version token is ever reached. However, no existing test in `RequestParserSpec` exercises this code path with control characters. A directional test should be added to lock in this behavior and prevent regressions from future parsing refactors. ### Modification Add directional test cases to `RequestParserSpec` that verify control characters (NUL) in the request line are rejected with an appropriate error status. ### Result The test suite will explicitly cover the control-character-in-request-line scenario, ensuring that Pekko HTTP continues to reject such malformed requests and that any future parsing changes do not introduce a Netty-style `trim()` vulnerability. ### References - Netty PR: https://github.com/netty/netty/pull/16971 - Netty issue: https://github.com/netty/netty/issues/16970 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
