He-Pin opened a new pull request, #1088: URL: https://github.com/apache/pekko-http/pull/1088
### Motivation Netty PR [#16971](https://github.com/netty/netty/pull/16971) fixed an HTTP request-smuggling vulnerability: `HttpVersion.valueOf()` called `String.trim()` before matching the version token, silently stripping boundary control bytes (NUL, CR, LF, VT, FF) and allowing requests like `GET / \x00HTTP/1.1` to decode as clean HTTP/1.1. Pekko HTTP uses byte-level exact matching at fixed offsets in `HttpMessageParser.parseProtocol` (`HttpMessageParser.scala:130-140`) — no `trim()` or whitespace/control-character stripping. Analysis confirms Pekko HTTP is **not affected** by this vulnerability: a NUL byte in the request line is consumed into the URI by `parseRequestTarget` and rejected by the URI parser before the version token is ever reached. However, no existing test in `RequestParserSpec` exercises this code path with control characters. This PR adds a directional test to lock in the behavior and prevent regressions from future parsing refactors. ### Modification Add a directional test case `"a NUL byte in the request target (Netty PR #16971 analogue)"` in `RequestParserSpec` that feeds a NUL byte inside the request target and asserts the parser rejects the request with `BadRequest` and an `"Illegal request-target"` error summary. ### Result The test suite now explicitly covers control-character rejection in the request line, guarding against regressions from future parsing refactors that might introduce `trim()`-like behavior. ### Tests - `sbt "http-core / Test / testOnly *RequestParserCRLFSpec *RequestParserLFSpec"` — 106 tests passed, 0 failed ### References - Refs #1087 - Refs https://github.com/netty/netty/pull/16971 - Refs https://github.com/netty/netty/issues/16970 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
