He-Pin opened a new pull request, #1088:
URL: https://github.com/apache/pekko-http/pull/1088

   ### Motivation
   
   Netty PR [#16971](https://github.com/netty/netty/pull/16971) fixed an HTTP 
request-smuggling vulnerability: `HttpVersion.valueOf()` called `String.trim()` 
before matching the version token, silently stripping boundary control bytes 
(NUL, CR, LF, VT, FF) and allowing requests like `GET / \x00HTTP/1.1` to decode 
as clean HTTP/1.1.
   
   Pekko HTTP uses byte-level exact matching at fixed offsets in 
`HttpMessageParser.parseProtocol` (`HttpMessageParser.scala:130-140`) — no 
`trim()` or whitespace/control-character stripping. Analysis confirms Pekko 
HTTP is **not affected** by this vulnerability: a NUL byte in the request line 
is consumed into the URI by `parseRequestTarget` and rejected by the URI parser 
before the version token is ever reached.
   
   However, no existing test in `RequestParserSpec` exercises this code path 
with control characters. This PR adds a directional test to lock in the 
behavior and prevent regressions from future parsing refactors.
   
   ### Modification
   
   Add a directional test case `"a NUL byte in the request target (Netty PR 
#16971 analogue)"` in `RequestParserSpec` that feeds a NUL byte inside the 
request target and asserts the parser rejects the request with `BadRequest` and 
an `"Illegal request-target"` error summary.
   
   ### Result
   
   The test suite now explicitly covers control-character rejection in the 
request line, guarding against regressions from future parsing refactors that 
might introduce `trim()`-like behavior.
   
   ### Tests
   
   - `sbt "http-core / Test / testOnly *RequestParserCRLFSpec 
*RequestParserLFSpec"` — 106 tests passed, 0 failed
   
   ### References
   
   - Refs #1087
   - Refs https://github.com/netty/netty/pull/16971
   - Refs https://github.com/netty/netty/issues/16970


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to