Skip to content

Gh 511 http header injection fix #512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Apr 30, 2021
Merged

Gh 511 http header injection fix #512

merged 12 commits into from
Apr 30, 2021

Conversation

n0npax
Copy link
Contributor

@n0npax n0npax commented Dec 23, 2020

PoC of solution for issue #511

@google-cla google-cla bot added the cla: yes label Dec 23, 2020
@natebosch
Copy link
Member

cc @lrhn

Should we consider doing this check in an assert?

I don't think I'd frame this as a security issue - it's more of a potential footgun for authors. I don't know how often I'd expect an author to make a mistake with this API, but I'm on board with adding some rails if we think that it's likely. An assert adds some help for authors without any overhead in production.

@n0npax
Copy link
Contributor Author

n0npax commented Dec 23, 2020
edited
Loading

Please have a look at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137 & https://bugs.python.org/issue39603
which is a very similar issue. Base on this I believe it's not just a foot gun, as the same risk exists here.

I'm happy to change contains to assert. I'll update the PR soon. As per: https://dart.dev/guides/language/language-tour#assert I believe using assert is not the right way, as they won't be used all the time. In example, if --enable-asserts is not passed, the assertion may be ignored

@OS-WS
Copy link

OS-WS commented Dec 29, 2020

17bc4bf
Hi, is this commit the fix for CVE-2020-35669?

if not, what is?

@n0npax
Copy link
Contributor Author

n0npax commented Dec 29, 2020

818cff6 is a fix. The remaining commits are just unit tests and some lint fixes.

To fix stuff properly there may be a need to bump the version in https://github.com/dart-lang/http/blob/master/pubspec.yaml#L2 & release, but it's up to maintainers to decide if they prefer 0.13.1 or backport to 0.12.3 🤷🏻‍♂️

@n0npax
Copy link
Contributor Author

n0npax commented Feb 11, 2021

@lrhn can I ask for a review please?

@n0npax
Copy link
Contributor Author

n0npax commented Mar 8, 2021

@kevmoo can I ask for a review please ?

@kevmoo kevmoo requested a review from lrhn March 8, 2021 14:24
@kevmoo
Copy link
Member

kevmoo commented Apr 23, 2021

@lrhn ?

lrhn
lrhn reviewed Apr 26, 2021
View reviewed changes
@lrhn
Copy link
Member

lrhn commented Apr 26, 2021

I'd test this properly, not just in an assert. Any overhead is negligible compared to doing a network request.

I agree that it's probably not a big security issue since you can equally easily do a direct TCP connection and send any request block. If malicious code is running in the same isolate as something else, you should assume that something else to be thoroughly compromised anyway, so unless code is taking the method value as input from a remote source, and not validating it at all (which is already dangerous when one of the values are DELETE), then it's very hard to do something bad with this mis-feature which isn't also possible without it.
It's still an unnecessary risk, someone could be living dangerously and accepting method values from strangers, so we might as well plug it.

@n0npax n0npax marked this pull request as draft April 26, 2021 11:36
@n0npax n0npax marked this pull request as ready for review April 26, 2021 11:53
@n0npax n0npax requested a review from lrhn April 26, 2021 11:54
@lrhn
Copy link
Member

lrhn commented Apr 26, 2021

I don't know if this package uses the dart:io HTTP operations. If it does, we might be able to remove this again when they're fixed. I believe the browser XMLHttpRequest is already validating the method.

@kevmoo
Copy link
Member

kevmoo commented Apr 26, 2021

Should also bump the version and and an entry to the changelog!

@n0npax
Copy link
Contributor Author

n0npax commented Apr 27, 2021

@kevmoo done, hope it's ok 🤞🏻

lrhn
lrhn approved these changes Apr 27, 2021
View reviewed changes
@google-cla
Copy link

google-cla bot commented Apr 29, 2021

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added cla: no and removed cla: yes labels Apr 29, 2021
@natebosch
Copy link
Member

@googlebot I consent.

@google-cla
Copy link

google-cla bot commented Apr 29, 2021

All (the pull request submitter and all commit authors) CLAs are signed, but one or more commits were authored or co-authored by someone other than the pull request submitter.

We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that by leaving a comment that contains only @googlebot I consent. in this pull request.

Note to project maintainer: There may be cases where the author cannot leave a comment, or the comment is not properly detected as consent. In those cases, you can manually confirm consent of the commit author(s), and set the cla label to yes (if enabled on your project).

ℹ️ Googlers: Go here for more info.

@google-cla google-cla bot added cla: yes and removed cla: no labels Apr 29, 2021
@n0npax
Copy link
Contributor Author

n0npax commented Apr 29, 2021

@googlebot I consent.

@natebosch natebosch merged commit abb2bb1 into dart-lang:master Apr 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lrhn lrhn lrhn approved these changes

@natebosch natebosch natebosch approved these changes

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@n0npax @natebosch @OS-WS @kevmoo @lrhn