Merge pull request from GHSA-84j7-475p-hp8v

header value could inject a CR or LF and inject their own HTTP response.
2022-11-09 13:48:40 -05:00 · 2020-02-27 11:52:27 -06:00 · 2020-02-27 11:52:27 -06:00 · 694feafcd4
commit 694feafcd4
parent 2986bc4ab5
9 changed files with 73 additions and 1 deletions
--- a/benchmarks/wrk/hello.sh
+++ b/benchmarks/wrk/hello.sh
@ -3,6 +3,6 @@
 bundle exec bin/puma -t 4 test/rackup/hello.ru &
 PID1=$!
 sleep 5
-wrk -c 4 --latency http://localhost:9292
+wrk -c 4 -d 30 --latency http://localhost:9292

 kill $PID1
--- a/benchmarks/wrk/many_long_headers.sh
+++ b/benchmarks/wrk/many_long_headers.sh
@ -0,0 +1,6 @@
+bundle exec bin/puma -t 4 test/rackup/many_long_headers.ru &
+PID1=$!
+sleep 5
+wrk -c 4 -d 30 --latency http://localhost:9292
+
+kill $PID1
--- a/benchmarks/wrk/realistic_response.sh
+++ b/benchmarks/wrk/realistic_response.sh
@ -0,0 +1,6 @@
+bundle exec bin/puma -t 4 test/rackup/realistic_response.ru &
+PID1=$!
+sleep 5
+wrk -c 4 -d 30 --latency http://localhost:9292
+
+kill $PID1
--- a/lib/puma/const.rb
+++ b/lib/puma/const.rb
@ -228,6 +228,7 @@ module Puma
    COLON = ": ".freeze

    NEWLINE = "\n".freeze
+    CRLF_REGEX = /[\r\n]/.freeze

    HIJACK_P = "rack.hijack?".freeze
    HIJACK = "rack.hijack".freeze
--- a/lib/puma/server.rb
+++ b/lib/puma/server.rb
@ -681,6 +681,8 @@ module Puma
          status, headers, res_body = @app.call(env)

          return :async if req.hijacked
+          # Checking to see if an attacker is trying to inject headers into the response
+          headers.reject! { |_k, v| CRLF_REGEX =~ v.to_s }

          status = status.to_i

--- a/test/bundle_preservation_test/Gemfile.bundle_env_preservation_test.lock
+++ b/test/bundle_preservation_test/Gemfile.bundle_env_preservation_test.lock
@ -0,0 +1,18 @@
+PATH
+  remote: ../..
+  specs:
+    puma (4.3.1)
+      nio4r (~> 2.0)
+
+GEM
+  specs:
+    nio4r (2.5.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  puma!
+
+BUNDLED WITH
+   1.17.3
--- a/test/rackup/many_long_headers.ru
+++ b/test/rackup/many_long_headers.ru
@ -0,0 +1,9 @@
+require 'securerandom'
+
+long_header_hash = {}
+
+30.times do |i|
+  long_header_hash["X-My-Header-#{i}"] = SecureRandom.hex(1000)
+end
+
+run lambda { |env| [200, long_header_hash, ["Hello World"]] }
--- a/test/rackup/realistic_response.ru
+++ b/test/rackup/realistic_response.ru
@ -0,0 +1,11 @@
+require 'securerandom'
+
+long_header_hash = {}
+
+25.times do |i|
+  long_header_hash["X-My-Header-#{i}"] = SecureRandom.hex(25)
+end
+
+response = SecureRandom.hex(100_000) # A 100kb document
+
+run lambda { |env| [200, long_header_hash.dup, [response.dup]] }
--- a/test/test_puma_server.rb
+++ b/test/test_puma_server.rb
@ -749,4 +749,23 @@ EOF
    # it is set to a reasonable number.
    assert_operator request_body_wait, :>=, 900
  end
+
+  # https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16
+  def test_prevent_response_splitting_headers
+    server_run app: ->(_) { [200, {'X-header' => "malicious\r\nCookie: hack"}, ["Hello"]] }
+    data = send_http_and_read "HEAD / HTTP/1.0\r\n\r\n"
+    refute_match 'hack', data
+  end
+
+  def test_prevent_response_splitting_headers_cr
+    server_run app: ->(_) { [200, {'X-header' => "malicious\rCookie: hack"}, ["Hello"]] }
+    data = send_http_and_read "HEAD / HTTP/1.0\r\n\r\n"
+    refute_match 'hack', data
+  end
+
+  def test_prevent_response_splitting_headers_lf
+    server_run app: ->(_) { [200, {'X-header' => "malicious\nCookie: hack"}, ["Hello"]] }
+    data = send_http_and_read "HEAD / HTTP/1.0\r\n\r\n"
+    refute_match 'hack', data
+  end
 end