PR feedback. Use System.Uri to validate absolute-URI. Add more tests for malformed requests

Author: Nate McMaster

src/Microsoft.AspNetCore.Server.Kestrel/Internal/Http/Frame.cs

@@ -1030,42 +1030,27 @@ public RequestLineStatus TakeStartLine(SocketInput input)
                 // begin consuming request-target
                 begin = scan;
 
-                var targetIsAbsolute = false;
-                string requestUriScheme;
-                string requestAuthority = null;
-                if (scan.GetKnownHttpSchema(out requestUriScheme))
-                {
-                    // Start-line can contain uri in absolute form. e.g. 'GET http://contoso.com/favicon.ico HTTP/1.1'
-                    // Clients should only send this to proxies, but the spec requires we handle it anyways.
-                    // cref https://tools.ietf.org/html/rfc7230#section-5.3
-
-                    // This will skip over scheme and authority so they do not end up in .Path,
-                    // but preserving the values for rawTarget. We rely on the Host header and 
-                    // server configuration to determine the effective host, port, and 
-                    // for this request.
-
-                    targetIsAbsolute = true;
-                    scan.Skip(requestUriScheme.Length);
-                    begin = scan;
+                var targetBegin = scan;
 
-                    // an absolute URI is not required to end in a slash but host must not be empty
-                    // see https://tools.ietf.org/html/rfc3986#section-4.3
-                    var chNext = scan.Peek();
-                    if (chNext == ByteForwardSlash || chNext == ByteSpace)
+                if (targetBegin.Peek() != ByteForwardSlash)
+                {
+                    string requestUriScheme;
+                    if (scan.GetKnownHttpSchema(out requestUriScheme))
                     {
-                        RejectRequest(RequestRejectionReason.InvalidRequestLine,
-                           Log.IsEnabled(LogLevel.Information) ? start.GetAsciiStringEscaped(end, MaxInvalidRequestLineChars) : string.Empty);
-                    }
+                        // Start-line can contain uri in absolute form. e.g. 'GET http://contoso.com/favicon.ico HTTP/1.1'
+                        // Clients should only send this to proxies, but the spec requires we handle it anyways.
+                        // cref https://tools.ietf.org/html/rfc7230#section-5.3
+                        
+                        scan.Skip(requestUriScheme.Length);
 
-                    if (scan.Seek(ByteForwardSlash, ByteSpace, ref end) == -1)
-                    {
-                        RejectRequest(RequestRejectionReason.InvalidRequestLine,
-                            Log.IsEnabled(LogLevel.Information) ? start.GetAsciiStringEscaped(end, MaxInvalidRequestLineChars) : string.Empty);
+                        if (scan.Seek(ByteForwardSlash, ByteSpace, ref end) == -1)
+                        {
+                            RejectRequest(RequestRejectionReason.InvalidRequestLine,
+                               Log.IsEnabled(LogLevel.Information) ? start.GetAsciiStringEscaped(end, MaxInvalidRequestLineChars) : string.Empty);
+                        }
+                    
+                        begin = scan;
                     }
-
-                    // TODO consider handling UTF-8 host names
-                    requestAuthority = begin.GetAsciiString(ref scan);
-                    begin = scan;
                 }
 
                 var needDecode = false;
@@ -1089,7 +1074,7 @@ public RequestLineStatus TakeStartLine(SocketInput input)
                 var pathBegin = begin;
                 var pathEnd = scan;
 
-                var queryString = "";
+                var queryString = string.Empty;
                 if (chFound == ByteQuestionMark)
                 {
                     begin = scan;
@@ -1103,7 +1088,7 @@ public RequestLineStatus TakeStartLine(SocketInput input)
 
                 var queryEnd = scan;
 
-                if (pathBegin.Peek() == ByteSpace && !targetIsAbsolute)
+                if (pathBegin.Peek() == ByteSpace && targetBegin.Index == pathBegin.Index)
                 {
                     RejectRequest(RequestRejectionReason.InvalidRequestLine,
                         Log.IsEnabled(LogLevel.Information) ? start.GetAsciiStringEscaped(end, MaxInvalidRequestLineChars) : string.Empty);
@@ -1146,11 +1131,11 @@ public RequestLineStatus TakeStartLine(SocketInput input)
                 // Multibyte Internationalized Resource Identifiers (IRIs) are first converted to utf8;
                 // then encoded/escaped to ASCII  https://www.ietf.org/rfc/rfc3987.txt "Mapping of IRIs to URIs"
                 string requestUrlPath;
-                string rawUrlPath;
+                string rawTarget;
                 if (needDecode)
                 {
                     // Read raw target before mutating memory.
-                    rawUrlPath = pathBegin.GetAsciiString(ref queryEnd);
+                    rawTarget = targetBegin.GetAsciiString(ref queryEnd);
 
                     // URI was encoded, unescape and then parse as utf8
                     pathEnd = UrlPathDecoder.Unescape(pathBegin, pathEnd);
@@ -1161,15 +1146,30 @@ public RequestLineStatus TakeStartLine(SocketInput input)
                     // URI wasn't encoded, parse as ASCII
                     requestUrlPath = pathBegin.GetAsciiString(ref pathEnd);
 
-                    if (queryString.Length == 0)
+                    if (queryString.Length == 0 && targetBegin.Index == pathBegin.Index)
                     {
                         // No need to allocate an extra string if the path didn't need
-                        // decoding and there's no query string following it.
-                        rawUrlPath = requestUrlPath;
+                        // decoding and there's no query string following it, and the
+                        // request-target isn't absolute-form
+                        rawTarget = requestUrlPath;
                     }
                     else
                     {
-                        rawUrlPath = pathBegin.GetAsciiString(ref queryEnd);
+                        rawTarget = targetBegin.GetAsciiString(ref queryEnd);
+                    }
+                }
+
+                if (targetBegin.Index < pathBegin.Index)
+                {
+                    // validation of absolute-form URI may be slow, but clients
+                    // should not be sending this form anyways, so perf optimization 
+                    // not high priority
+
+                    Uri _;
+                    if (!Uri.TryCreate(rawTarget, UriKind.Absolute, out _))
+                    {
+                        RejectRequest(RequestRejectionReason.InvalidRequestLine,
+                        Log.IsEnabled(LogLevel.Information) ? start.GetAsciiStringEscaped(end, MaxInvalidRequestLineChars) : string.Empty);
                     }
                 }
 
@@ -1180,9 +1180,7 @@ public RequestLineStatus TakeStartLine(SocketInput input)
                 consumed = scan;
                 Method = method;
                 QueryString = queryString;
-                RawTarget = targetIsAbsolute
-                    ? requestUriScheme + requestAuthority + rawUrlPath
-                    : rawUrlPath;
+                RawTarget = rawTarget;
                 HttpVersion = httpVersion;
 
                 bool caseMatches;
@@ -1191,7 +1189,7 @@ public RequestLineStatus TakeStartLine(SocketInput input)
                     PathBase = caseMatches ? _pathBase : normalizedUrlPath.Substring(0, _pathBase.Length);
                     Path = normalizedUrlPath.Substring(_pathBase.Length);
                 }
-                else if (rawUrlPath?.Length > 0 && rawUrlPath[0] == '/') // check rawUrlPath since normalizedUrlPath can be "" or "/" after dot segment removal
+                else if (requestUrlPath?.Length > 0 && requestUrlPath[0] == '/') // check requestUrlPath since normalizedUrlPath can be "" or "/" after dot segment removal
                 {
                     Path = normalizedUrlPath;
                 }

test/Microsoft.AspNetCore.Server.Kestrel.FunctionalTests/RequestTests.cs

@@ -427,8 +427,13 @@ public async Task ThrowsOnReadAfterConnectionError()
         [InlineData("https://localhost:22/abs/path", "/abs/path")] // handles mismatched ports
         [InlineData("https://differenthost/abs/path", "/abs/path")] // handles mismatched hostname
         [InlineData("http://localhost/", "/")]
+        [InlineData("http://[email protected]/path", "/path")]
+        [InlineData("http://root:[email protected]/path", "/path")]
         [InlineData("https://localhost/", "/")]
         [InlineData("http://localhost", "")]
+        [InlineData("http://127.0.0.1/", "/")]
+        [InlineData("http://[::1]/", "/")]
+        [InlineData("http://[::1]:8080/", "/")]
         public async Task CanHandleRequestsWithUrlInAbsoluteForm(string requestUrl, string expectedPath)
         {
             var pathTcs = new TaskCompletionSource<PathString>();

test/Microsoft.AspNetCore.Server.KestrelTests/BadHttpRequestTests.cs

@@ -52,12 +52,26 @@ public class BadHttpRequestTests
         [InlineData("} / HTTP/1.0\r\n")]
         [InlineData("get@ / HTTP/1.0\r\n")]
         [InlineData("post= / HTTP/1.0\r\n")]
-        // malformed request target
+        [InlineData("GET otherscheme://host/ HTTP/1.1\r\n")]
+        [InlineData("GET ws://host/ HTTP/1.1\r\n")]
+        [InlineData("GET wss://host/ HTTP/1.1\r\n")]
+        [InlineData("GET http HTTP/1.1\r\n")]
+        [InlineData("GET http: HTTP/1.1\r\n")]
+        [InlineData("GET http:/ HTTP/1.1\r\n")]
         [InlineData("GET http:// HTTP/1.1\r\n")]
+        [InlineData("GET https HTTP/1.1\r\n")]
+        [InlineData("GET https: HTTP/1.1\r\n")]
+        [InlineData("GET https:/ HTTP/1.1\r\n")]
         [InlineData("GET https:// HTTP/1.1\r\n")]
         [InlineData("GET http:/// HTTP/1.1\r\n")]
         [InlineData("GET http://// HTTP/1.1\r\n")]
-        //[InlineData("GET http://:80/abc HTTP/1.1")]
+        [InlineData("GET http://:80 HTTP/1.1")]
+        [InlineData("GET http://:80/abc HTTP/1.1")]
+        [InlineData("GET http://user@ HTTP/1.1")]
+        [InlineData("GET http://user@/abc HTTP/1.1")]
+        [InlineData("GET http://abc%20xyz/abc HTTP/1.1")]
+        [InlineData("GET http://%20/abc?query=%0A HTTP/1.1")]
+        [InlineData("GET www.contoso.com HTTP/1.1")]
         public async Task TestInvalidRequestLines(string request)
         {
             using (var server = new TestServer(context => TaskCache.CompletedTask))
@@ -88,6 +102,11 @@ public async Task TestInvalidRequestLines(string request)
         [InlineData("GET / HTTP/1.\r\n")]
         [InlineData("GET / hello\r\n")]
         [InlineData("GET / 8charact\r\n")]
+        [InlineData("GET /  HTTP/1.1\r\n")]
+        [InlineData("GET / / HTTP/1.1\r\n")]
+        [InlineData("GET http://  HTTP/1.1\r\n")]
+        [InlineData("GET https://  HTTP/1.1\r\n")]
+        [InlineData("GET https:// / HTTP/1.1\r\n")]
         public async Task TestInvalidRequestLinesWithUnsupportedVersion(string request)
         {
             using (var server = new TestServer(context => TaskCache.CompletedTask))

test/Microsoft.AspNetCore.Server.KestrelTests/FrameTests.cs

@@ -460,6 +460,35 @@ public void TakeStartLineCallsConsumingCompleteWithFurthestExamined()
             Assert.False(_socketInput.IsCompleted);
         }
 
+        [Theory]
+        [InlineData("http://host/abs/path", "/abs/path")]
+        [InlineData("https://host/abs/path", "/abs/path")]
+        [InlineData("https://host:22/abs/path", "/abs/path")]
+        [InlineData("https://user@host:9080/abs/path", "/abs/path")]
+        [InlineData("http://host/", "/")]
+        [InlineData("https://host/", "/")]
+        [InlineData("http://host", "")]
+        [InlineData("http://user@host/", "/")]
+        [InlineData("http://127.0.0.1/", "/")]
+        [InlineData("http://[email protected]/", "/")]
+        [InlineData("http://[email protected]:8080/", "/")]
+        [InlineData("http://127.0.0.1:8080/", "/")]
+        [InlineData("http://[::1]", "")]
+        [InlineData("http://[::1]/path", "/path")]
+        [InlineData("http://[::1]:8080/", "/")]
+        [InlineData("http://user@[::1]:8080/", "/")]
+        public void TakeStartLineHandlesRequestTarget(string rawTarget, string expectedPath)
+        {
+            var firstLine = Encoding.ASCII.GetBytes($"GET {rawTarget} HTTP/1.1\r\n");
+            _socketInput.IncomingData(firstLine, 0, firstLine.Length);
+
+            var status = _frame.TakeStartLine(_socketInput);
+
+            Assert.Equal(Frame.RequestLineStatus.Done, status);
+            Assert.Equal(expectedPath, _frame.Path);
+            Assert.Equal(rawTarget, _frame.RawTarget);
+        }
+
         [Theory]
         [InlineData("", Frame.RequestLineStatus.Empty)]
         [InlineData("G", Frame.RequestLineStatus.Incomplete)]

test/Microsoft.AspNetCore.Server.KestrelTests/MemoryPoolIteratorTests.cs

@@ -612,7 +612,7 @@ public void GetsKnownMethod(string input, bool expectedResult, string expectedKn
         [InlineData("HtTp:// ", false, null)]
         [InlineData("https://", true, MemoryPoolIteratorExtensions.HttpsScheme)]
         [InlineData("https://abc", true, MemoryPoolIteratorExtensions.HttpsScheme)]
-        public void GetKnownHttpSchema(string input, bool expectedResult, string expectedString)
+        public void GetsKnownHttpSchema(string input, bool expectedResult, string expectedString)
         {
             // Test within one block
             var block = _pool.Lease();