Skip to content

Verify header field names #191

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Apr 1, 2020
Merged

Verify header field names #191

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6145d2a
HTTPRequest without body: Content-Length shall not be send
fabianfett Mar 31, 2020
4e12944
Verify field names comply with RFC7230
fabianfett Mar 31, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions Sources/AsyncHTTPClient/HTTPClient.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -754,6 +754,8 @@ public struct HTTPClientError: Error, Equatable, CustomStringConvertible {
case redirectLimitReached
case redirectCycleDetected
case uncleanShutdown
case traceRequestWithBody
case invalidHeaderFieldNames([String])
}

private var code: Code
Expand Down Expand Up @@ -798,4 +800,8 @@ public struct HTTPClientError: Error, Equatable, CustomStringConvertible {
public static let redirectCycleDetected = HTTPClientError(code: .redirectCycleDetected)
/// Unclean shutdown
public static let uncleanShutdown = HTTPClientError(code: .uncleanShutdown)
/// A body was sent in a request with method TRACE
public static let traceRequestWithBody = HTTPClientError(code: .traceRequestWithBody)
/// Header field names contain invalid characters
public static func invalidHeaderFieldNames(_ names: [String]) -> HTTPClientError { return HTTPClientError(code: .invalidHeaderFieldNames(names)) }
}
2 changes: 1 addition & 1 deletion Sources/AsyncHTTPClient/HTTPHandler.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -771,7 +771,7 @@ extension TaskHandler: ChannelDuplexHandler {
}

do {
try headers.validate(body: request.body)
try headers.validate(method: request.method, body: request.body)
} catch {
promise?.fail(error)
context.fireErrorCaught(error)
Expand Down
96 changes: 78 additions & 18 deletions Sources/AsyncHTTPClient/RequestValidation.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
//
// This source file is part of the AsyncHTTPClient open source project
//
// Copyright (c) 2018-2019 Apple Inc. and the AsyncHTTPClient project authors
// Copyright (c) 2018-2020 Apple Inc. and the AsyncHTTPClient project authors
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
Expand All @@ -16,7 +16,7 @@ import NIO
import NIOHTTP1

extension HTTPHeaders {
mutating func validate(body: HTTPClient.Body?) throws {
mutating func validate(method: HTTPMethod, body: HTTPClient.Body?) throws {
// validate transfer encoding and content length (https://tools.ietf.org/html/rfc7230#section-3.3.1)
var transferEncoding: String?
var contentLength: Int?
Expand All @@ -29,34 +29,94 @@ extension HTTPHeaders {
self.remove(name: "Transfer-Encoding")
self.remove(name: "Content-Length")

if let body = body {
guard (encodings.filter { $0 == "chunked" }.count <= 1) else {
throw HTTPClientError.chunkedSpecifiedMultipleTimes
try self.validateFieldNames()

guard let body = body else {
// if we don't have a body we might not need to send the Content-Length field
// https://tools.ietf.org/html/rfc7230#section-3.3.2
switch method {
case .GET, .HEAD, .DELETE, .CONNECT, .TRACE:
// A user agent SHOULD NOT send a Content-Length header field when the request
// message does not contain a payload body and the method semantics do not
// anticipate such a body.
return
default:
// A user agent SHOULD send a Content-Length in a request message when
// no Transfer-Encoding is sent and the request method defines a meaning
// for an enclosed payload body.
self.add(name: "Content-Length", value: "0")
return
}
}

if case .TRACE = method {
// A client MUST NOT send a message body in a TRACE request.
// https://tools.ietf.org/html/rfc7230#section-4.3.8
throw HTTPClientError.traceRequestWithBody
}

guard (encodings.filter { $0 == "chunked" }.count <= 1) else {
throw HTTPClientError.chunkedSpecifiedMultipleTimes
}

if encodings.isEmpty {
if encodings.isEmpty {
guard let length = body.length else {
throw HTTPClientError.contentLengthMissing
}
contentLength = length
} else {
transferEncoding = encodings.joined(separator: ", ")
if !encodings.contains("chunked") {
guard let length = body.length else {
throw HTTPClientError.contentLengthMissing
}
contentLength = length
} else {
transferEncoding = encodings.joined(separator: ", ")
if !encodings.contains("chunked") {
guard let length = body.length else {
throw HTTPClientError.contentLengthMissing
}
contentLength = length
}
}
} else {
contentLength = 0
}

// add headers if required
if let enc = transferEncoding {
self.add(name: "Transfer-Encoding", value: enc)
}
if let length = contentLength {
} else if let length = contentLength {
// A sender MUST NOT send a Content-Length header field in any message
// that contains a Transfer-Encoding header field.
self.add(name: "Content-Length", value: String(length))
}
}

func validateFieldNames() throws {
let invalidFieldNames = self.compactMap { (name, _) -> String? in
let satisfy = name.utf8.allSatisfy { (char) -> Bool in
switch char {
case UInt8(ascii: "a")...UInt8(ascii: "z"),
UInt8(ascii: "A")...UInt8(ascii: "Z"),
UInt8(ascii: "0")...UInt8(ascii: "9"),
UInt8(ascii: "!"),
UInt8(ascii: "#"),
UInt8(ascii: "$"),
UInt8(ascii: "%"),
UInt8(ascii: "&"),
UInt8(ascii: "'"),
UInt8(ascii: "*"),
UInt8(ascii: "+"),
UInt8(ascii: "-"),
UInt8(ascii: "."),
UInt8(ascii: "^"),
UInt8(ascii: "_"),
UInt8(ascii: "`"),
UInt8(ascii: "|"),
UInt8(ascii: "~"):
return true
default:
return false
}
}

return satisfy ? nil : name
}

guard invalidFieldNames.count == 0 else {
throw HTTPClientError.invalidHeaderFieldNames(invalidFieldNames)
}
}
}
18 changes: 6 additions & 12 deletions Tests/AsyncHTTPClientTests/HTTPClientTests.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -830,8 +830,7 @@ class HTTPClientTests: XCTestCase {
XCTAssertNoThrow(XCTAssertEqual(.head(.init(version: .init(major: 1, minor: 1),
method: .GET,
uri: "/foo",
headers: HTTPHeaders([("Host", "localhost"),
("Content-Length", "0")]))),
headers: HTTPHeaders([("Host", "localhost")]))),
try web.readInbound()))
XCTAssertNoThrow(XCTAssertEqual(.end(nil),
try web.readInbound()))
Expand Down Expand Up @@ -860,8 +859,7 @@ class HTTPClientTests: XCTestCase {
XCTAssertNoThrow(XCTAssertEqual(.head(.init(version: .init(major: 1, minor: 1),
method: .GET,
uri: "/foo",
headers: HTTPHeaders([("Host", "localhost"),
("Content-Length", "0")]))),
headers: HTTPHeaders([("Host", "localhost")]))),
try web.readInbound()))
XCTAssertNoThrow(XCTAssertEqual(.end(nil),
try web.readInbound()))
Expand All @@ -887,8 +885,7 @@ class HTTPClientTests: XCTestCase {
XCTAssertNoThrow(XCTAssertEqual(.head(.init(version: .init(major: 1, minor: 1),
method: .GET,
uri: "/foo",
headers: HTTPHeaders([("Host", "localhost"),
("Content-Length", "0")]))),
headers: HTTPHeaders([("Host", "localhost")]))),
try web.readInbound()))
XCTAssertNoThrow(XCTAssertEqual(.end(nil),
try web.readInbound()))
Expand Down Expand Up @@ -916,8 +913,7 @@ class HTTPClientTests: XCTestCase {
XCTAssertNoThrow(XCTAssertEqual(.head(.init(version: .init(major: 1, minor: 1),
method: .GET,
uri: "/foo",
headers: HTTPHeaders([("Host", "localhost"),
("Content-Length", "0")]))),
headers: HTTPHeaders([("Host", "localhost")]))),
try web.readInbound()))
XCTAssertNoThrow(XCTAssertEqual(.end(nil),
try web.readInbound()))
Expand Down Expand Up @@ -950,8 +946,7 @@ class HTTPClientTests: XCTestCase {
XCTAssertNoThrow(XCTAssertEqual(.head(.init(version: .init(major: 1, minor: 1),
method: .GET,
uri: "/foo",
headers: HTTPHeaders([("Host", "localhost"),
("Content-Length", "0")]))),
headers: HTTPHeaders([("Host", "localhost")]))),
try web.readInbound()))
XCTAssertNoThrow(XCTAssertEqual(.end(nil),
try web.readInbound()))
Expand Down Expand Up @@ -1166,8 +1161,7 @@ class HTTPClientTests: XCTestCase {
XCTAssertNoThrow(XCTAssertEqual(.head(.init(version: .init(major: 1, minor: 1),
method: .GET,
uri: "/foo",
headers: HTTPHeaders([("Host", "localhost"),
("Content-Length", "0")]))),
headers: HTTPHeaders([("Host", "localhost")]))),
try web.readInbound()))
XCTAssertNoThrow(XCTAssertEqual(.end(nil),
try web.readInbound()))
Expand Down
38 changes: 38 additions & 0 deletions Tests/AsyncHTTPClientTests/RequestValidationTests+XCTest.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
//===----------------------------------------------------------------------===//
//
// This source file is part of the AsyncHTTPClient open source project
//
// Copyright (c) 2018-2019 Apple Inc. and the AsyncHTTPClient project authors
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
//
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//
//
// RequestValidationTests+XCTest.swift
//
import XCTest

///
/// NOTE: This file was generated by generate_linux_tests.rb
///
/// Do NOT edit this file directly as it will be regenerated automatically when needed.
///

extension RequestValidationTests {
static var allTests: [(String, (RequestValidationTests) -> () throws -> Void)] {
return [
("testContentLengthHeaderIsRemovedFromGETIfNoBody", testContentLengthHeaderIsRemovedFromGETIfNoBody),
("testContentLengthHeaderIsAddedToPOSTAndPUTWithNoBody", testContentLengthHeaderIsAddedToPOSTAndPUTWithNoBody),
("testContentLengthHeaderIsChangedIfBodyHasDifferentLength", testContentLengthHeaderIsChangedIfBodyHasDifferentLength),
("testChunkedEncodingDoesNotHaveContentLengthHeader", testChunkedEncodingDoesNotHaveContentLengthHeader),
("testTRACERequestMustNotHaveBody", testTRACERequestMustNotHaveBody),
("testGET_HEAD_DELETE_CONNECTRequestCanHaveBody", testGET_HEAD_DELETE_CONNECTRequestCanHaveBody),
("testInvalidHeaderFieldNames", testInvalidHeaderFieldNames),
("testValidHeaderFieldNames", testValidHeaderFieldNames),
]
}
}
107 changes: 107 additions & 0 deletions Tests/AsyncHTTPClientTests/RequestValidationTests.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
//===----------------------------------------------------------------------===//
//
// This source file is part of the AsyncHTTPClient open source project
//
// Copyright (c) 2020 Apple Inc. and the AsyncHTTPClient project authors
// Licensed under Apache License v2.0
//
// See LICENSE.txt for license information
// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
//
// SPDX-License-Identifier: Apache-2.0
//
//===----------------------------------------------------------------------===//

@testable import AsyncHTTPClient
import NIO
import NIOHTTP1
import XCTest

class RequestValidationTests: XCTestCase {
func testContentLengthHeaderIsRemovedFromGETIfNoBody() {
var headers = HTTPHeaders([("Content-Length", "0")])
XCTAssertNoThrow(try headers.validate(method: .GET, body: .none))
XCTAssertNil(headers.first(name: "Content-Length"))
}

func testContentLengthHeaderIsAddedToPOSTAndPUTWithNoBody() {
var putHeaders = HTTPHeaders()
XCTAssertNoThrow(try putHeaders.validate(method: .PUT, body: .none))
XCTAssertEqual(putHeaders.first(name: "Content-Length"), "0")

var postHeaders = HTTPHeaders()
XCTAssertNoThrow(try postHeaders.validate(method: .POST, body: .none))
XCTAssertEqual(postHeaders.first(name: "Content-Length"), "0")
}

func testContentLengthHeaderIsChangedIfBodyHasDifferentLength() {
var headers = HTTPHeaders([("Content-Length", "0")])
var buffer = ByteBufferAllocator().buffer(capacity: 200)
buffer.writeBytes([UInt8](repeating: 12, count: 200))
XCTAssertNoThrow(try headers.validate(method: .PUT, body: .byteBuffer(buffer)))
XCTAssertEqual(headers.first(name: "Content-Length"), "200")
}

func testChunkedEncodingDoesNotHaveContentLengthHeader() {
var headers = HTTPHeaders([
("Content-Length", "200"),
("Transfer-Encoding", "chunked"),
])
var buffer = ByteBufferAllocator().buffer(capacity: 200)
buffer.writeBytes([UInt8](repeating: 12, count: 200))
XCTAssertNoThrow(try headers.validate(method: .PUT, body: .byteBuffer(buffer)))

// https://tools.ietf.org/html/rfc7230#section-3.3.2
// A sender MUST NOT send a Content-Length header field in any message
// that contains a Transfer-Encoding header field.

XCTAssertNil(headers.first(name: "Content-Length"))
XCTAssertEqual(headers.first(name: "Transfer-Encoding"), "chunked")
}

func testTRACERequestMustNotHaveBody() {
var headers = HTTPHeaders([
("Content-Length", "200"),
("Transfer-Encoding", "chunked"),
])
var buffer = ByteBufferAllocator().buffer(capacity: 200)
buffer.writeBytes([UInt8](repeating: 12, count: 200))
XCTAssertThrowsError(try headers.validate(method: .TRACE, body: .byteBuffer(buffer))) {
XCTAssertEqual($0 as? HTTPClientError, .traceRequestWithBody)
}
}

func testGET_HEAD_DELETE_CONNECTRequestCanHaveBody() {
var buffer = ByteBufferAllocator().buffer(capacity: 100)
buffer.writeBytes([UInt8](repeating: 12, count: 100))

// GET, HEAD, DELETE and CONNECT requests can have a payload. (though uncommon)
let allowedMethods: [HTTPMethod] = [.GET, .HEAD, .DELETE, .CONNECT]
var headers = HTTPHeaders()
for method in allowedMethods {
XCTAssertNoThrow(try headers.validate(method: method, body: .byteBuffer(buffer)))
}
}

func testInvalidHeaderFieldNames() {
var headers = HTTPHeaders([
("Content-Length", "200"),
("User Agent", "Haha"),
])

XCTAssertThrowsError(try headers.validate(method: .GET, body: nil)) { error in
XCTAssertEqual(error as? HTTPClientError, HTTPClientError.invalidHeaderFieldNames(["User Agent"]))
}
}

func testValidHeaderFieldNames() {
var headers = HTTPHeaders([
("abcdefghijklmnopqrstuvwxyz", "Haha"),
("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "Haha"),
("0123456789", "Haha"),
("!#$%&'*+-.^_`|~", "Haha"),
])

XCTAssertNoThrow(try headers.validate(method: .GET, body: nil))
}
}
1 change: 1 addition & 0 deletions Tests/LinuxMain.swift
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,5 +29,6 @@ import XCTest
testCase(HTTPClientCookieTests.allTests),
testCase(HTTPClientInternalTests.allTests),
testCase(HTTPClientTests.allTests),
testCase(RequestValidationTests.allTests),
])
#endif