parse http requests with invalid header

BonnyAD9 · BonnyAD9 · commit e561fa7b65f5 · 2023-03-27T16:56:27.000+02:00
diff --git a/process/http.cpp b/process/http.cpp
@@ -180,7 +180,7 @@ void copy_str(char *dst, ssize_t size, const char *begin, const char *end)
    }
 
    memcpy(dst, begin, len);
-   
+
    if (len >= 1 && dst[len - 1] == '\n') {
       len--;
    }
@@ -201,7 +201,11 @@ bool HTTPPlugin::is_request(const char *data, int payload_len)
    }
    memcpy(chars, data, 4);
    chars[4] = 0;
-   return valid_http_method(chars);
+
+   // 'valid_http_method' can quicky confirm valid http methods.
+   // 'invalid_http_method' is slower but can check if it is http request even
+   // if the method is invalid.
+   return valid_http_method(chars) || invalid_http_method(data, payload_len);
 }
 
 bool HTTPPlugin::is_response(const char *data, int payload_len)
@@ -521,6 +525,42 @@ bool HTTPPlugin::valid_http_method(const char *method) const
            !strcmp(method, "PATC"));
 }
 
+/**
+ * @brief Check if the payload is http request even with invalid method.
+ *
+ * @param [in] payload Packet payload data.
+ * @param payload_len Length packet payload.
+ * @return True if the packet is http request.
+ */
+bool HTTPPlugin::invalid_http_method(const char *data, int payload_len) const
+{
+   // METHOD URI HTTP/VERSION
+   // |     |   |
+   // |     |   +---- uri_end
+   // |     +---- method_end
+   // +---- data
+
+   // check if there is space in the first HTTP_MAX_METHOD_LENGTH chars
+   int len = std::min(payload_len, HTTP_MAX_METHOD_LENGTH);
+   auto method_end = static_cast<const char *>(memchr(data, ' ', len));
+   if (method_end == nullptr)
+      return false;
+
+   payload_len -= method_end - data - 1;
+   if (payload_len <= 0)
+      return false;
+
+   auto uri_end = static_cast<const char *>(memchr(method_end + 1, ' ', payload_len));
+   if (method_end == nullptr)
+      return false;
+
+   payload_len -= uri_end - method_end;
+   if (payload_len <= 4)
+      return false;
+
+   return memcmp(uri_end + 1, "HTTP", 4) == 0;
+}
+
 /**
  * \brief Add new extension http request header into flow record.
  * \param [in] data Packet payload data.
diff --git a/process/http.hpp b/process/http.hpp
@@ -65,6 +65,9 @@ namespace ipxp {
 
 #define HTTP_UNIREC_TEMPLATE  "HTTP_REQUEST_METHOD,HTTP_REQUEST_HOST,HTTP_REQUEST_URL,HTTP_REQUEST_AGENT,HTTP_REQUEST_REFERER,HTTP_RESPONSE_STATUS_CODE,HTTP_RESPONSE_CONTENT_TYPE"
 
+// maximum supported length for http method (includes the null terminating char)
+#define HTTP_MAX_METHOD_LENGTH 16
+
 UR_FIELDS (
    string HTTP_REQUEST_METHOD,
    string HTTP_REQUEST_HOST,
@@ -87,7 +90,7 @@ struct RecordExtHTTP : public RecordExt {
    bool req;
    bool resp;
 
-   char method[10];
+   char method[HTTP_MAX_METHOD_LENGTH];
    char host[64];
    char uri[128];
    char user_agent[128];
@@ -228,6 +231,7 @@ class HTTPPlugin : public ProcessPlugin
    void add_ext_http_request(const char *data, int payload_len, Flow &flow);
    void add_ext_http_response(const char *data, int payload_len, Flow &flow);
    bool valid_http_method(const char *method) const;
+   bool invalid_http_method(const char *payload, int payload_len) const;
 
    RecordExtHTTP *recPrealloc;/**< Preallocated extension. */
    bool flow_flush;           /**< Tell storage plugin to flush current Flow. */
