Prevent chunk extension request smuggling

Improve fuzzers to make sure our handling of http requests and responses
is the same as net/http.

Author: erikdubbelboer

fuzz_test.go

@@ -6,6 +6,8 @@ import (
 	"encoding/base64"
 	"encoding/binary"
 	"fmt"
+	"io"
+	"net/http"
 	"net/textproto"
 	"net/url"
 	"reflect"
@@ -67,10 +69,22 @@ func FuzzResponseReadLimitBody(f *testing.F) {
 			return
 		}
 
-		res := AcquireResponse()
-		defer ReleaseResponse(res)
+		t.Logf("%q %d", body, maxBodySize)
 
-		_ = res.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), maxBodySize)
+		var res Response
+		fastErr := res.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), maxBodySize)
+		fastBody := res.Body()
+
+		netBody, netErr := readResponseBodyNetHTTPLimit(body, maxBodySize)
+		if fastErr != nil {
+			return
+		}
+		if netErr != nil {
+			t.Fatalf("fasthttp:\n%s; net/http err=%v", res.String(), netErr)
+		}
+		if !bytes.Equal(fastBody, netBody) {
+			t.Fatalf("body mismatch: fasthttp=%q net/http=%q", fastBody, netBody)
+		}
 	})
 }
 
@@ -86,13 +100,66 @@ func FuzzRequestReadLimitBody(f *testing.F) {
 			return
 		}
 
-		req := AcquireRequest()
-		defer ReleaseRequest(req)
+		t.Logf("%q %d", body, maxBodySize)
+
+		var req Request
+		fastErr := req.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), maxBodySize)
+		fastBody := req.Body()
 
-		_ = req.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), maxBodySize)
+		netBody, netErr := readRequestBodyNetHTTPLimit(body, maxBodySize)
+		if fastErr != nil {
+			return
+		}
+		if netErr != nil {
+			if strings.Contains(netErr.Error(), "invalid URI for request") {
+				return
+			}
+			t.Fatalf("fasthttp:\n%s; net/http err=%v", req.String(), netErr)
+		}
+		if !bytes.Equal(fastBody, netBody) {
+			t.Fatalf("body mismatch: fasthttp=%q net/http=%q", fastBody, netBody)
+		}
 	})
 }
 
+func readResponseBodyNetHTTPLimit(raw []byte, maxBodySize int) ([]byte, error) {
+	br := bufio.NewReader(bytes.NewReader(raw))
+	resp, err := http.ReadResponse(br, nil)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	return readBodyWithLimit(resp.Body, maxBodySize)
+}
+
+func readRequestBodyNetHTTPLimit(raw []byte, maxBodySize int) ([]byte, error) {
+	br := bufio.NewReader(bytes.NewReader(raw))
+	req, err := http.ReadRequest(br)
+	if err != nil {
+		return nil, err
+	}
+	defer req.Body.Close()
+
+	return readBodyWithLimit(req.Body, maxBodySize)
+}
+
+func readBodyWithLimit(r io.Reader, maxBodySize int) ([]byte, error) {
+	if maxBodySize <= 0 {
+		return io.ReadAll(r)
+	}
+
+	limit := int64(maxBodySize) + 1
+	body, err := io.ReadAll(io.LimitReader(r, limit))
+	if err != nil {
+		return nil, err
+	}
+	if len(body) > maxBodySize {
+		return nil, ErrBodyTooLarge
+	}
+	return body, nil
+}
+
 func FuzzURIUpdateBytes(f *testing.F) {
 	f.Add([]byte(`http://foobar.com/aaa/bb?cc`))
 	f.Add([]byte(`//foobar.com/aaa/bb?cc`))

header.go

@@ -2790,7 +2790,22 @@ func (h *ResponseHeader) parseFirstLine(buf []byte) (int, error) {
 		}
 		return 0, fmt.Errorf("cannot find whitespace in the first line of response %q", buf)
 	}
-	h.noHTTP11 = !bytes.Equal(b[:n], strHTTP11)
+	if n == 0 {
+		if h.secureErrorLogMessage {
+			return 0, fmt.Errorf("unsupported HTTP version %q", b[:n])
+		}
+		return 0, fmt.Errorf("unsupported HTTP version %q in %q", b[:n], buf)
+	}
+	protoStr := b[:n]
+	if len(protoStr) != len(strHTTP11) || !bytes.HasPrefix(protoStr, strHTTP11[:5]) || protoStr[6] != '.' ||
+		protoStr[5] < '0' || protoStr[5] > '9' || protoStr[7] < '0' || protoStr[7] > '9' {
+		if h.secureErrorLogMessage {
+			return 0, fmt.Errorf("unsupported HTTP version %q", protoStr)
+		}
+		return 0, fmt.Errorf("unsupported HTTP version %q in %q", protoStr, buf)
+	}
+	h.noHTTP11 = !bytes.Equal(protoStr, strHTTP11)
+	h.protocol = append(h.protocol[:0], protoStr...)
 	b = b[n+1:]
 
 	// parse status code
@@ -2801,6 +2816,12 @@ func (h *ResponseHeader) parseFirstLine(buf []byte) (int, error) {
 		}
 		return 0, fmt.Errorf("cannot parse response status code: %w. Response %q", err, buf)
 	}
+	if n != 3 {
+		if h.secureErrorLogMessage {
+			return 0, ErrUnexpectedStatusCodeChar
+		}
+		return 0, fmt.Errorf("invalid response status code %q. Response %q", b[:n], buf)
+	}
 	if len(b) > n && b[n] != ' ' {
 		if h.secureErrorLogMessage {
 			return 0, ErrUnexpectedStatusCodeChar
@@ -2894,7 +2915,7 @@ func (h *RequestHeader) parseFirstLine(buf []byte) (int, error) {
 		}
 		return 0, fmt.Errorf("unsupported HTTP version %q in %q", protoStr, buf)
 	}
-	if protoStr[5] < '0' || protoStr[5] > '9' || protoStr[7] < '0' || protoStr[7] > '9' {
+	if protoStr[6] != '.' || protoStr[5] < '0' || protoStr[5] > '9' || protoStr[7] < '0' || protoStr[7] > '9' {
 		if h.secureErrorLogMessage {
 			return 0, fmt.Errorf("unsupported HTTP version %q", protoStr)
 		}

header_test.go

@@ -1115,6 +1115,11 @@ func TestResponseHeaderOldVersion(t *testing.T) {
 		t.Fatalf("expecting 'Connection: close' for the response with old http protocol")
 	}
 
+	// Discard the body of the first response.
+	if n, err := br.Discard(h.ContentLength()); err != nil || n != h.ContentLength() {
+		t.Fatalf("unexpected discard: n=%d, want=%d, err=%v", n, h.ContentLength(), err)
+	}
+
 	if err := h.Read(br); err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
@@ -1452,7 +1457,6 @@ func TestResponseHeaderHTTPVer(t *testing.T) {
 	// non-http/1.1
 	testResponseHeaderHTTPVer(t, "HTTP/1.0 200 OK\r\nContent-Type: aaa\r\nContent-Length: 123\r\n\r\n", true)
 	testResponseHeaderHTTPVer(t, "HTTP/0.9 200 OK\r\nContent-Type: aaa\r\nContent-Length: 123\r\n\r\n", true)
-	testResponseHeaderHTTPVer(t, "foobar 200 OK\r\nContent-Type: aaa\r\nContent-Length: 123\r\n\r\n", true)
 
 	// http/1.1
 	testResponseHeaderHTTPVer(t, "HTTP/1.1 200 OK\r\nContent-Type: aaa\r\nContent-Length: 123\r\n\r\n", false)

http.go

@@ -1238,6 +1238,11 @@ func (req *Request) ReadLimitBody(r *bufio.Reader, maxBodySize int) error {
 		return err
 	}
 
+	// Host header is mandatory in HTTP/1.1 requests.
+	if req.Header.IsHTTP11() && len(req.Header.Host()) == 0 {
+		return errRequestHostRequired
+	}
+
 	return req.readLimitBody(r, maxBodySize, false, true)
 }
 
@@ -1339,7 +1344,10 @@ func (req *Request) ContinueReadBody(r *bufio.Reader, maxBodySize int, preParseM
 
 	if contentLength == -1 {
 		err = req.Header.ReadTrailer(r)
-		if err != nil && err != io.EOF {
+		if err != nil {
+			if err == io.EOF {
+				return ErrBrokenChunk{error: io.ErrUnexpectedEOF}
+			}
 			return err
 		}
 	}
@@ -1477,7 +1485,10 @@ func (resp *Response) ReadLimitBody(r *bufio.Reader, maxBodySize int) error {
 	// A response without a body can't have trailers.
 	if resp.Header.ContentLength() == -1 && !resp.StreamBody && !resp.mustSkipBody() {
 		err = resp.Header.ReadTrailer(r)
-		if err != nil && err != io.EOF {
+		if err != nil {
+			if err == io.EOF {
+				return ErrBrokenChunk{error: io.ErrUnexpectedEOF}
+			}
 			return err
 		}
 	}
@@ -2614,31 +2625,43 @@ func parseChunkSize(r *bufio.Reader) (int, error) {
 	if err != nil {
 		return -1, err
 	}
+	inExt := false
 	for {
 		c, err := r.ReadByte()
 		if err != nil {
 			return -1, ErrBrokenChunk{
 				error: fmt.Errorf("cannot read '\\r' char at the end of chunk size: %w", err),
 			}
 		}
-		// Skip chunk extension after chunk size.
-		// Add support later if anyone needs it.
-		if c != '\r' {
-			// Security: Don't allow newlines in chunk extensions.
-			// This can lead to request smuggling issues with some reverse proxies.
-			if c == '\n' {
+		if c == '\r' {
+			if err := r.UnreadByte(); err != nil {
 				return -1, ErrBrokenChunk{
-					error: errors.New("invalid character '\\n' after chunk size"),
+					error: fmt.Errorf("cannot unread '\\r' char at the end of chunk size: %w", err),
 				}
 			}
+			break
+		}
+		// Security: Don't allow newlines in chunk extensions.
+		// This can lead to request smuggling issues with some reverse proxies.
+		if c == '\n' {
+			return -1, ErrBrokenChunk{
+				error: errors.New("invalid character '\\n' after chunk size"),
+			}
+		}
+		if inExt {
 			continue
 		}
-		if err := r.UnreadByte(); err != nil {
+		switch c {
+		case ' ', '\t':
+			continue
+		case ';':
+			inExt = true
+			continue
+		default:
 			return -1, ErrBrokenChunk{
-				error: fmt.Errorf("cannot unread '\\r' char at the end of chunk size: %w", err),
+				error: fmt.Errorf("invalid character %q after chunk size", c),
 			}
 		}
-		break
 	}
 	err = readCrLf(r)
 	if err != nil {

http_test.go

@@ -21,14 +21,14 @@ import (
 func TestInvalidTrailers(t *testing.T) {
 	t.Parallel()
 
-	if err := (&Response{}).Read(bufio.NewReader(strings.NewReader(" 0\nTransfer-Encoding:\xff\n\n0\r\n0"))); !errors.Is(err, io.EOF) {
-		t.Fatalf("%#v", err)
+	if err := (&Response{}).Read(bufio.NewReader(strings.NewReader("HTTP/1.1 200\r\nTransfer-Encoding:\xff\n\n0\r\n0"))); !errors.Is(err, io.EOF) {
+		t.Errorf("%#v", err)
 	}
-	if err := (&Response{}).Read(bufio.NewReader(strings.NewReader("\xff \nTRaILeR:,\n\n"))); !errors.Is(err, errEmptyInt) {
-		t.Fatal(err)
+	if err := (&Response{}).Read(bufio.NewReader(strings.NewReader("HTTP/1.1 200 OK\r\nTRaILeR:,\r\n\r\n"))); !errors.Is(err, ErrBadTrailer) {
+		t.Error(err)
 	}
-	if err := (&Response{}).Read(bufio.NewReader(strings.NewReader("TRaILeR:,\n\n"))); !strings.Contains(err.Error(), "cannot find whitespace in the first line of response") {
-		t.Fatal(err)
+	if err := (&Response{}).Read(bufio.NewReader(strings.NewReader("TRaILeR:,\r\n\r\n"))); !strings.Contains(err.Error(), "cannot find whitespace in the first line of response") {
+		t.Error(err)
 	}
 }
 
@@ -586,7 +586,7 @@ func TestRequestContentTypeWithCharsetIssue100(t *testing.T) {
 
 	expectedContentType := "application/x-www-form-urlencoded; charset=UTF-8"
 	expectedBody := "0123=56789"
-	s := fmt.Sprintf("POST / HTTP/1.1\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n%s",
+	s := fmt.Sprintf("POST / HTTP/1.1\r\nHost: example.com\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n%s",
 		expectedContentType, len(expectedBody), expectedBody)
 
 	br := bufio.NewReader(bytes.NewBufferString(s))
@@ -1032,7 +1032,7 @@ func TestRequestReadNoBody(t *testing.T) {
 
 	var r Request
 
-	br := bufio.NewReader(bytes.NewBufferString("GET / HTTP/1.1\r\n\r\n"))
+	br := bufio.NewReader(bytes.NewBufferString("GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"))
 	err := r.Read(br)
 	r.SetHost("foobar")
 	if err != nil {
@@ -1200,7 +1200,7 @@ func TestRequestReadGzippedBody(t *testing.T) {
 
 	bodyOriginal := "foo bar baz compress me better!"
 	body := AppendGzipBytes(nil, []byte(bodyOriginal))
-	s := fmt.Sprintf("POST /foobar HTTP/1.1\r\nContent-Type: foo/bar\r\nContent-Encoding: gzip\r\nContent-Length: %d\r\n\r\n%s",
+	s := fmt.Sprintf("POST /foobar HTTP/1.1\r\nHost: example.com\r\nContent-Type: foo/bar\r\nContent-Encoding: gzip\r\nContent-Length: %d\r\n\r\n%s",
 		len(body), body)
 	br := bufio.NewReader(bytes.NewBufferString(s))
 	if err := r.Read(br); err != nil {
@@ -1231,7 +1231,7 @@ func TestRequestReadPostNoBody(t *testing.T) {
 
 	var r Request
 
-	s := "POST /foo/bar HTTP/1.1\r\nContent-Type: aaa/bbb\r\n\r\naaaa"
+	s := "POST /foo/bar HTTP/1.1\r\nHost: example.com\r\nContent-Type: aaa/bbb\r\n\r\naaaa"
 	br := bufio.NewReader(bytes.NewBufferString(s))
 	if err := r.Read(br); err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -1262,7 +1262,7 @@ func TestRequestReadPostNoBody(t *testing.T) {
 func TestRequestContinueReadBody(t *testing.T) {
 	t.Parallel()
 
-	s := "PUT /foo/bar HTTP/1.1\r\nExpect: 100-continue\r\nContent-Length: 5\r\nContent-Type: foo/bar\r\n\r\nabcdef4343"
+	s := "PUT /foo/bar HTTP/1.1\r\nHost: example.org\r\nExpect: 100-continue\r\nContent-Length: 5\r\nContent-Type: foo/bar\r\n\r\nabcdef4343"
 	br := bufio.NewReader(bytes.NewBufferString(s))
 
 	var r Request
@@ -2034,7 +2034,7 @@ func TestResponseReadWithoutBody(t *testing.T) {
 	testResponseReadWithoutBody(t, &resp, "HTTP/1.1 123 AAA\r\nContent-Type: xxx\r\nContent-Length: 3434\r\n\r\n", false,
 		123, 3434, "xxx")
 
-	testResponseReadWithoutBody(t, &resp, "HTTP 200 OK\r\nContent-Type: text/xml\r\nContent-Length: 123\r\n\r\nfoobar\r\n", true,
+	testResponseReadWithoutBody(t, &resp, "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Length: 123\r\n\r\nfoobar\r\n", true,
 		200, 123, "text/xml")
 
 	// '100 Continue' must be skipped.
@@ -3120,6 +3120,12 @@ func TestRequestMultipartFormPipeEmptyFormField(t *testing.T) {
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
 	}
+	if _, err = bw.Write(strCRLF); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if err = bw.Flush(); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
 
 	for e := range errs {
 		t.Fatalf("unexpected error in goroutine multiwriter: %v", e)