Skip to content

fix(sandbox): prevent overread request smuggling in L7 REST parser#342

Closed
drew wants to merge 1 commit intoNVIDIA:mainfrom
vincentkoc:codex/fix-l7-rest-parser-request-smuggling
Closed

fix(sandbox): prevent overread request smuggling in L7 REST parser#342
drew wants to merge 1 commit intoNVIDIA:mainfrom
vincentkoc:codex/fix-l7-rest-parser-request-smuggling

Conversation

@drew
Copy link
Collaborator

@drew drew commented Mar 16, 2026

Motivation

  • The HTTP/1.1 parser could return a raw_header that included bytes read past the header terminator (\r\n\r\n), and the relay path forwarded those overflow bytes upstream before additional L7 parsing, enabling request smuggling/pipelining to bypass per-request policy checks.

Description

  • Change parse_http_request to read one byte at a time (read_u8) and stop exactly when the buffer ends_with(b"\r\n\r\n"), ensuring raw_header contains only the current request header block.
  • Remove the previous multi-byte temporary buffer read path and the behavior that returned overflow bytes inside raw_header.
  • Adjust header-end detection to use ends_with and retain the existing parse_body_length framing logic.
  • Add a regression test parse_http_request_does_not_overread_next_request that writes two requests in one write and verifies they are parsed as two separate requests with no overflow included in the first raw_header.

Testing

  • Added unit/regression test: parse_http_request_does_not_overread_next_request (async tokio::test) to verify the parser does not consume bytes belonging to a subsequent pipelined request; the test was added to crates/openshell-sandbox/src/l7/rest.rs.
  • Attempted mise run pre-commit in the environment, but it could not complete due to remote tooling/version resolution failures in this sandbox.
  • Attempted cargo test for the crate but could not run because cargo is not available in the execution environment, so the new test was not executed here.

Codex Task

@drew drew added integration:aardvark Aardvark integration integration:codex Codex integration labels Mar 16, 2026
@github-actions
Copy link

github-actions bot commented Mar 16, 2026

Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:

I have read the DCO document and I hereby sign the DCO.

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

@johntmyers
Copy link
Collaborator

johntmyers commented Mar 16, 2026

Closing in favor of a clean re-implementation. The underlying vulnerability is valid and will be tracked via a dedicated issue.

@johntmyers johntmyers closed this Mar 16, 2026
This was referenced Mar 16, 2026
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

integration:aardvark Aardvark integration integration:codex Codex integration

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@drew @johntmyers @vincentkoc