Limit the length of content codec list that can be processed automatically

ok2c · ok2c · commit 77fa61aae9fe · 2025-12-16T20:59:43.000+01:00
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/ContentCodingSupport.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/ContentCodingSupport.java
@@ -28,12 +28,14 @@
 package org.apache.hc.client5.http.impl;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.List;
 import java.util.Locale;
 
 import org.apache.hc.core5.annotation.Internal;
 import org.apache.hc.core5.http.EntityDetails;
+import org.apache.hc.core5.http.ProtocolException;
 import org.apache.hc.core5.http.message.MessageSupport;
 import org.apache.hc.core5.http.message.ParserCursor;
 
@@ -43,6 +45,8 @@
 @Internal
 public final class ContentCodingSupport {
 
+    public static final int MAX_CODEC_LIST_LEN = 5;
+
     private ContentCodingSupport() {
     }
 
@@ -62,4 +66,10 @@ public static List<String> parseContentCodecs(final EntityDetails entityDetails)
         return codecs;
     }
 
+    public static void validate(final Collection<String> codecList, final int maxCodecListLen) throws ProtocolException {
+        if (maxCodecListLen > 0 && codecList.size() > maxCodecListLen) {
+            throw new ProtocolException("Codec list exceeds maximum of " + maxCodecListLen + " elements");
+        }
+    }
+
 }
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/ContentCompressionAsyncExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/ContentCompressionAsyncExec.java
@@ -67,23 +67,29 @@ public final class ContentCompressionAsyncExec implements AsyncExecChainHandler
 
     private final Lookup<UnaryOperator<AsyncDataConsumer>> decoders;
     private final List<String> acceptTokens;
+    private final int maxCodecListLen;
 
     public ContentCompressionAsyncExec(
             final LinkedHashMap<String, UnaryOperator<AsyncDataConsumer>> decoderMap,
-            final boolean ignoreUnknown) {
-
+            final int maxCodecListLen) {
         Args.notEmpty(decoderMap, "Decoder map");
 
         final RegistryBuilder<UnaryOperator<AsyncDataConsumer>> rb = RegistryBuilder.create();
         decoderMap.forEach(rb::register);
         this.decoders = rb.build();
         this.acceptTokens = new ArrayList<>(decoderMap.keySet());
+        this.maxCodecListLen = maxCodecListLen;
+    }
+
+    public ContentCompressionAsyncExec(
+            final LinkedHashMap<String, UnaryOperator<AsyncDataConsumer>> decoderMap) {
+        this(decoderMap, ContentCodingSupport.MAX_CODEC_LIST_LEN);
     }
 
     /**
      * Default: DEFLATE + GZIP (plus <code>x-gzip</code> alias).
      */
-    public ContentCompressionAsyncExec() {
+    public ContentCompressionAsyncExec(final int maxCodecListLen) {
         final LinkedHashMap<String, UnaryOperator<AsyncDataConsumer>> map = new LinkedHashMap<>();
         map.put(ContentCoding.DEFLATE.token(), d -> new InflatingAsyncDataConsumer(d, null));
         map.put(ContentCoding.GZIP.token(), InflatingGzipDataConsumer::new);
@@ -109,8 +115,12 @@ public ContentCompressionAsyncExec() {
 
         this.decoders = rb.build();
         this.acceptTokens = tokens;
+        this.maxCodecListLen = maxCodecListLen;
     }
 
+    public ContentCompressionAsyncExec() {
+        this(ContentCodingSupport.MAX_CODEC_LIST_LEN);
+    }
 
     @Override
     public void execute(
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
@@ -1100,7 +1100,7 @@ public CloseableHttpAsyncClient build() {
         if (!contentCompressionDisabled) {
             if (contentDecoderMap != null && !contentDecoderMap.isEmpty()) {
                 execChainDefinition.addFirst(
-                        new ContentCompressionAsyncExec(contentDecoderMap, true),
+                        new ContentCompressionAsyncExec(contentDecoderMap),
                         ChainElement.COMPRESS.name());
             } else {
                 execChainDefinition.addFirst(
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ContentCompressionExec.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/classic/ContentCompressionExec.java
@@ -72,16 +72,25 @@ public final class ContentCompressionExec implements ExecChainHandler {
 
     private final Header acceptEncoding;
     private final Lookup<UnaryOperator<HttpEntity>> decoderRegistry;
+    private final int maxCodecListLen;
 
     public ContentCompressionExec(
             final List<String> acceptEncoding,
-            final Lookup<UnaryOperator<HttpEntity>> decoderRegistry) {
+            final Lookup<UnaryOperator<HttpEntity>> decoderRegistry,
+            final int maxCodecListLen) {
         this.acceptEncoding = MessageSupport.headerOfTokens(HttpHeaders.ACCEPT_ENCODING,
                 Args.notEmpty(acceptEncoding, "Encoding list"));
         this.decoderRegistry = Args.notNull(decoderRegistry, "Decoder register");
+        this.maxCodecListLen = maxCodecListLen;
     }
 
-    public ContentCompressionExec() {
+    public ContentCompressionExec(
+            final List<String> acceptEncoding,
+            final Lookup<UnaryOperator<HttpEntity>> decoderRegistry) {
+        this(acceptEncoding, decoderRegistry, ContentCodingSupport.MAX_CODEC_LIST_LEN);
+    }
+
+    public ContentCompressionExec(final int maxCodecListLen) {
         final Map<ContentCoding, UnaryOperator<HttpEntity>> decoderMap = new EnumMap<>(ContentCoding.class);
         for (final ContentCoding c : ContentCoding.values()) {
             final UnaryOperator<HttpEntity> d = ContentCodecRegistry.decoder(c);
@@ -103,6 +112,11 @@ public ContentCompressionExec() {
         }
         this.acceptEncoding = MessageSupport.headerOfTokens(HttpHeaders.ACCEPT_ENCODING, acceptList);
         this.decoderRegistry = builder.build();
+        this.maxCodecListLen = maxCodecListLen;
+    }
+
+    public ContentCompressionExec() {
+        this(ContentCodingSupport.MAX_CODEC_LIST_LEN);
     }
 
     @Override
@@ -128,6 +142,7 @@ public ClassicHttpResponse execute(
         // check for zero length entity.
         if (requestConfig.isContentCompressionEnabled() && entity != null && entity.getContentLength() != 0) {
             final List<String> codecs = ContentCodingSupport.parseContentCodecs(entity);
+            ContentCodingSupport.validate(codecs, maxCodecListLen);
             if (!codecs.isEmpty()) {
                 for (int i = codecs.size() - 1; i >= 0; i--) {
                     final String codec = codecs.get(i);
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/InflatingAsyncEntityConsumerTest.java b/httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/InflatingAsyncEntityConsumerTest.java
@@ -204,7 +204,7 @@ public Set<String> getTrailerNames() {
     void unknownEncodingMapFlag() throws Exception {
         final LinkedHashMap<String, UnaryOperator<AsyncDataConsumer>> map = new LinkedHashMap<>();
         map.put("deflate", d -> new InflatingAsyncDataConsumer(d, null));
-        final ContentCompressionAsyncExec exec = new ContentCompressionAsyncExec(map, false);
+        final ContentCompressionAsyncExec exec = new ContentCompressionAsyncExec(map);
         assertNotNull(exec);
     }
 }
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/InflatingBrotliDataConsumerTest.java b/httpclient5/src/test/java/org/apache/hc/client5/http/async/methods/InflatingBrotliDataConsumerTest.java
@@ -195,7 +195,7 @@ public Set<String> getTrailerNames() {
     void registerInExec() {
         final LinkedHashMap<String, UnaryOperator<AsyncDataConsumer>> map = new LinkedHashMap<>();
         map.put("br", InflatingBrotliDataConsumer::new);
-        final ContentCompressionAsyncExec exec = new ContentCompressionAsyncExec(map, false);
+        final ContentCompressionAsyncExec exec = new ContentCompressionAsyncExec(map);
         assertNotNull(exec);
     }
 }
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/async/TestContentCompressionAsyncExec.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/async/TestContentCompressionAsyncExec.java
@@ -163,7 +163,7 @@ public AsyncDataConsumer apply(final AsyncDataConsumer d) {
                 return new InflatingAsyncDataConsumer(d, null);
             }
         });
-        impl = new ContentCompressionAsyncExec(map, /*ignoreUnknown*/ false);
+        impl = new ContentCompressionAsyncExec(map);
 
         final HttpRequest request = new BasicHttpRequest(Method.GET, "/");
         final AsyncExecCallback cb = executeAndCapture(request);
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/impl/classic/TestContentCompressionExec.java b/httpclient5/src/test/java/org/apache/hc/client5/http/impl/classic/TestContentCompressionExec.java
@@ -40,6 +40,7 @@
 import org.apache.hc.core5.http.HttpException;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.Method;
+import org.apache.hc.core5.http.ProtocolException;
 import org.apache.hc.core5.http.io.entity.StringEntity;
 import org.apache.hc.core5.http.message.BasicClassicHttpRequest;
 import org.apache.hc.core5.http.message.BasicClassicHttpResponse;
@@ -236,4 +237,34 @@ void testContentEncodingRequestParameter() throws Exception {
         Assertions.assertFalse(entity instanceof GzipDecompressingEntity);
     }
 
+    @Test
+    void testContentEncodingExceedsCodecListLenMax() throws Exception {
+        impl = new ContentCompressionExec(5);
+
+        final ClassicHttpRequest request = new BasicClassicHttpRequest(Method.GET, host, "/");
+        final ClassicHttpResponse response1 = new BasicClassicHttpResponse(200, "OK");
+        final HttpEntity original1 = EntityBuilder.create()
+                .setText("encoded stuff")
+                .setContentEncoding("gzip,gzip,gzip,gzip,gzip")
+                .build();
+        response1.setEntity(original1);
+
+        Mockito.when(execChain.proceed(request, scope)).thenReturn(response1);
+
+        final HttpEntity entity = response1.getEntity();
+        Assertions.assertNotNull(entity);
+
+        final ClassicHttpResponse response2 = new BasicClassicHttpResponse(200, "OK");
+        final HttpEntity original2 = EntityBuilder.create()
+                .setText("encoded stuff")
+                .setContentEncoding("gzip,gzip,gzip,gzip,gzip,gzip")
+                .build();
+        response2.setEntity(original2);
+
+        Mockito.when(execChain.proceed(request, scope)).thenReturn(response2);
+
+        final ProtocolException exception = Assertions.assertThrows(ProtocolException.class, () -> impl.execute(request, scope, execChain));
+        Assertions.assertEquals("Codec list exceeds maximum of 5 elements", exception.getMessage());
+    }
+
 }

Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,7 @@ public Set<String> getTrailerNames() {`
`204`	`204`	`void unknownEncodingMapFlag() throws Exception {`
`205`	`205`	`final LinkedHashMap<String, UnaryOperator<AsyncDataConsumer>> map = new LinkedHashMap<>();`
`206`	`206`	`map.put("deflate", d -> new InflatingAsyncDataConsumer(d, null));`
`207`		`- final ContentCompressionAsyncExec exec = new ContentCompressionAsyncExec(map, false);`
	`207`	`+ final ContentCompressionAsyncExec exec = new ContentCompressionAsyncExec(map);`
`208`	`208`	`assertNotNull(exec);`
`209`	`209`	`}`
`210`	`210`	`}`
Original file line number	Diff line number	Diff line change
`@@ -195,7 +195,7 @@ public Set<String> getTrailerNames() {`
`195`	`195`	`void registerInExec() {`
`196`	`196`	`final LinkedHashMap<String, UnaryOperator<AsyncDataConsumer>> map = new LinkedHashMap<>();`
`197`	`197`	`map.put("br", InflatingBrotliDataConsumer::new);`
`198`		`- final ContentCompressionAsyncExec exec = new ContentCompressionAsyncExec(map, false);`
	`198`	`+ final ContentCompressionAsyncExec exec = new ContentCompressionAsyncExec(map);`
`199`	`199`	`assertNotNull(exec);`
`200`	`200`	`}`
`201`	`201`	`}`
Original file line number	Diff line number	Diff line change
`@@ -163,7 +163,7 @@ public AsyncDataConsumer apply(final AsyncDataConsumer d) {`
`163`	`163`	`return new InflatingAsyncDataConsumer(d, null);`
`164`	`164`	`}`
`165`	`165`	`});`
`166`		`- impl = new ContentCompressionAsyncExec(map, /ignoreUnknown/ false);`
	`166`	`+ impl = new ContentCompressionAsyncExec(map);`
`167`	`167`
`168`	`168`	`final HttpRequest request = new BasicHttpRequest(Method.GET, "/");`
`169`	`169`	`final AsyncExecCallback cb = executeAndCapture(request);`