Unify header validation across all codecs (H1, H2 and H3)

[yanavlasov]

Presently H1 and H2 codecs use header validation which is a mix of the codec specific and some checks from nghttp2 library on top of it. This leads to inconsistencies in header validation across codecs and makes header validation hard to audit.

For more information see design specifications.

This change will include:

1. Adding header validation according to the HTTP spec.
2. Converting codecs to use unified header validation facility. This will only be applied for Balsa and oghttp2 codecs.

Deployment plan:

1. Add opt-in for universal header validation for Balsa and oghttp2 in compatibility mode (fully compatible with the http-parser and nghttp2)
2. After bake-in interval (i.e. one full release cycle) change the feature to opt-out
3. Turn-off compatibility features to bring HTTP validation to RFC compliance one by one.

[mattklein123]

cc @danzh2010 for HTTP/3

[danzh2010]

QUICHE has its header validation done before handing it to codec. Is it suppose to be following the standard? If so QUICHE should already does so.

[mattklein123]

@danzh2010 the main thing we have to figure out here is how to share the various checks between all 3 codecs (QUICHE being one). Right now we have consistency issues just between 2, so when we add HTTP/3 the problem is even bigger. Specifically, we will have to implement header underscore ignore/drop in HTTP/3 to match HTTP/1 and HTTP/2 so this will be a forcing function to figure this out.

[danzh2010]

We can add extra validation steps after QUICHE delivers request header to codec, so it's something doable. But might not worth to check what the standard requires for a 2nd time.

[danzh2010]

Specifically, we will have to implement header underscore ignore/drop in HTTP/3 to match HTTP/1 and HTTP/2 so this will be a forcing function to figure this out.

As to underscore in header field, why wasn't it an http filter instead?

[mattklein123]

As to underscore in header field, why wasn't it an http filter instead?

I think mostly for efficiency reasons as this is a potential attack vector, though I suppose in hindsight we could have done this at the HCM layer during decode headers. @yanavlasov @alyssawilk any thoughts here? We can change this later without any config implications though we would probably want to move the stats around.

[alyssawilk]

I think it was added as a commonly needed security fix - I think at some point we could refactor much of the HCM transformation into a shared filter, but in general most security work (making sure there's no smuggling, making sure there's no weird characters) go directly in the base classes. Moving one out would be weird, and moving them all out would be dangerous :-P

[danzh2010]

What is the security concern for underscore in headers?

[mattklein123]

What is the security concern for underscore in headers?

Some applications treat _ and - as interchangeable (holdover from CGI days) and this opens up a fairly trivial security bypass vector in some cases. NGINX ignores headers with _ in them by default for this reason.

but in general most security work (making sure there's no smuggling, making sure there's no weird characters) go directly in the base classes.

+1, I don't think this stuff belongs in a filter, but I feel quite strongly that it belongs in common code, probably in the HCM in decodeHeaders. We need to make sure all of our HTTP level checks are done consistently across all codecs, and optimally not done twice (as nghttp2 does a bunch of them by default).