Envoy too strict about transfer-encoding & content-length?

[argos83]

Title: Envoy too strict about transfer-encoding & content-length
Description:

Envoy version: v1.11.2

A service in one of our clusters sometimes returns invalid http1.1. responses that contain both a transfer-encoding: chunked and content-length headers (the content-length is not even 0) which is clearly wrong. Envoy then rejects the response, increments the envoy.cluster.upstream_cx_protocol_error counter and returns a 503.

However, looking at the RFC-2616 section-4.4, it reads:

...If a message is received with both a Transfer-Encoding header field and a Content-Length header field, the latter MUST be ignored.

It seems that this should not be a protocol error, maybe Envoy should ignore the content-length (maybe even strip it out), and forward the response to the downstream.

Thoughts?

[htuch]

@alyssawilk do you have thoughts on this one?

[alyssawilk]

Right before the snipped you pasted is "The Content-Length header field MUST NOT be sent if these two lengths are different (i.e., if a Transfer-Encoding header field is present). " So as I read things, your downstream is doing something illegal and Envoy is not following the spec about how such illegal traffic should be handled. Sound right?

Unfortunately this is not something we can fix until we've replaced http_parser. http_parser is the entity rejecting the request* and as it's functionally abandonware, I don't think we can make that change in their code base

It's possible after we switch after http_parser (#5155) we can work on this, but I will note it's a super dangerous change as it opens up a wealth of http smuggling attacks (e.g. right now, Envoy implicitly trusts content length over transfer-encoding, so if we made that change to http_parser without fixing in-Envoy behavior we'd have different wrong behavior and a nasty attack vector!) and is super high risk. So for the record if anyone picks this up once we're off http_parser, I'd suggest defaulting this off and proceeding with extreme caution.

https://github.com/nodejs/http-parser/blob/master/http_parser.c#L1772

[argos83]

So as I read things, your downstream is doing something illegal and Envoy is not following the spec about how such illegal traffic should be handled. Sound right?

Correct, I understand the spec suggests Postel's law: Be conservative in what you send, be liberal in what you accept.

Great point on the http smuggling attacks @alyssawilk! Sounds like the safest way to avoid problems with two parties interpreting the length of requests differently is the current behavior of rejecting these contradicting requests altogether. Or if this does get fixed, I think ignoring the content-length header won't be enough, envoy would probably need to strip it away.

[PiotrSikora]

RFC7230, sec. 3.3.3 is a bit more strict than the deprecated RFC2616 that you quoted:

  If a message is received with both a Transfer-Encoding and a
  Content-Length header field, the Transfer-Encoding overrides the
  Content-Length.  Such a message might indicate an attempt to
  perform request smuggling (Section 9.5) or response splitting
  (Section 9.4) and ought to be handled as an error.  A sender MUST
  remove the received Content-Length field prior to forwarding such
  a message downstream.

[argos83]

@PiotrSikora thanks for pointing to the updated spec. TBH I also find that definition a bit confusing.

• "...the Transfer-Encoding overrides the Content-Length..." reads to me like 'ignore the Content-Length header and proceed interpreting the body length according to the transfer-encoding header'
• "...ought to be handled as an error..", this sounds like a recommendation, not a MUST. And it's not clear but it seems this recommendation is intended for the end receiver of the message, not a proxy.
• "A sender MUST remove the received Content-Length field prior to forwarding such a message downstream", this seems to be intended for a proxy.

Thoughts?

[PiotrSikora]

• "...the Transfer-Encoding overrides the Content-Length..." reads to me like 'ignore the Content-Length header and proceed interpreting the body length according to the transfer-encoding header'
• "...ought to be handled as an error..", this sounds like a recommendation, not a MUST. And it's not clear but it seems this recommendation is intended for the end receiver of the message, not a proxy.

Those two are intended for all recipients (i.e. including proxies). Other than that, your interpretation sounds correct. Yes, the text is not normative, and it's a recommendation, not a MUST, but I don't see a reason why Envoy shouldn't be following that recommendation ("I have a broken client" is not a valid reason).

• "A sender MUST remove the received Content-Length field prior to forwarding such a message downstream", this seems to be intended for a proxy.

That's for proxies that don't follow the aforementioned recommendation and simply ignore the Content-Length header.

[argos83]

Thanks @PiotrSikora, it makes total sense. Feel free to close this one.

[PiotrSikora]

I have no powers here, so I'll defer this to @alyssawilk.