Add option to HttpObjectDecoder to allow duplicate Content-Lengths

[Bennett-Lynch]

Motivation

Since #9865 (Netty 4.1.44) the default behavior of the HttpObjectDecoder has been to reject any HTTP message that is found to have multiple Content-Length headers when decoding. This behavior is well-justified as per the risks outlined in #9861, however, we can see from the cited RFC section that there are multiple possible options offered for responding to this scenario:

If a message is received that has multiple Content-Length header
fields with field-values consisting of the same decimal value, or a
single Content-Length header field with a field value containing a
list of identical decimal values (e.g., "Content-Length: 42, 42"),
indicating that duplicate Content-Length header fields have been
generated or combined by an upstream message processor, then the
recipient MUST either reject the message as invalid or replace the
duplicated field-values with a single valid Content-Length field
containing that decimal value prior to determining the message body
length or forwarding the message.

https://tools.ietf.org/html/rfc7230#section-3.3.2

Netty opted for the first option (rejecting as invalid), which seems like the safest, but the second option (replacing duplicate values with a single value) is also valid behavior.

Modifications

• Introduce allowDuplicateContentLengths parameter to HttpObjectDecoder (defaulting to false).
• When set to true, will allow multiple Content-Length headers only if they are all the same value. The duplicated field-values will be replaced with a single valid Content-Length field.
• Add new parameterized test class for testing different variations of multiple Content-Length headers.

Result

This is a backwards-compatible change with no functional change to the existing behavior.

Note that the existing logic would result in NumberFormatExceptions for header values like "Content-Length: 42, 42". The new logic correctly reports these as IllegalArgumentException with the proper error message.

Additionally note that this behavior is only applied to HTTP/1.1, but I suspect that we may want to expand that to include HTTP/1.0 as well... That behavior is not modified here to minimize the scope of this change.

[netty-bot]

Can one of the admins verify this patch?

[Bennett-Lynch]

/cc @normanmaurer @NiteshKant

[Bennett-Lynch]

Note that I wanted to document the new parameter but I couldn't quite find a place where it belonged. None of the existing constructors have Javadoc explaining what they do. Could perhaps add it to the class-level Javadoc for HttpObjectDecoder?

[netty-bot]

Can one of the admins verify this patch?

[netty-bot]

Can one of the admins verify this patch?

[netty-bot]

Can one of the admins verify this patch?

[normanmaurer]

@netty-bot test this please

[Bennett-Lynch]

Made tests a bit more meaningful by also asserting on the interpreted body.

[normanmaurer]

@Bennett-Lynch thanks a lot... I will have a look later today.

[slandelle]

Is there really a use case for this? Aren't we going to introduce code that will never be activated?

[LuminousLoreBloom]

.

[Bennett-Lynch]

Is there really a use case for this? Aren't we going to introduce code that will never be activated?

I'm of the (admittedly biased) opinion that it is valuable, but I'm not sure of others' usage.

[slandelle]

@Bennett-Lynch Could you please elaborate? How would such a feature help you? The PR message is only about a chapter as an RFC that's too vague and can be interpreted in different ways, where one of the possible interpretations could be "this doesn't make sense, the RFC should be fixed with an errata".
Even if the RFC is unclear, is there a consensus on the user-agents side? What do modern browsers, or curl do?

[Bennett-Lynch]

@slandelle Sure, I will try to elaborate a little.

Imagine a scenario of serving HTTP traffic to a wide array of clients, clients with configuration outside of a server's direct control. E.g., pretend you're Google.com and you have millions of different user-agents sending you requests every day, but you don't own all of the clients or browsers that they use to communicate with.

Some of these more peculiar or out-dated clients might do unfortunate things, like adding duplicate Content-Length headers. Or maybe an HTTP proxy somewhere in the middle decides to process the message and add another Content-Length header. While this seems like less-than-ideal behavior, it does happen in the wild, and it happens outside of your control.

You, as Google.com, can choose to either allow or reject the requests. Maybe there is an argument to reject the requests for security or standardization reasons, and maybe there is an argument to allow the requests so that you can serve and not break your visitors to keep them happy. What's more important is that you are given the opportunity to decide.

The primary concern in allowing multiple Content-Length headers is when multiple servers will process the request and interpret the body size to be different. You can read about this in great detail here. The first example used is a malicious request with two different Content-Lengths:

POST / HTTP/1.1
Host: example.com
Content-Length: 6
Content-Length: 5

That security risk is what #9865 was specifically trying to address. However, the risk only applies when you have multiple different possible interpretations of the body size. Whenever you see a message like this, you should immediately drop it on the floor, because you do not know if an upstream or downstream component will agree with your interpretation of the body size.

However, if you are given a request like:

POST / HTTP/1.1
Host: example.com
Content-Length: 5
Content-Length: 5

There is less risk (or perhaps no risk) of inconsistent interpretation. Whether a parser chooses the first or last Content-Length will not make a difference. It seems unfortunate that the request had duplicate Content-Lengths in it, but there's nothing necessarily malformed or malicious about it. That is presumably why RFC 7230 offers the option of accepting but deduplicating the Content-Lengths in these types of requests, because they are inherently low-risk.

So this PR simply aims to make the second option a possibility, if you want to explicitly opt into it. Netty will still default for what it thinks is the safest and sanest option, but if you are Google.com and want to not break your visitors for these types of requests, you are given that option. And since Netty is designed to be a low-level library, I think it makes sense to expose these options to users where appropriate.

[idelpivnitskiy]

IIUC the content should be just a, not ab. Same for testDanglingComma

[Bennett-Lynch]

The reason I chose ab is that we provide two content-lengths: 1 and 2. I wanted the potential body size to be the max of the possible content-lengths (2) so that we can assert the interpreted body is 1 and we gain more confidence in knowing that the decoder explicitly stopped parsing after 1.

From an assertion perspective, perhaps it's somewhat redundant to assert on the body content being a after asserting the body size is 1, but I think it makes it more intuitive and could maybe catch some more egregious regressions.

[idelpivnitskiy]

Should we verify that there is no more bytes in the channel after we read the content? Or that a new requests starts after the first one.

[Bennett-Lynch]

We do expect there to be 1 "leftover" byte in the ByteToMessageDecoder#cumulation buffer. I'm not sure if it offers any value in explicitly asserting that if we are already asserting on the interpreted body size. If you think it adds value I can add more tests.

[NiteshKant]

One comment but LGTM

[NiteshKant]

It may be useful to add the mismatched values to the error message;

"Multiple Content-Length values found: " + trimmed + " and " + firstValue

[Bennett-Lynch]

I like this idea but I'm not sure if there's a precedent for reporting request data in exceptions. This may cause some applications to inadvertently log data that users may consider to be sensitive.

[NiteshKant]

Since the data here is content-length, I think the sensitive data risk is pretty low if not impossible, but I would defer to @normanmaurer for it.

[normanmaurer]

Yeah I think it should be fine

[Bennett-Lynch]

Mostly agree on content-length hopefully being less sensitive. I will bias towards including it for now.

[Bennett-Lynch]

@idelpivnitskiy @NiteshKant Thanks for the feedback. Added Javadoc for new parameter and changed IllegalArgumentException to include the list of values in the message (leveraging List#toString() for the exception message).

[normanmaurer]

@netty-bot test this please

[normanmaurer]

@Bennett-Lynch should we also expose this via HttpServerCodec and HttpClientCodec ?

[Bennett-Lynch]

@normanmaurer Yes. Good catch, thanks. Will add.

[Bennett-Lynch]

Added constructors to HttpServerCodec and HttpClientCodec.

Since this new parameter was added to the end (of the telescoping constructor chain), users will have to specify parameters like initialBufferSize to use it. To support this, I have also created public constants for the default values of the other parameters, so that users may effectively delegate to the default values.

These constructors are becoming a little unwieldy and I think it would be worthwhile to follow-up with a builder pattern as well.

[normanmaurer]

@netty-bot test this please

[normanmaurer]

@Bennett-Lynch thanks a lot