More validation of HTTP/1.1 messages. (#321)

Add validation for the following, according to the ABNF defined in RFC-7230.
- header field-names
- header field-values
- request method
- request-path aka URI
- response reason-phrase

Previously, we did an OK job validating incoming messages, but did no validation whatsoever of outgoing messages.

Caveats:
- URI validation is extremely basic for now.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: graebm

include/aws/http/private/strutil.h

@@ -70,10 +70,49 @@ AWS_HTTP_API
 bool aws_strutil_is_http_token(struct aws_byte_cursor token);
 
 /**
- * Same as aws_strutil_is_http_token_valid(), but uppercase letters are forbidden.
+ * Same as aws_strutil_is_http_token(), but uppercase letters are forbidden.
  */
 AWS_HTTP_API
 bool aws_strutil_is_lowercase_http_token(struct aws_byte_cursor token);
 
+/**
+ * Return whether this ASCII/UTF-8 sequence is a valid HTTP header field-value.
+ *
+ * As defined in RFC7230 section 3.2 (except we are ALWAYS forbidding obs-fold):
+ *
+ * field-value    = *( field-content / obs-fold )
+ * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+ * field-vchar    = VCHAR / obs-text
+ * VCHAR          = %x21-7E ; visible (printing) characters
+ * obs-text       = %x80-FF
+ *
+ * Note that we ALWAYS forbid obs-fold. Section 3.2.4 explains how
+ * obs-fold is deprecated "except within the message/http media type".
+ */
+AWS_HTTP_API
+bool aws_strutil_is_http_field_value(struct aws_byte_cursor cursor);
+
+/**
+ * Return whether this ASCII/UTF-8 sequence is a valid HTTP response status reason-phrase.
+ *
+ * As defined in RFC7230 section 3.1.2:
+ *
+ * reason-phrase  = *( HTAB / SP / VCHAR / obs-text )
+ * VCHAR          = %x21-7E ; visible (printing) characters
+ * obs-text       = %x80-FF
+ */
+AWS_HTTP_API
+bool aws_strutil_is_http_reason_phrase(struct aws_byte_cursor cursor);
+
+/**
+ * Return whether this ASCII/UTF-8 sequence is a valid HTTP request-target.
+ *
+ * TODO: Actually check the complete grammar as defined in RFC7230 5.3 and
+ * RFC3986. Currently this just checks whether the sequence is blatantly illegal
+ * (ex: contains CR or LF)
+ */
+AWS_HTTP_API
+bool aws_strutil_is_http_request_target(struct aws_byte_cursor cursor);
+
 AWS_EXTERN_C_END
 #endif /* AWS_HTTP_STRUTIL_H */

source/h1_decoder.c

@@ -426,14 +426,20 @@ static int s_linestate_header(struct aws_h1_decoder *decoder, struct aws_byte_cu
     }
 
     struct aws_byte_cursor name = splits[0];
-    if (name.len == 0 || !aws_strutil_is_http_token(name)) {
+    if (!aws_strutil_is_http_token(name)) {
         AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=%p: Invalid incoming header, bad name.", decoder->logging_id);
         AWS_LOGF_DEBUG(
             AWS_LS_HTTP_STREAM, "id=%p: Bad header is: '" PRInSTR "'", decoder->logging_id, AWS_BYTE_CURSOR_PRI(input));
         return aws_raise_error(AWS_ERROR_HTTP_PROTOCOL_ERROR);
     }
 
     struct aws_byte_cursor value = aws_strutil_trim_http_whitespace(splits[1]);
+    if (!aws_strutil_is_http_field_value(value)) {
+        AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=%p: Invalid incoming header, bad value.", decoder->logging_id);
+        AWS_LOGF_DEBUG(
+            AWS_LS_HTTP_STREAM, "id=%p: Bad header is: '" PRInSTR "'", decoder->logging_id, AWS_BYTE_CURSOR_PRI(input));
+        return aws_raise_error(AWS_ERROR_HTTP_PROTOCOL_ERROR);
+    }
 
     struct aws_h1_decoded_header header;
     header.name = aws_http_str_to_header_name(name);
@@ -603,6 +609,26 @@ static int s_linestate_request(struct aws_h1_decoder *decoder, struct aws_byte_c
     struct aws_byte_cursor uri = cursors[1];
     struct aws_byte_cursor version = cursors[2];
 
+    if (!aws_strutil_is_http_token(method)) {
+        AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=%p: Incoming request has invalid method.", decoder->logging_id);
+        AWS_LOGF_DEBUG(
+            AWS_LS_HTTP_STREAM,
+            "id=%p: Bad request line is: '" PRInSTR "'",
+            decoder->logging_id,
+            AWS_BYTE_CURSOR_PRI(input));
+        return aws_raise_error(AWS_ERROR_HTTP_PROTOCOL_ERROR);
+    }
+
+    if (!aws_strutil_is_http_request_target(uri)) {
+        AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=%p: Incoming request has invalid path.", decoder->logging_id);
+        AWS_LOGF_DEBUG(
+            AWS_LS_HTTP_STREAM,
+            "id=%p: Bad request line is: '" PRInSTR "'",
+            decoder->logging_id,
+            AWS_BYTE_CURSOR_PRI(input));
+        return aws_raise_error(AWS_ERROR_HTTP_PROTOCOL_ERROR);
+    }
+
     struct aws_byte_cursor version_expected = aws_http_version_to_str(AWS_HTTP_VERSION_1_1);
     if (!aws_byte_cursor_eq(&version, &version_expected)) {
         AWS_LOGF_ERROR(
@@ -645,7 +671,6 @@ static int s_linestate_response(struct aws_h1_decoder *decoder, struct aws_byte_
     struct aws_byte_cursor version = cursors[0];
     struct aws_byte_cursor code = cursors[1];
     struct aws_byte_cursor phrase = cursors[2];
-    (void)phrase; /* Unused for now. */
 
     struct aws_byte_cursor version_1_1_expected = aws_http_version_to_str(AWS_HTTP_VERSION_1_1);
     struct aws_byte_cursor version_1_0_expected = aws_http_version_to_str(AWS_HTTP_VERSION_1_0);
@@ -660,6 +685,12 @@ static int s_linestate_response(struct aws_h1_decoder *decoder, struct aws_byte_
         return aws_raise_error(AWS_ERROR_HTTP_PROTOCOL_ERROR);
     }
 
+    /* Validate phrase */
+    if (!aws_strutil_is_http_reason_phrase(phrase)) {
+        AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=%p: Incoming response has invalid reason phrase.", decoder->logging_id);
+        return aws_raise_error(AWS_ERROR_HTTP_PROTOCOL_ERROR);
+    }
+
     /* Status-code is a 3-digit integer. RFC7230 section 3.1.2 */
     uint64_t code_val_u64;
     err = aws_strutil_read_unsigned_num(code, &code_val_u64);

source/h1_encoder.c

@@ -37,31 +37,51 @@ static int s_scan_outgoing_headers(
         struct aws_http_header header;
         aws_http_message_get_header(message, &header, i);
 
+        /* Validate header field-name (RFC-7230 3.2): field-name = token */
+        if (!aws_strutil_is_http_token(header.name)) {
+            AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=static: Header name is invalid");
+            return aws_raise_error(AWS_ERROR_HTTP_INVALID_HEADER_NAME);
+        }
+
+        /* Validate header field-value.
+         * The value itself isn't supposed to have whitespace on either side,
+         * but we'll trim it off before validation so we don't start needlessly
+         * failing requests that used to work before we added validation.
+         * This should be OK because field-value can be sent with any amount
+         * of whitespace around it, which the other side will just ignore (RFC-7230 3.2):
+         * header-field = field-name ":" OWS field-value OWS */
+        struct aws_byte_cursor field_value = aws_strutil_trim_http_whitespace(header.value);
+        if (!aws_strutil_is_http_field_value(field_value)) {
+            AWS_LOGF_ERROR(
+                AWS_LS_HTTP_STREAM,
+                "id=static: Header '" PRInSTR "' has invalid value",
+                AWS_BYTE_CURSOR_PRI(header.name));
+            return aws_raise_error(AWS_ERROR_HTTP_INVALID_HEADER_VALUE);
+        }
+
         enum aws_http_header_name name_enum = aws_http_str_to_header_name(header.name);
         switch (name_enum) {
             case AWS_HTTP_HEADER_CONNECTION: {
-                struct aws_byte_cursor trimmed_value = aws_strutil_trim_http_whitespace(header.value);
-                if (aws_byte_cursor_eq_c_str(&trimmed_value, "close")) {
+                if (aws_byte_cursor_eq_c_str(&field_value, "close")) {
                     encoder_message->has_connection_close_header = true;
                 }
             } break;
             case AWS_HTTP_HEADER_CONTENT_LENGTH: {
                 has_content_length_header = true;
-                struct aws_byte_cursor trimmed_value = aws_strutil_trim_http_whitespace(header.value);
-                if (aws_strutil_read_unsigned_num(trimmed_value, &encoder_message->content_length)) {
+                if (aws_strutil_read_unsigned_num(field_value, &encoder_message->content_length)) {
                     AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=static: Invalid Content-Length");
                     return aws_raise_error(AWS_ERROR_HTTP_INVALID_HEADER_VALUE);
                 }
             } break;
             case AWS_HTTP_HEADER_TRANSFER_ENCODING: {
                 has_transfer_encoding_header = true;
-                if (0 == header.value.len) {
+                if (0 == field_value.len) {
                     AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=static: Transfer-Encoding must include a valid value");
                     return aws_raise_error(AWS_ERROR_HTTP_INVALID_HEADER_VALUE);
                 }
                 struct aws_byte_cursor substr;
                 AWS_ZERO_STRUCT(substr);
-                while (aws_byte_cursor_next_split(&header.value, ',', &substr)) {
+                while (aws_byte_cursor_next_split(&field_value, ',', &substr)) {
                     struct aws_byte_cursor trimmed = aws_strutil_trim_http_whitespace(substr);
                     if (0 == trimmed.len) {
                         AWS_LOGF_ERROR(
@@ -177,13 +197,26 @@ int aws_h1_encoder_message_init_from_request(
     struct aws_byte_cursor method;
     int err = aws_http_message_get_request_method(request, &method);
     if (err) {
+        AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=static: Request method not set");
+        aws_raise_error(AWS_ERROR_HTTP_INVALID_METHOD);
+        goto error;
+    }
+    /* RFC-7230 3.1.1: method = token */
+    if (!aws_strutil_is_http_token(method)) {
+        AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=static: Request method is invalid");
         aws_raise_error(AWS_ERROR_HTTP_INVALID_METHOD);
         goto error;
     }
 
     struct aws_byte_cursor uri;
     err = aws_http_message_get_request_path(request, &uri);
     if (err) {
+        AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=static: Request path not set");
+        aws_raise_error(AWS_ERROR_HTTP_INVALID_PATH);
+        goto error;
+    }
+    if (!aws_strutil_is_http_request_target(uri)) {
+        AWS_LOGF_ERROR(AWS_LS_HTTP_STREAM, "id=static: Request path is invalid");
         aws_raise_error(AWS_ERROR_HTTP_INVALID_PATH);
         goto error;
     }

source/strutil.c

@@ -139,3 +139,125 @@ bool aws_strutil_is_http_token(struct aws_byte_cursor token) {
 bool aws_strutil_is_lowercase_http_token(struct aws_byte_cursor token) {
     return s_is_token(token, s_http_lowercase_token_table);
 }
+
+/* clang-format off */
+/**
+ * Table with true for all octets allowed in field-content,
+ * as defined in RFC7230 section 3.2 and 3.2.6 and RFC5234 appendix-B.1:
+ *
+ * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+ * field-vchar    = VCHAR / obs-text
+ * VCHAR          = %x21-7E ; visible (printing) characters
+ * obs-text       = %x80-FF
+ */
+static const bool s_http_field_content_table[256] = {
+    /* clang-format off */
+
+    /* whitespace */
+    ['\t'] = true, [' '] = true,
+
+    /* VCHAR = 0x21-7E */
+    [0x21] = true, [0x22] = true, [0x23] = true, [0x24] = true, [0x25] = true, [0x26] = true, [0x27] = true,
+    [0x28] = true, [0x29] = true, [0x2A] = true, [0x2B] = true, [0x2C] = true, [0x2D] = true, [0x2E] = true,
+    [0x2F] = true, [0x30] = true, [0x31] = true, [0x32] = true, [0x33] = true, [0x34] = true, [0x35] = true,
+    [0x36] = true, [0x37] = true, [0x38] = true, [0x39] = true, [0x3A] = true, [0x3B] = true, [0x3C] = true,
+    [0x3D] = true, [0x3E] = true, [0x3F] = true, [0x40] = true, [0x41] = true, [0x42] = true, [0x43] = true,
+    [0x44] = true, [0x45] = true, [0x46] = true, [0x47] = true, [0x48] = true, [0x49] = true, [0x4A] = true,
+    [0x4B] = true, [0x4C] = true, [0x4D] = true, [0x4E] = true, [0x4F] = true, [0x50] = true, [0x51] = true,
+    [0x52] = true, [0x53] = true, [0x54] = true, [0x55] = true, [0x56] = true, [0x57] = true, [0x58] = true,
+    [0x59] = true, [0x5A] = true, [0x5B] = true, [0x5C] = true, [0x5D] = true, [0x5E] = true, [0x5F] = true,
+    [0x60] = true, [0x61] = true, [0x62] = true, [0x63] = true, [0x64] = true, [0x65] = true, [0x66] = true,
+    [0x67] = true, [0x68] = true, [0x69] = true, [0x6A] = true, [0x6B] = true, [0x6C] = true, [0x6D] = true,
+    [0x6E] = true, [0x6F] = true, [0x70] = true, [0x71] = true, [0x72] = true, [0x73] = true, [0x74] = true,
+    [0x75] = true, [0x76] = true, [0x77] = true, [0x78] = true, [0x79] = true, [0x7A] = true, [0x7B] = true,
+    [0x7C] = true, [0x7D] = true, [0x7E] = true,
+
+    /* obs-text = %x80-FF */
+    [0x80] = true, [0x81] = true, [0x82] = true, [0x83] = true, [0x84] = true, [0x85] = true, [0x86] = true,
+    [0x87] = true, [0x88] = true, [0x89] = true, [0x8A] = true, [0x8B] = true, [0x8C] = true, [0x8D] = true,
+    [0x8E] = true, [0x8F] = true, [0x90] = true, [0x91] = true, [0x92] = true, [0x93] = true, [0x94] = true,
+    [0x95] = true, [0x96] = true, [0x97] = true, [0x98] = true, [0x99] = true, [0x9A] = true, [0x9B] = true,
+    [0x9C] = true, [0x9D] = true, [0x9E] = true, [0x9F] = true, [0xA0] = true, [0xA1] = true, [0xA2] = true,
+    [0xA3] = true, [0xA4] = true, [0xA5] = true, [0xA6] = true, [0xA7] = true, [0xA8] = true, [0xA9] = true,
+    [0xAA] = true, [0xAB] = true, [0xAC] = true, [0xAD] = true, [0xAE] = true, [0xAF] = true, [0xB0] = true,
+    [0xB1] = true, [0xB2] = true, [0xB3] = true, [0xB4] = true, [0xB5] = true, [0xB6] = true, [0xB7] = true,
+    [0xB8] = true, [0xB9] = true, [0xBA] = true, [0xBB] = true, [0xBC] = true, [0xBD] = true, [0xBE] = true,
+    [0xBF] = true, [0xC0] = true, [0xC1] = true, [0xC2] = true, [0xC3] = true, [0xC4] = true, [0xC5] = true,
+    [0xC6] = true, [0xC7] = true, [0xC8] = true, [0xC9] = true, [0xCA] = true, [0xCB] = true, [0xCC] = true,
+    [0xCD] = true, [0xCE] = true, [0xCF] = true, [0xD0] = true, [0xD1] = true, [0xD2] = true, [0xD3] = true,
+    [0xD4] = true, [0xD5] = true, [0xD6] = true, [0xD7] = true, [0xD8] = true, [0xD9] = true, [0xDA] = true,
+    [0xDB] = true, [0xDC] = true, [0xDD] = true, [0xDE] = true, [0xDF] = true, [0xE0] = true, [0xE1] = true,
+    [0xE2] = true, [0xE3] = true, [0xE4] = true, [0xE5] = true, [0xE6] = true, [0xE7] = true, [0xE8] = true,
+    [0xE9] = true, [0xEA] = true, [0xEB] = true, [0xEC] = true, [0xED] = true, [0xEE] = true, [0xEF] = true,
+    [0xF0] = true, [0xF1] = true, [0xF2] = true, [0xF3] = true, [0xF4] = true, [0xF5] = true, [0xF6] = true,
+    [0xF7] = true, [0xF8] = true, [0xF9] = true, [0xFA] = true, [0xFB] = true, [0xFC] = true, [0xFD] = true,
+    [0xFE] = true, [0xFF] = true,
+    /* clang-format on */
+};
+
+/**
+ * From RFC7230 section 3.2:
+ * field-value    = *( field-content / obs-fold )
+ * field-content  = field-vchar [ 1*( SP / HTAB ) field-vchar ]
+ *
+ * But we're forbidding obs-fold
+ */
+bool aws_strutil_is_http_field_value(struct aws_byte_cursor cursor) {
+    if (cursor.len == 0) {
+        return true;
+    }
+
+    /* first and last char cannot be whitespace */
+    const uint8_t first_c = cursor.ptr[0];
+    const uint8_t last_c = cursor.ptr[cursor.len - 1];
+    if (s_http_whitespace_table[first_c] || s_http_whitespace_table[last_c]) {
+        return false;
+    }
+
+    /* ensure every char is legal field-content */
+    size_t i = 0;
+    do {
+        const uint8_t c = cursor.ptr[i++];
+        if (s_http_field_content_table[c] == false) {
+            return false;
+        }
+    } while (i < cursor.len);
+
+    return true;
+}
+
+/**
+ * From RFC7230 section 3.1.2:
+ * reason-phrase  = *( HTAB / SP / VCHAR / obs-text )
+ * VCHAR          = %x21-7E ; visible (printing) characters
+ * obs-text       = %x80-FF
+ */
+bool aws_strutil_is_http_reason_phrase(struct aws_byte_cursor cursor) {
+    for (size_t i = 0; i < cursor.len; ++i) {
+        const uint8_t c = cursor.ptr[i];
+        /* the field-content table happens to allow the exact same characters as reason-phrase */
+        if (s_http_field_content_table[c] == false) {
+            return false;
+        }
+    }
+    return true;
+}
+
+bool aws_strutil_is_http_request_target(struct aws_byte_cursor cursor) {
+    if (cursor.len == 0) {
+        return false;
+    }
+
+    /* TODO: Actually check the complete grammar as defined in RFC7230 5.3 and
+     * RFC3986. Currently this just checks whether the sequence is blatantly illegal */
+    size_t i = 0;
+    do {
+        const uint8_t c = cursor.ptr[i++];
+        /* everything <= ' ' is non-visible ascii*/
+        if (c <= ' ') {
+            return false;
+        }
+    } while (i < cursor.len);
+
+    return true;
+}

tests/CMakeLists.txt

@@ -63,6 +63,12 @@ add_test_case(h1_encoder_transfer_encoding_set_body_stream_errors)
 add_test_case(h1_encoder_transfer_encoding_chunked_multiple_put_request_headers)
 add_test_case(h1_encoder_transfer_encoding_chunked_not_final_encoding_put_request_headers)
 add_test_case(h1_encoder_transfer_encoding_not_ending_in_chunked_put_request_headers)
+add_test_case(h1_encoder_rejects_bad_method)
+add_test_case(h1_encoder_rejects_missing_method)
+add_test_case(h1_encoder_rejects_bad_path)
+add_test_case(h1_encoder_rejects_missing_path)
+add_test_case(h1_encoder_rejects_bad_header_name)
+add_test_case(h1_encoder_rejects_bad_header_value)
 
 add_test_case(h1_client_sanity_check)
 add_test_case(h1_client_request_send_1liner)
@@ -135,6 +141,9 @@ add_test_case(strutil_read_unsigned_hex)
 add_test_case(strutil_trim_http_whitespace)
 add_test_case(strutil_is_http_token)
 add_test_case(strutil_is_lowercase_http_token)
+add_test_case(strutil_is_http_field_value)
+add_test_case(strutil_is_http_reason_phrase)
+add_test_case(strutil_is_http_request_target)
 
 add_net_test_case(tls_download_medium_file_h1)
 add_net_test_case(tls_download_medium_file_h2)