Merge pull request #62 from http-rs/max-header-size

Fix unbounded header parsing

Author: yoshuawuyts

src/client.rs

@@ -16,7 +16,7 @@ use std::str::FromStr;
 
 use crate::chunked::ChunkedDecoder;
 use crate::date::fmt_http_date;
-use crate::MAX_HEADERS;
+use crate::{MAX_HEADERS, MAX_HEAD_LENGTH};
 
 /// An HTTP encoder.
 #[doc(hidden)]
@@ -146,6 +146,12 @@ where
         // No more bytes are yielded from the stream.
         assert!(bytes_read != 0, "Empty response"); // TODO: ensure?
 
+        // Prevent CWE-400 DDOS with large HTTP Headers.
+        ensure!(
+            buf.len() < MAX_HEAD_LENGTH,
+            "Head byte length should be less than 8kb"
+        );
+
         // We've hit the end delimiter of the stream.
         let idx = buf.len() - 1;
         if idx >= 3 && &buf[idx - 3..=idx] == b"\r\n\r\n" {

src/lib.rs

@@ -99,6 +99,10 @@
 /// The maximum amount of headers parsed on the server.
 const MAX_HEADERS: usize = 128;
 
+/// The maximum length of the head section we'll try to parse.
+/// See: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/#denial-of-service-with-large-http-headers-cve-2018-12121
+const MAX_HEAD_LENGTH: usize = 8 * 1024;
+
 mod chunked;
 mod date;
 mod server;

src/server.rs

@@ -16,7 +16,7 @@ use http_types::{Body, Method, Request, Response};
 
 use crate::chunked::ChunkedDecoder;
 use crate::date::fmt_http_date;
-use crate::MAX_HEADERS;
+use crate::{MAX_HEADERS, MAX_HEAD_LENGTH};
 
 const CR: u8 = b'\r';
 const LF: u8 = b'\n';
@@ -353,6 +353,12 @@ where
             return Ok(None);
         }
 
+        // Prevent CWE-400 DDOS with large HTTP Headers.
+        ensure!(
+            buf.len() < MAX_HEAD_LENGTH,
+            "Head byte length should be less than 8kb"
+        );
+
         // We've hit the end delimiter of the stream.
         let idx = buf.len() - 1;
         if idx >= 3 && &buf[idx - 3..=idx] == b"\r\n\r\n" {