Harden against HTTP Desync attacks #3444
Comments
|
Thanks for the suggestion! I agree with the premise, for sure! I have mentioned in other issues the idea of having a "strict" option. (I kinda wonder if it would eventually need to be made multiple options, as people want some strict things but not others.) Another point I think is to consider whether these things need to live in hyper itself, or if it can be part of recommended middleware. More tests is always welcome, too! |
|
Most checks can probably live in middlewares but desync attack operate on the write buffer of the connection to leak data of other users when the proxy reuses the same connection. So I think this would need to live in hyper. Regarding the multiple flags I do agree, maybe similar to the desync attack prevention modes provided by AWS for the ALB? |
seanmonstar
added
B-rfc
Problem
HTTP Desync attacks are pretty bad and there are a lot of bad/permissive http implementations out there that act as proxies.
I didn't see any discussion / tests of hyper surrounding that so I wanted to start the discussion around the topic given that hyper is now 1.0 (and used in production in a lot of places).
Ideas
For the second point, I would take a lot of work that has been done by AWS already in https://github.com/aws/http-desync-guardian and try to incorporate it in hyper where it makes sense. This includes going more strict than the spec to avoid confusions.
Things like ignoring a CL when a TE is present is risky (even if the spec says that it must be ignored) since a proxy might very well not ignore the CL. So even if hyper is "correct", that won't prevent a leak. Under an hypothetical
strictflag, this would result in the request being rejected.hyper/src/proto/h1/role.rs
Lines 251 to 253 in 210bfaa
Additional context
The text was updated successfully, but these errors were encountered: