GHSA-5vcm-3xc3-w7x3

Source
https://github.com/advisories/GHSA-5vcm-3xc3-w7x3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-5vcm-3xc3-w7x3/GHSA-5vcm-3xc3-w7x3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-5vcm-3xc3-w7x3
Aliases
Published
2021-09-22T19:18:41Z
Modified
2023-11-08T04:06:50.664861Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Summary
Response Splitting from unsanitized headers
Details

Impact

http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields:

  • Header names (Header.name)
  • Header values (Header.value)
  • Status reason phrases (Status.reason)
  • URI paths (Uri.Path)
  • URI authority registered names (URI.RegName) (through 0.21)

The following backends render invalid carriage return, newline, or null characters in an unsafe fashion.

|                | blaze-server | ember-server | blaze-client | ember-client | jetty-client |
|:---------------|:-------------|:-------------|:-------------|:-------------|:-------------|
| header names   | ⚠            | ⚠            | ⚠            | ⚠            | ⚠            |
| header values  | ⚠            | ⚠            | ⚠            | ⚠            |              |
| status reasons | ⚠            | ⚠            |              |              |              |
| URI paths      |              |              | ⚠            | ⚠            |              |
| URI regnames   |              |              | ⚠ < 0.22     | ⚠ < 0.22     |              |

For example, given the following service:

import cats.effect._
import org.http4s._
import org.http4s.dsl.io._
import org.http4s.server.blaze.BlazeServerBuilder
import scala.concurrent.ExecutionContext.global

object ResponseSplit extends IOApp {
  override def run(args: List[String]): IO[ExitCode] =
    BlazeServerBuilder[IO](global)
      .bindHttp(8080)
      .withHttpApp(httpApp)
      .resource
      .use(_ => IO.never)

  val httpApp: HttpApp[IO] =
    HttpApp[IO] { req =>
      req.params.get("author") match {
        case Some(author) =>
          Ok("The real content")
            .map(_.putHeaders(Header("Set-Cookie", s"author=${author}")))
        case None =>
          BadRequest("No author parameter")
      }
    }
}

A clean author parameter returns a clean response:

curl -i 'http://localhost:8080/?author=Ross'
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Set-Cookie: author=Ross
Date: Mon, 20 Sep 2021 04:12:10 GMT
Content-Length: 16

The real content

A malicious author parameter allows a user-agent to hijack the response from our server and return different content:

curl -i 'http://localhost:8080/?author=hax0r%0d%0aContent-Length:+13%0d%0a%0aI+hacked+you'
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Set-Cookie: author=hax0r
Content-Length: 13

I hacked you

Patches

Versions 0.21.29, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following:

  • If a status reason phrase is invalid, it is dropped. Rendering is optional per spec.
  • If a header name is invalid in a request or response, the header is dropped. There is no way to generically sanitize a header without potentially shadowing a correct one.
  • If a header value is invalid in a request or response, it is sanitized by replacing null (\u0000), carriage return (\r), and newline (\n) with space (' ') characters per spec.
  • If a URI path or registered name is invalid in a request line, the client raises an IllegalArgumentException.
  • If a URI registered name is invalid in a host header, the client raises an IllegalArgumentException.

Workarounds

http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.
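The patch rules above and the workaround they replace, shown as an added example that is not http4s code: a header-value sanitizer (CR, LF and NUL become spaces), a header renderer that drops names which are not valid RFC 7230 tokens, a status line that drops an invalid reason phrase, and a URI-component check that raises instead of rendering. The token and reason-phrase grammars are assumed from the HTTP spec; the sample value is the decoded malicious author parameter from the advisory's curl example.

```python
import re

# RFC 7230 token grammar for field names (assumed from the spec, not http4s code).
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# reason-phrase = *( HTAB / SP / VCHAR / obs-text ); CR, LF and NUL are excluded.
_REASON_RE = re.compile(r"^[\t \x21-\x7e\x80-\xff]*$")
# The characters the advisory names as the most threatening.
_FORBIDDEN = ("\r", "\n", "\x00")

# Constructed sample: the decoded value of ?author=... from the advisory's example.
MALICIOUS_AUTHOR = "hax0r\r\nContent-Length: 13\r\n\r\nI hacked you"


def sanitize_header_value(value: str) -> str:
    """Replace CR, LF and NUL with a space, as the patched header renderer does."""
    for ch in _FORBIDDEN:
        value = value.replace(ch, " ")
    return value


def render_headers(headers) -> str:
    """Render (name, value) pairs to a wire-format header block.
    Invalid names are dropped (they cannot be sanitized without shadowing
    a legitimate header); values are sanitized in place."""
    lines = []
    for name, value in headers:
        if not _TOKEN_RE.match(name):
            continue
        lines.append(f"{name}: {sanitize_header_value(value)}")
    return "".join(line + "\r\n" for line in lines)


def render_status_line(code: int, reason: str) -> str:
    """Drop the reason phrase entirely when it contains forbidden characters."""
    if not _REASON_RE.match(reason):
        reason = ""
    return f"HTTP/1.1 {code} {reason}\r\n"


def check_uri_component(component: str) -> str:
    """Client-side behaviour for paths and registered names: refuse, don't render."""
    if any(ch in component for ch in _FORBIDDEN):
        raise ValueError("invalid character in URI component")
    return component


if __name__ == "__main__":
    # The injected Content-Length header and body collapse into one Set-Cookie line.
    print(render_headers([("Set-Cookie", f"author={MALICIOUS_AUTHOR}")]))
```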

Not all backends were affected: jetty-server, tomcat-server, armeria, and netty on the server; async-http-client, okhttp-client, armeria, and netty as clients.

References

  • https://owasp.org/www-community/attacks/HTTPResponseSplitting
  • https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#fields.values

For more information

If you have any questions or comments about this advisory:

  • Open an issue in GitHub
  • Contact us via the http4s security policy

Database specific
{
    "nvd_published_at": "2021-09-21T18:15:00Z",
    "github_reviewed_at": "2021-09-21T16:10:13Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-74",
        "CWE-918"
    ]
}
Affected packages

Maven / org.http4s:http4s-server

Package

Name
org.http4s:http4s-server
Purl
pkg:maven/org.http4s/http4s-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.21.29

Database specific

{
    "last_known_affected_version_range": "<= 0.21.28"
}

Maven / org.http4s:http4s-client

Package

Name
org.http4s:http4s-client
Purl
pkg:maven/org.http4s/http4s-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.21.29

Database specific

{
    "last_known_affected_version_range": "<= 0.21.28"
}

Maven / org.http4s:http4s-server

Package

Name
org.http4s:http4s-server
Purl
pkg:maven/org.http4s/http4s-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.22.0
Fixed
0.22.5

Database specific

{
    "last_known_affected_version_range": "<= 0.22.4"
}

Maven / org.http4s:http4s-server

Package

Name
org.http4s:http4s-server
Purl
pkg:maven/org.http4s/http4s-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.23.0
Fixed
0.23.4

Database specific

{
    "last_known_affected_version_range": "<= 0.23.3"
}

Maven / org.http4s:http4s-client

Package

Name
org.http4s:http4s-client
Purl
pkg:maven/org.http4s/http4s-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.22.0
Fixed
0.22.5

Database specific

{
    "last_known_affected_version_range": "<= 0.22.4"
}

Maven / org.http4s:http4s-client

Package

Name
org.http4s:http4s-client
Purl
pkg:maven/org.http4s/http4s-client

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.23.0
Fixed
0.23.4

Database specific

{
    "last_known_affected_version_range": "<= 0.23.3"
}