Merge pull request #22426 from loriadi/PH46816-validation

PH46816: Header validation

Author: tevans78

dev/com.ibm.ws.transport.http.remoteip_fat/fat/src/com/ibm/ws/transport/http/HttpXForwardedAndForwardedHeaderTests.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2018 IBM Corporation and others.
+ * Copyright (c) 2018, 2022 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -1847,6 +1847,113 @@ public void testTrustedForwardedWithDefaultRemoteIpRefConfig() throws Exception
         assertTrue("Response does not contain expected isSecure", response.contains("isSecure: false"));
     }
 
+    /**
+     * Test x-forwarded header with an invalid X-Forwarded-Proto header.
+     *
+     * The remote client address should not be verified.
+     *
+     * @throws Exception
+     *
+     *                       In this test, the x-forwarded-proto header is invalid, use the other
+     *                       x-forwarded headers but discard the proto
+     */
+    @Test
+    @Mode(TestMode.FULL)
+    public void testTrustedXForwardedIPv4WithInvalidProto() throws Exception {
+        String variation = "defaultRemoteIP";
+        String testName = "testTrustedXForwardedIPv4WithInvalidProto";
+        String servletName = "EndpointInformationServlet";
+        startServer(variation);
+
+        // Note that the proto contains invalid characters.
+        List<BasicHeader> headerList = new ArrayList<BasicHeader>();
+        headerList.addAll(Arrays.asList(new BasicHeader("X-Forwarded-For", "192.100.0.299,192.168.0.101,192.168.2.322,172.31.255.188"),
+                                        new BasicHeader("X-Forwarded-Host", "clienttest.com"),
+                                        new BasicHeader("X-Forwarded-Proto", "https://evil.com/#")));
+
+        HttpResponse httpResponse = execute(APP_NAME, servletName, headerList, testName);
+        String response = getResponseAsString(httpResponse);
+
+        Log.info(ME, testName, "Response: " + response);
+
+        assertTrue("Response does not contain Endpoint Information Servlet Test message", response.contains("Endpoint Information Servlet Test"));
+        assertTrue("Response does contain the expected Remote Address", response.contains("Remote Address: 192.100.0.299"));
+        assertTrue("Response does not contain valid Scheme", !response.contains("Scheme: https://evil.com/#"));
+        assertTrue("Response does not contain valid Scheme", response.contains("Scheme: http"));
+    }
+
+    /**
+     * Test Forward header with an invalid proto parameter.
+     *
+     * The remote client address should not be verified.
+     *
+     * In this test, one of the parms of the forwarded header is invalid - proto.
+     * Throw out all the parms for the whole header.
+     *
+     * @throws Exception
+     */
+    @Test
+    @Mode(TestMode.FULL)
+    public void testTrustedForwardedIPv4WithInvalidProto() throws Exception {
+        String variation = "defaultRemoteIP";
+        String testName = "testTrustedForwardedIPv4WithInvalidProto";
+        String servletName = "EndpointInformationServlet";
+        startServer(variation);
+
+        List<BasicHeader> headerList = new ArrayList<BasicHeader>();
+        // Note that the proto contains invalid characters.
+        headerList.addAll(Arrays
+                        .asList(new BasicHeader("Forwarded", "for=192.100.0.299,for=192.168.0.101,for=192.168.2.322,for=172.31.255.188;"
+                                                             + "host=clienttest.com;"
+                                                             + "proto=https://evil.com/#")));
+
+        HttpResponse httpResponse = execute(APP_NAME, servletName, headerList, testName);
+        String response = getResponseAsString(httpResponse);
+
+        Log.info(ME, testName, "Response: " + response);
+
+        assertTrue("Response does not contain Endpoint Information Servlet Test message", response.contains("Endpoint Information Servlet Test"));
+        assertTrue("Response does contain the expected Remote Address", response.contains("Remote Address: 127.0.0.1"));
+        assertTrue("Response does not contain expected Remote Host", response.contains("Remote Host: localhost"));
+        assertTrue("Response does not contain valid Scheme", !response.contains("Scheme: https://evil.com/#"));
+        assertTrue("Response does not contain valid Scheme", response.contains("Scheme: http"));
+    }
+
+    /**
+     * Test Forward header with an invalid host parameter.
+     * The only invalid host would be an ipv6 address with mismatched [] or
+     * a [ bracket not in the first position.
+     *
+     * The remote client address should not be verified.
+     *
+     * @throws Exception
+     */
+    @Test
+    @Mode(TestMode.FULL)
+    public void testTrustedForwardedIPv4WithInvalidHost() throws Exception {
+        String variation = "defaultRemoteIP";
+        String testName = "testTrustedForwardedIPv4WithInvalidHost";
+        String servletName = "EndpointInformationServlet";
+        startServer(variation);
+
+        List<BasicHeader> headerList = new ArrayList<BasicHeader>();
+        // Note that the host contains invalid characters.
+        headerList.addAll(Arrays
+                        .asList(new BasicHeader("Forwarded", "for=192.100.0.299,for=192.168.0.101,for=192.168.2.322,for=172.31.255.188;"
+                                                             + "host=a[a];"
+                                                             + "proto=https")));
+
+        HttpResponse httpResponse = execute(APP_NAME, servletName, headerList, testName);
+        String response = getResponseAsString(httpResponse);
+
+        Log.info(ME, testName, "Response: " + response);
+
+        assertTrue("Response does not contain Endpoint Information Servlet Test message", response.contains("Endpoint Information Servlet Test"));
+        assertTrue("Response does contain the expected Remote Address", response.contains("Remote Address: 127.0.0.1"));
+        assertTrue("Response does not contain valid Remote Host", !response.contains("Remote Host: []"));
+        assertTrue("Response does not contain valid Scheme", response.contains("Scheme: http"));
+    }
+
     /**
      * Private method to start a server.
      *
@@ -1865,10 +1972,10 @@ private void startServer(String variation) throws Exception {
     /**
      * Private method to execute/drive an HTTP request and obtain an HTTP response
      *
-     * @param app The app name or context root
-     * @param path The specific path to drive the request
+     * @param app        The app name or context root
+     * @param path       The specific path to drive the request
      * @param headerList A list of headers to be added in the request
-     * @param variation The name of the server for logging purposes
+     * @param variation  The name of the server for logging purposes
      * @return The HTTP response for the request
      * @throws Exception
      */

dev/com.ibm.ws.transport.http/src/com/ibm/ws/genericbnf/internal/BNFHeadersImpl.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2004, 2019 IBM Corporation and others.
+ * Copyright (c) 2004, 2022 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -264,8 +264,8 @@ public BNFHeadersImpl() {
      * options.
      *
      * @param useDirect -- use direct ByteBuffers or indirect
-     * @param outSize -- size of buffers to use while marshalling headers
-     * @param inSize -- size of buffers to use while parsing headers
+     * @param outSize   -- size of buffers to use while marshalling headers
+     * @param inSize    -- size of buffers to use while parsing headers
      * @param cacheSize -- byte cache size of optimized parsing
      */
     protected void init(boolean useDirect, int outSize, int inSize, int cacheSize) {
@@ -3133,8 +3133,8 @@ protected WsByteBuffer[] putBytes(byte[] data, WsByteBuffer[] inBuffers) {
      * (extended) when the cache was flushed.
      *
      * @param data
-     * @param offset (into data to start at)
-     * @param length (to copy from the offset into data)
+     * @param offset    (into data to start at)
+     * @param length    (to copy from the offset into data)
      * @param inBuffers
      * @return WsByteBuffer[]
      */
@@ -3609,7 +3609,7 @@ private boolean parseCRLFs(WsByteBuffer buff) throws MalformedMessageException {
      * Returns either the TOKEN_RC_DELIM or the TOKEN_RC_MOREDATA return codes.
      *
      * @param buff
-     * @param log - whether to debug log contents or not
+     * @param log  - whether to debug log contents or not
      * @return TokenCodes
      * @throws MalformedMessageException
      */
@@ -3875,7 +3875,7 @@ private boolean parseHeaderValueNonExtract(WsByteBuffer buff) throws MalformedMe
      * @param buff
      * @param bDelimiter
      * @param bApproveCRLF
-     * @param log - control how much of the token to debug log
+     * @param log          - control how much of the token to debug log
      * @return TokenCodes
      * @throws MalformedMessageException
      */
@@ -3965,10 +3965,10 @@ protected void setHeaderValue() throws MalformedMessageException {
     /**
      * Sets the temporary parse token from the input buffer.
      *
-     * @param buff The current WsByteBuffer being parsed
+     * @param buff  The current WsByteBuffer being parsed
      * @param start The start position of the token
      * @param delim Did we stop on the delimiter or not?
-     * @param log Whether to log the contents or not
+     * @param log   Whether to log the contents or not
      */
     private void saveParsedToken(WsByteBuffer buff, int start, boolean delim, int log) {
 
@@ -4288,12 +4288,18 @@ private void processXForwardedHeader(HeaderElement header) {
             processXForwardedAddressExtract(header.getDebugValue(), forwardedByList);
         } else if (X_FORWARDED_PROTO.equalsIgnoreCase(header.getName())) {
             forwardedProto = header.getDebugValue();
+            if (!validateProto(forwardedProto)) {
+                forwardedProto = null;
+                if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
+                    Tr.debug(tc, "X-Forwarded-Proto value is invalid: " + header.getDebugValue());
+                }
+            }
+
         } else if (X_FORWARDED_PORT.equalsIgnoreCase(header.getName())) {
             forwardedPort = header.getDebugValue();
         } else if (X_FORWARDED_HOST.equalsIgnoreCase(header.getName())) {
             forwardedHost = header.getDebugValue();
         }
-
         if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
             Tr.exit(tc, "processXForwardedHeader");
         }
@@ -4358,8 +4364,30 @@ private void processSpecForwardedHeader(HeaderElement header) {
 
                 } else if (node.toLowerCase().startsWith(PROTO)) {
                     forwardedProto = nodeExtract;
+                    boolean validProto = validateProto(forwardedProto);
+                    if (!validProto) {
+                        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
+                            Tr.debug(tc, "Forwarded header proto value was malformed: " + forwardedProto);
+                        }
+                        processForwardedErrorState();
+                        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
+                            Tr.exit(tc, "processSpecForwardedHeader");
+                        }
+                        return;
+                    }
                 } else if (node.toLowerCase().startsWith(HOST)) {
                     forwardedHost = nodeExtract;
+                    forwardedHost = validateForwardedHost(forwardedHost);
+                    if (forwardedHost == null) {
+                        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
+                            Tr.debug(tc, "Forwarded header host value was malformed: " + nodeExtract);
+                        }
+                        processForwardedErrorState();
+                        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
+                            Tr.exit(tc, "processSpecForwardedHeader");
+                        }
+                        return;
+                    }
                 }
                 //Unrecognized parameter
                 else {
@@ -4497,6 +4525,69 @@ private void processForwardedAddressExtract(String nodeExtract, ListType type) {
         list.add(nodeName);
     }
 
+    /*
+     * A valid proto may start with an alpha followed by any number of chars that are
+     * - alpha
+     * - numeric
+     * - "+" or "-" or "."
+     */
+
+    private boolean validateProto(String forwardedProto) {
+        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
+            Tr.entry(tc, "validateProto");
+        }
+        char[] a = forwardedProto.toCharArray();
+        boolean valid = true;
+        char c = a[0];
+        valid = ((c >= 'a') && (c <= 'z')) ||
+                ((c >= 'A') && (c <= 'Z'));
+        if (valid) {
+
+            for (int i = 1; i < a.length; i++) {
+                c = a[i];
+                valid = ((c >= 'a') && (c <= 'z')) ||
+                        ((c >= 'A') && (c <= 'Z')) ||
+                        ((c >= '0') && (c <= '9')) ||
+                        (c == '+') || (c == '-') || (c == '.');
+                if (!valid) {
+                    break;
+                }
+            }
+
+        }
+        if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
+            Tr.debug(tc, "ValidateProto value is valid: " + valid);
+            Tr.exit(tc, "validateProto");
+        }
+        return valid;
+
+    }
+
+    /*
+     * Valid hostname can be a bracketed ipv6 address, or
+     * any other string.
+     * Validate the ipv6 address has opening and closing brackets.
+     */
+
+    private String validateForwardedHost(String forwardedHost) {
+        int openBracket = forwardedHost.indexOf("[");
+        int closedBracket = forwardedHost.indexOf("]");
+        String nodename = forwardedHost;
+
+        if (openBracket > -1) {
+            //This is an IPv6address
+            //The nodename is enclosed in "[ ]", get it now
+
+            //If the first character isn't the open bracket or if close bracket
+            //is missing, this is a badly formed header
+            if (openBracket != 0 || !(closedBracket > -1)) {
+                nodename = null;
+            }
+        }
+        return nodename;
+
+    }
+
     private void processForwardedErrorState() {
         this.forwardedByList = null;
         this.forwardedForList = null;

dev/com.ibm.ws.transport.http/src/com/ibm/ws/http/dispatcher/internal/channel/HttpDispatcherLink.java

@@ -920,16 +920,56 @@ public String getRemoteHostAddress() {
         if (remoteAddr == null) {
             remoteAddr = getTrustedHeader(HttpHeaderKeys.HDR_$WSRA.getName());
             if (remoteAddr != null) {
-                if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled())
-                    Tr.debug(tc, "getRemoteHostAddress isTrusted --> true, addr --> " + remoteAddr);
-            } else {
-                remoteAddr = contextRemoteHostAddress();
+                if (!validateRemoteAddress(remoteAddr)) {
+                    if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled())
+                        Tr.debug(tc, "getRemoteHostAddress isTrusted --> true, invalid addr --> " + remoteAddr);
+                    remoteAddr = null;
+                }
             }
         }
+        if (remoteAddr == null) {
+            remoteAddr = contextRemoteHostAddress();
+        }
 
         return remoteAddr;
     }
 
+    /*
+     * Validate the remote address
+     */
+    boolean validateRemoteAddress(String address) {
+        //The node identifier is defined by the ABNF syntax as
+        //        node     = nodename [ ":" node-port ]
+        //                   nodename = IPv4address / "[" IPv6address "]" /
+        //                             "unknown" / obfnode
+        //As such, to make it equivalent to the de-facto headers, remove the quotations
+        //and possible port
+        String extract = address.replaceAll("\"", "").trim();
+        String nodeName = null;
+
+        //obfnodes are only allowed to contain ALPHA / DIGIT / "." / "_" / "-"
+        //so if the token contains "[", it is an IPv6 address
+        int openBracket = extract.indexOf("[");
+        int closedBracket = extract.indexOf("]");
+
+        if (openBracket > -1) {
+            //This is an IPv6address
+            //The nodename is enclosed in "[ ]", get it now
+
+            //If the first character isn't the open bracket or if a close bracket
+            //is not provided, this is a badly formed header
+            if (openBracket != 0 || !(closedBracket > -1)) {
+                //badly formated header
+                if (TraceComponent.isAnyTracingEnabled() && tc.isEntryEnabled()) {
+                    Tr.debug(tc, "$WSRA IPv6 address was malformed: " + address);
+                }
+                return false;
+            }
+
+        }
+        return true;
+    }
+
     /**
      * @return the remote host address of the inbound connection
      */

dev/com.ibm.ws.webcontainer.servlet.3.1_fat/.classpath

@@ -34,5 +34,6 @@
 	<classpathentry kind="src" path="test-applications/multiNBReadApp.war/src"/>
 	<classpathentry kind="con" path="aQute.bnd.classpath.container"/>
 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.8"/>
+	<classpathentry kind="src" path="src"/>
 	<classpathentry kind="output" path="bin"/>
 </classpath>