Merge pull request #3403 from trailofbits/kkaoudis/http-parsing

HTTP header parsing

Author: kaoudis

.github/workflows/tests.yml

@@ -15,7 +15,7 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest] # windows-latest, macos-latest,
-        python-version: ["3.7", "3.8", "3.9", "3.10"]
+        python-version: ["3.7", "3.8", "3.9", "3.10", "3.11"]
 
     runs-on: ${{ matrix.os }}
 

.gitignore

@@ -3,4 +3,6 @@ polyfile/defs/*
 poyfile/trie_full.gz
 polyfile/trie_partial.gz
 ~*
-*.pyc
+*.pyc
+.vscode/
+.vscode/*

polyfile/__init__.py

@@ -1,3 +1,14 @@
-from . import nes, pdf, jpeg, zipmatcher, nitf, kaitaimatcher, languagematcher, polyfile
+from . import (
+    nes,
+    pdf,
+    jpeg,
+    zipmatcher,
+    nitf,
+    http,
+    kaitaimatcher,
+    languagematcher,
+    polyfile
+)
+
 from .__main__ import main
 from .polyfile import __version__

polyfile/ast.py

@@ -0,0 +1,114 @@
+from typing import Any, Iterable, Iterator, List, Optional, Tuple, Union
+
+from .polyfile import Match, Submatch
+
+
+class Node:
+    def __init__(self,
+                 name: str,
+                 value: Optional[bytes] = None,
+                 offset: Optional[int] = None,
+                 length: Optional[int] = None,
+                 older_sibling: Optional["Node"] = None,
+                 children: Iterable["Node"] = ()
+    ):
+        self.name: str = name
+        self.value: Optional[bytes] = value
+        self._offset: Optional[int] = offset
+        self._length: Optional[int] = length
+        self.older_sibling: Optional[Node] = older_sibling
+        self.children: Tuple[Node, ...] = tuple(children)
+
+    def __repr__(self):
+        r = f"{self.__class__.__name__}(name={self.name!r}"
+        if self.value is not None:
+            r = f"{r}, value={self.value!r}"
+        r = f"{r}, offset={self.offset!r}, length={self.length!r}, older_sibling={self.older_sibling!r}, " \
+            f"children={self.children!r})"
+        return r
+
+    @property
+    def offset(self) -> int:
+        if self._offset is None:
+            if self.children:
+                self._offset = self.children[0].offset
+            elif self.older_sibling is not None:
+                self._offset = self.older_sibling.offset + self.older_sibling.length
+            else:
+                raise ValueError(f"{self!r} must either have an explicit offset, an older sibling, or a child!")
+        return self._offset
+
+    @property
+    def length(self) -> int:
+        if self._length is None:
+            if self.value is not None:
+                self._length = len(self.value)
+            elif not self.children:
+                self._length = 0
+            else:
+                self._length = self.children[-1].offset + self.children[-1].length - self.offset
+        return self._length
+
+    def to_matches(self, parent: Optional[Match] = None) -> Iterator[Submatch]:
+        stack: List[Tuple["Node", Optional[Match]]] = [(self, parent)]
+        while stack:
+            node, parent = stack.pop()
+            if parent is None:
+                parent_offset = 0
+            else:
+                parent_offset = parent.offset
+            match = Submatch(
+                name=node.name,
+                match_obj=node.value,
+                relative_offset=node.offset - parent_offset,
+                length=node.length,
+                parent=parent
+            )
+            yield match
+            for child in reversed(node.children):
+                stack.append((child, match))
+
+    @classmethod
+    def load(cls, obj: Any) -> "Node":
+        ancestors: List[Tuple[Any, Optional[Tuple[Node, ...]]]] = [
+            (obj, None)
+        ]
+        children: Optional[Tuple[Node, ...]]
+        while True:
+            obj, children = ancestors.pop()
+            if children is None:
+                if hasattr(obj, "children") and obj.children:
+                    ancestors.append((obj, ()))
+                    ancestors.extend((child, None) for child in reversed(obj.children))
+                    continue
+                children = ()
+            if not hasattr(obj, "name"):
+                raise ValueError(f"{obj!r} does not have a `name` attribute!")
+            name: str = obj.name
+            if hasattr(obj, "value"):
+                value: Union[Optional[bytes], str] = obj.value
+            else:
+                value = None
+            if isinstance(value, str):
+                value = value.encode("utf-8")
+            if hasattr(obj, "offset"):
+                offset: Optional[int] = obj.offset
+            else:
+                offset = None
+            if hasattr(obj, "length") and (value is None or obj.length >= len(value)):
+                length: Optional[int] = obj.length
+            else:
+                length = None
+            older_sibling: Optional[Node] = None
+            for reversed_parent_index, (parent, siblings) in enumerate(reversed(ancestors)):
+                if siblings is not None:
+                    if siblings:
+                        older_sibling: Optional[Node] = siblings[-1]
+                    break
+            else:
+                assert not ancestors
+            node = cls(name=name, value=value, offset=offset, length=length, older_sibling=older_sibling,
+                       children=children)
+            if not ancestors:
+                return node
+            ancestors[len(ancestors) - reversed_parent_index - 1] = parent, siblings + (node,)

polyfile/http/__init__.py

@@ -0,0 +1 @@
+from .matcher import parse_http_11

polyfile/http/defacto.py

@@ -0,0 +1,37 @@
+from abnf.grammars.misc import load_grammar_rules
+from abnf.grammars import rfc9110, rfc3986
+from abnf import Rule as _Rule
+from typing import List, Tuple
+
+inherited_rulelist: List[Tuple[str, _Rule]] = [
+    ("ipv4", rfc3986.Rule("IPv4address")),
+    ("ipv6", rfc3986.Rule("IPv6address")),
+    ("uri-host", rfc9110.Rule("uri-host")),
+]
+
+
+@load_grammar_rules(inherited_rulelist)
+class Rule(_Rule):
+    """A place to define *hop-by-hop* headers which do not have an RFC or other standard, but are in common use. As linked, these definitions are primarily based on Mozilla documentation for now.
+
+    These are highly worth parsing and examining since they can be spoofed and are untrustworthy if not added by a reverse proxy on a hop-by-hop request path.
+
+    There are several variants on X-Forwarded-Proto header included.
+    """
+
+    grammar: List[str] = [
+        'defacto-header = "X-Forwarded-For:" OWS X-Forwarded-For OWS / "X-Forwarded-Host:" OWS X-Forwarded-Host OWS / "X-Forwarded-Proto:" OWS X-Forwarded-Proto OWS / "Front-End-Https:" OWS Front-End-Https OWS / "X-Forwarded-Protocol:" OWS X-Forwarded-Protocol OWS / "X-Forwarded-Ssl:" OWS X-Forwarded-Ssl OWS / "X-Url-Scheme:" OWS X-Url-Scheme OWS',
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For
+        'X-Forwarded-For = xff-client *( 0*1SP "," 0*1SP xff-proxy )',
+        "xff-client = ipv4 / ipv6",
+        "xff-proxy = ipv4 / ipv6",
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host - value should be the domain name of the forwarded server
+        "X-Forwarded-Host = uri-host",
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto
+        'proto = "http" / "https"',
+        "X-Forwarded-Proto = proto",
+        'Front-End-Https = "on"',
+        "X-Forwarded-Protocol = proto",
+        'X-Forwarded-Ssl = "on"',
+        "X-Url-Scheme = proto",
+    ]

polyfile/http/deprecated.py

@@ -0,0 +1,51 @@
+from abnf.grammars.misc import load_grammar_rules
+from abnf.grammars import rfc9110, rfc3986, rfc9111
+from abnf import Rule as _Rule
+from typing import List, Tuple
+
+inherited_rulelist: List[Tuple[str, _Rule]] = [
+    ("Accept-Charset", rfc9110.Rule("Accept-Charset")),
+    ("Authentication-Info", rfc9110.Rule("Authentication-Info")),
+    ("token", rfc9110.Rule("token")),
+    ("quoted-string", rfc9110.Rule("quoted-string")),
+    ("HTTP-date", rfc9110.Rule("HTTP-date")),
+    ("Host", rfc9110.Rule("Host")),
+]
+
+
+@load_grammar_rules(inherited_rulelist)
+class Rule(_Rule):
+    """
+    Request headers which are in general deprecated by modern browsers, but may still be included from spoofed user agents or unusual user agents.
+    """
+
+    grammar: List[str] = [
+        'deprecated-header = "Accept-Charset:" OWS Accept-Charset OWS / "Authentication-Info:" OWS Authentication-Info OWS / "DNT:" OWS DNT OWS / "DPR:" OWS DPR OWS / "Expect-CT:" OWS Expect-CT OWS / "Pragma:" OWS Pragma OWS / "Viewport-Width:" OWS Viewport-Width OWS / "Warning:" OWS Warning OWS / "Width:" OWS Width OWS',
+        # https://www.w3.org/TR/tracking-dnt/#dnt-header-field
+        'DNT = ( "0" / "1" ) *DNT-extension',
+        # DNT-extension excludes CTL, SP, DQUOTE, comma, backslash
+        "DNT-extension = %x21 / %x23-2B / %x2D-5B / %x5D-7E",
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/DPR
+        'DPR = 1*DIGIT "." 1*DIGIT',
+        # https://www.rfc-editor.org/rfc/rfc9163#section-2.1
+        'Expect-CT           = expect-ct-directive *( OWS "," OWS expect-ct-directive )',
+        'expect-ct-directive = directive-name [ "=" directive-value ]',
+        "directive-name      = token",
+        "directive-value     = token / quoted-string",
+        # https://httpwg.org/specs/rfc9111.html#field.pragma
+        'Pragma = "no-cache"',
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Viewport-Width
+        # The width of the user's viewport in CSS pixels, rounded up to the nearest integer.
+        "Viewport-Width = 1*DIGIT",
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Warning
+        "Warning = warn-code warn-agent warn-text *warn-date",
+        # https://www.iana.org/assignments/http-warn-codes/http-warn-codes.xhtml
+        'warn-code = "110" / "111" / "112" / "113" / "199" / "214" / "299"',
+        "warn-agent = Host / pseudonym",
+        "warn-text = quoted-string",
+        "warn-date = HTTP-date",
+        "pseudonym = token",
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Width
+        # The width of the resource in physical pixels, rounded up to the nearest integer.
+        "Width = 1*DIGIT",
+    ]

polyfile/http/experimental.py

@@ -0,0 +1,67 @@
+from abnf.grammars.misc import load_grammar_rules
+from abnf.grammars import rfc9110, rfc3986
+from . import structured_headers
+from abnf import Rule as _Rule
+from typing import List, Tuple
+
+rulelist: List[Tuple[str, _Rule]] = [
+    ("OWS", rfc9110.Rule("OWS")),
+    ("sh-list", structured_headers.Rule("sh-list")),
+    ("sh-string", structured_headers.Rule("sh-string")),
+    ("sh-decimal", structured_headers.Rule("sh-decimal")),
+    ("sh-boolean", structured_headers.Rule("sh-boolean")),
+]
+
+
+@load_grammar_rules(rulelist)
+class Rule(_Rule):
+    """Request headers defined as 'experimental' by the Mozilla developer documentation, which have partial cross browser support.
+
+    Many of these headers convey client hints (indicated by the CH segment in some, but not all, related header names).
+
+    Most of these also require only simple ABNF to string together the values, so they are collected here for brevity.
+    """
+
+    grammar: List[str] = [
+        'experimental-header = "Device-Memory:" OWS Device-Memory OWS / "Downlink:" OWS Downlink OWS / "Early-Data:" OWS Early-Data OWS / "ECT:" OWS ECT OWS / "RTT:" OWS RTT OWS / "Save-Data:" OWS Save-Data OWS / "Sec-CH-UA-Arch:" OWS Sec-CH-UA-Arch OWS / "Sec-CH-UA-Bitness:" OWS Sec-CH-UA-Bitness OWS / "Sec-CH-UA-Form-Factor:" OWS Sec-CH-UA-Form-Factor / "Sec-CH-UA-Full-Version:" OWS Sec-CH-UA-Full-Version OWS / "Sec-CH-UA-Full-Version-List:" OWS Sec-CH-UA-Full-Version-List OWS / "Sec-CH-UA-Mobile:" OWS Sec-CH-UA-Mobile OWS / "Sec-CH-UA-Model:" OWS Sec-CH-UA-Model OWS / "Sec-CH-UA-Platform:" OWS Sec-CH-UA-Platform OWS / "Sec-CH-UA-Platform-Version:" OWS Sec-CH-UA-Platform-Version OWS / "Sec-GPC:" OWS Sec-GPC OWS / "Sec-CH-Prefers-Reduced-Motion:" OWS Sec-CH-Prefers-Reduced-Motion OWS',
+        # https://www.w3.org/TR/device-memory/#iana-device-memory
+        'Device-Memory = "0.25" / "0.5" / "1" / "2" / "4" / "8"',
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Downlink
+        # https://wicg.github.io/netinfo/#dom-networkinformation-downlink
+        "Downlink = sh-decimal",
+        # https://httpwg.org/specs/rfc8470.html#header
+        'Early-Data = "1"',
+        # https://wicg.github.io/netinfo/#ect-request-header-field
+        'ECT = "2g" / "3g" / "4g" / "slow-2g"',
+        # https://wicg.github.io/netinfo/#rtt-request-header-field
+        "RTT = 1*DIGIT",
+        # https://wicg.github.io/savedata/#save-data-request-header-field TODO Structured Headers RFC for sh-list
+        'Save-Data = "on" / sh-list',
+        # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-CH-UA
+        # TODO sf-list vs sh-list
+        "Sec-CH-UA = sh-list",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-arch
+        "Sec-CH-UA-Arch = sh-string",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-bitness
+        "Sec-CH-UA-Bitness = sh-string",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-form-factor
+        "Sec-CH-UA-Form-Factor = sh-string",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-full-version
+        "Sec-CH-UA-Full-Version = sh-string",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-full-version-list
+        "Sec-CH-UA-Full-Version-List = sh-list",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-mobile
+        "Sec-CH-UA-Mobile = sh-boolean",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-model
+        "Sec-CH-UA-Model = sh-string",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-platform
+        "Sec-CH-UA-Platform = sh-string",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-platform-version
+        "Sec-CH-UA-Platform-Version = sh-string",
+        # https://wicg.github.io/ua-client-hints/#sec-ch-ua-wow64
+        "Sec-CH-UA-WoW64 = sh-boolean",
+        # https://privacycg.github.io/gpc-spec/#the-sec-gpc-header-field-for-http-requests
+        'Sec-GPC = "1"',
+        # https://wicg.github.io/user-preference-media-features-headers/#sec-ch-prefers-reduced-motion
+        'Sec-CH-Prefers-Reduced-Motion = "no-preference" / "reduce"',
+    ]