Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block requests with multiple Host headers #1060

Merged
merged 3 commits into from
May 26, 2021
Merged

Block requests with multiple Host headers #1060

merged 3 commits into from
May 26, 2021

Conversation

jfernandez
Copy link
Contributor

No description provided.

carl-mastrangelo
carl-mastrangelo reviewed May 12, 2021
View reviewed changes
zuul-core/src/main/java/com/netflix/zuul/netty/server/ClientRequestReceiver.java Outdated
} else if (zuulRequest.getHeaders().getAll(HttpHeaderNames.HOST.toString()).size() > 1) {
LOG.debug(
"Duplicate Host headers. clientRequest = {} , uri = {}, info = {}",
clientRequest.toString(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/.toString()//

carl-mastrangelo
carl-mastrangelo approved these changes May 12, 2021
View reviewed changes
Copy link
Contributor

@carl-mastrangelo carl-mastrangelo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

argha-c
argha-c reviewed May 12, 2021
View reviewed changes
zuul-core/src/main/java/com/netflix/zuul/netty/server/ClientRequestReceiver.java
zuulRequest.getContext(),
ZuulStatusCategory.FAILURE_CLIENT_BAD_REQUEST);
zuulRequest.getContext().setError(ze);
zuulRequest.getContext().setShouldSendErrorResponse(true);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will continue the filter chain processing, and actually write a response to the client.
Is that desirable?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I believe so, but interested in hearing your thoughts. The other option would be to close the connection without a response (we do this a few lines above). It seems best to let the client know what they did wrong.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not aware of a good spec for this case.
My general preference is to not continue filter processing and expend resources writing back a response, when we treat a request as malicious.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this change, I'm inclined to provide the client a 400 response given that it could impact non-malicious requests. For example, a client or upstream proxy may be accidentally adding the Host header twice. Closing the connection without a response would make it very difficult to troubleshoot this change when it rolls out. I think the better client experience outweighs the extra resource spend here.

@jfernandez jfernandez changed the title Block requests with duplicate Host headers Block requests with multiple Host headers May 26, 2021
argha-c
argha-c reviewed May 26, 2021
View reviewed changes
zuul-core/src/main/java/com/netflix/zuul/netty/server/ClientRequestReceiver.java
@@ -159,6 +158,19 @@ private void channelReadInternal(final ChannelHandlerContext ctx, Object msg) th
ZuulStatusCategory.FAILURE_CLIENT_BAD_REQUEST);
zuulRequest.getContext().setError(ze);
zuulRequest.getContext().setShouldSendErrorResponse(true);
} else if (zuulRequest.getHeaders().getAll(HttpHeaderNames.HOST.toString()).size() > 1) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be HOST.getName()

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

HOST is an AsciiString, that method doesn't resolve for it.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

edit: com.netflix.zuul.message.http.HttpHeaderNames

@jfernandez jfernandez merged commit 849a388 into Netflix:master May 26, 2021
@jfernandez jfernandez deleted the jfernandez/duplicate-host-headers branch May 26, 2021 21:17
@sullis sullis mentioned this pull request Mar 26, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@argha-c argha-c argha-c approved these changes

@carl-mastrangelo carl-mastrangelo carl-mastrangelo approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jfernandez @argha-c @carl-mastrangelo