Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix http splitting vulnerabilities #24004

Merged
merged 1 commit into from
Dec 16, 2024
Merged

Fix http splitting vulnerabilities #24004

merged 1 commit into from
Dec 16, 2024

Conversation

auden-woolfson
Copy link
Contributor

@auden-woolfson auden-woolfson commented Nov 11, 2024
edited
Loading

Description

Dealing with vulnerabilities found in static scan labeled http splitting vulnerability

https://cwe.mitre.org/data/definitions/113.html

== RELEASE NOTES ==

General Changes
* Throw exception on invalid http headers in async page transport servlet. :pr:`24004`

@auden-woolfson auden-woolfson requested a review from a team as a code owner November 11, 2024 22:25
@auden-woolfson auden-woolfson changed the title fix AsyncPageTransportServlet issues fix http splitting vulnerabilities Nov 11, 2024
@steveburnett
Copy link
Contributor

Thanks for the release note entry! Suggest revising to follow the Order of changes in the Release Notes Guidelines. Maybe something like?

== RELEASE NOTES ==

General Changes
* Improve HTTP responses from async page transport servlet, by sanitizing the URI before use. :pr:`24004`

Please revise my suggestion if my phrasing doesn't correctly describe the work you've done.

@auden-woolfson auden-woolfson force-pushed the fix_http_splitting_vulnerabilities branch from a2f47a6 to d6b4b9e Compare November 19, 2024 19:34
@auden-woolfson auden-woolfson changed the title fix http splitting vulnerabilities Fix http splitting vulnerabilities Nov 19, 2024
@auden-woolfson auden-woolfson force-pushed the fix_http_splitting_vulnerabilities branch from d6b4b9e to 8090138 Compare November 21, 2024 21:04
@tdcmeehan tdcmeehan added the from:IBM PR from IBM label Nov 22, 2024
@prestodb-ci prestodb-ci requested review from a team, pdabre12 and czentgr and removed request for a team November 22, 2024 16:00
ZacBlanco
ZacBlanco requested changes Dec 3, 2024
View reviewed changes
Copy link
Contributor

@ZacBlanco ZacBlanco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to write a test which can verify the new behavior?

@auden-woolfson auden-woolfson force-pushed the fix_http_splitting_vulnerabilities branch from bbcb63e to a329169 Compare December 3, 2024 22:14
pdabre12
pdabre12 reviewed Dec 10, 2024
View reviewed changes
Copy link
Contributor

@pdabre12 pdabre12 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @auden-woolfson.
I have an initial comment.

presto-main/src/main/java/com/facebook/presto/server/AsyncPageTransportServlet.java Outdated Show resolved Hide resolved
@auden-woolfson auden-woolfson force-pushed the fix_http_splitting_vulnerabilities branch 2 times, most recently from 194475e to b3bd151 Compare December 12, 2024 19:02
ZacBlanco
ZacBlanco previously approved these changes Dec 12, 2024
View reviewed changes
Copy link
Contributor

@ZacBlanco ZacBlanco left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this approach is fine, but I wonder how much overhead this has. I'm curious about the impact on request throughput now that we're doing this additional header validation. I'm sure it won't be too high, but if we somehow happen to be sending tons of headers, it could slow things down. A microbenchmark would be nice, but not necessary

pdabre12
pdabre12 previously approved these changes Dec 12, 2024
View reviewed changes
Copy link
Contributor

@pdabre12 pdabre12 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, please squash the commits.

@auden-woolfson auden-woolfson force-pushed the fix_http_splitting_vulnerabilities branch from 97ec9ff to 1b5b26e Compare December 12, 2024 20:22
@ZacBlanco
Copy link
Contributor

The release note doesn't seem quite accurate

  • Improve HTTP responses from async page transport servlet, by sanitizing the URI before use. :pr:24004

We're not really "sanitizing" since we throw an exception. Also, we check the headers only, not the URI. Can you please update it to match? Additionally, is there an associated CVE for this? Or was this some generic check by the security scan? If there is a CVE related, please reference/link it

@auden-woolfson auden-woolfson force-pushed the fix_http_splitting_vulnerabilities branch from 1b5b26e to 11c896f Compare December 12, 2024 22:41
@auden-woolfson auden-woolfson force-pushed the fix_http_splitting_vulnerabilities branch from 11c896f to 1b8716d Compare December 13, 2024 19:13
@tdcmeehan tdcmeehan merged commit 6bce6c2 into prestodb:master Dec 16, 2024
57 checks passed
This was referenced Jan 28, 2025
Merged
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@czentgr czentgr czentgr left review comments

@ZacBlanco ZacBlanco ZacBlanco approved these changes

@tdcmeehan tdcmeehan tdcmeehan approved these changes

@pdabre12 pdabre12 pdabre12 approved these changes

@presto-oss presto-oss Awaiting requested review from presto-oss presto-oss is a code owner automatically assigned from prestodb/committers

@jaystarshot jaystarshot Awaiting requested review from jaystarshot jaystarshot is a code owner

@feilong-liu feilong-liu Awaiting requested review from feilong-liu feilong-liu is a code owner

@elharo elharo Awaiting requested review from elharo elharo is a code owner

@ClarenceThreepwood ClarenceThreepwood Awaiting requested review from ClarenceThreepwood ClarenceThreepwood is a code owner

Assignees
No one assigned
Labels
from:IBM PR from IBM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@auden-woolfson @steveburnett @ZacBlanco @tdcmeehan @pdabre12 @czentgr