Merge pull request from GHSA-84j7-475p-hp8v

nateberkopec · web-flow · commit c36491756f68 · 2020-02-27T11:52:27.000-06:00
header value could inject a CR or LF and inject their own HTTP response.
diff --git a/benchmarks/wrk/hello.sh b/benchmarks/wrk/hello.sh
@@ -3,6 +3,6 @@
 bundle exec bin/puma -t 4 test/rackup/hello.ru &
 PID1=$!
 sleep 5
-wrk -c 4 --latency http://localhost:9292
+wrk -c 4 -d 30 --latency http://localhost:9292
 
 kill $PID1
diff --git a/benchmarks/wrk/many_long_headers.sh b/benchmarks/wrk/many_long_headers.sh
@@ -0,0 +1,6 @@
+bundle exec bin/puma -t 4 test/rackup/many_long_headers.ru &
+PID1=$!
+sleep 5
+wrk -c 4 -d 30 --latency http://localhost:9292
+
+kill $PID1
diff --git a/benchmarks/wrk/realistic_response.sh b/benchmarks/wrk/realistic_response.sh
@@ -0,0 +1,6 @@
+bundle exec bin/puma -t 4 test/rackup/realistic_response.ru &
+PID1=$!
+sleep 5
+wrk -c 4 -d 30 --latency http://localhost:9292
+
+kill $PID1
diff --git a/lib/puma/const.rb b/lib/puma/const.rb
@@ -228,6 +228,7 @@ module Const
     COLON = ": ".freeze
 
     NEWLINE = "\n".freeze
+    CRLF_REGEX = /[\r\n]/.freeze
 
     HIJACK_P = "rack.hijack?".freeze
     HIJACK = "rack.hijack".freeze
diff --git a/lib/puma/server.rb b/lib/puma/server.rb
@@ -686,6 +686,8 @@ def handle_request(req, lines)
           status, headers, res_body = @app.call(env)
 
           return :async if req.hijacked
+          # Checking to see if an attacker is trying to inject headers into the response
+          headers.reject! { |_k, v| CRLF_REGEX =~ v.to_s }
 
           status = status.to_i
 
diff --git a/test/rackup/many_long_headers.ru b/test/rackup/many_long_headers.ru
@@ -0,0 +1,9 @@
+require 'securerandom'
+
+long_header_hash = {}
+
+30.times do |i|
+  long_header_hash["X-My-Header-#{i}"] = SecureRandom.hex(1000)
+end
+
+run lambda { |env| [200, long_header_hash, ["Hello World"]] }
diff --git a/test/rackup/realistic_response.ru b/test/rackup/realistic_response.ru
@@ -0,0 +1,11 @@
+require 'securerandom'
+
+long_header_hash = {}
+
+25.times do |i|
+  long_header_hash["X-My-Header-#{i}"] = SecureRandom.hex(25)
+end
+
+response = SecureRandom.hex(100_000) # A 100kb document
+
+run lambda { |env| [200, long_header_hash.dup, [response.dup]] }
diff --git a/test/test_puma_server.rb b/test/test_puma_server.rb
@@ -771,4 +771,23 @@ def test_open_connection_wait_no_queue
     @server = Puma::Server.new @app, @events, queue_requests: false
     test_open_connection_wait
   end
+
+  # https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16
+  def test_prevent_response_splitting_headers
+    server_run app: ->(_) { [200, {'X-header' => "malicious\r\nCookie: hack"}, ["Hello"]] }
+    data = send_http_and_read "HEAD / HTTP/1.0\r\n\r\n"
+    refute_match 'hack', data
+  end
+
+  def test_prevent_response_splitting_headers_cr
+    server_run app: ->(_) { [200, {'X-header' => "malicious\rCookie: hack"}, ["Hello"]] }
+    data = send_http_and_read "HEAD / HTTP/1.0\r\n\r\n"
+    refute_match 'hack', data
+  end
+
+  def test_prevent_response_splitting_headers_lf
+    server_run app: ->(_) { [200, {'X-header' => "malicious\nCookie: hack"}, ["Hello"]] }
+    data = send_http_and_read "HEAD / HTTP/1.0\r\n\r\n"
+    refute_match 'hack', data
+  end
 end
