Skip to content

DB-4068 cherry-pick upstream HttpRequest/ObjectDecoder fixes (4.1.34/bdp master) #21

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Apr 8, 2020
Merged

DB-4068 cherry-pick upstream HttpRequest/ObjectDecoder fixes (4.1.34/bdp master) #21

merged 5 commits into from
Apr 8, 2020

Conversation

dalaro
Copy link

@dalaro dalaro commented Mar 30, 2020

https://datastax.jira.com/browse/DB-4068

This is similar to #20, except this PR skips the first two cherries in that one's sequence (already applied upstream between 4.1.25 and 4.1.34).

idelpivnitskiy and others added 4 commits March 30, 2020 13:46
@idelpivnitskiy @dalaro
Use AppendableCharSequence.charAtUnsafe(int) in HttpObjectDecoder (
7eac8fb 
…netty#9492)

Motivation:

`HttpObjectDecoder` pre-checks that it doesn't request characters
outside of the `AppendableCharSequence`'s length. `0` is always allowed
because the minimal length of `AppendableCharSequence` is `1`. We can
legally skip index check by using
`AppendableCharSequence.charAtUnsafe(int)` in all existing cases in
`HttpObjectDecoder`.

Modifications:

- Use `AppendableCharSequence.charAtUnsafe(int)` instead of
`AppendableCharSequence.charAt(int)` in `HttpObjectDecoder`.

Result:

No unnecessary index checks in `HttpObjectDecoder`.

(cherry picked from commit 85fcf4e)
@normanmaurer @dalaro
Correctly handle whitespaces in HTTP header names as defined by RFC72…
55b7c07 
…30#section-3.2.4 (netty#9585)

Motivation:

When parsing HTTP headers special care needs to be taken when a whitespace is detected in the header name.

Modifications:

- Ignore whitespace when decoding response (just like before)
- Throw exception when whitespace is detected during parsing
- Add unit tests

Result:

Fixes netty#9571

(cherry picked from commit 39cafcb)
@normanmaurer @dalaro
Detect missing colon when parsing http headers with no value (netty#9871
18ce1ac 
)

Motivation:

Technical speaking its valid to have http headers with no values so we should support it. That said we need to detect if these are "generated" because of an "invalid" fold.

Modifications:

- Detect if a colon is missing when parsing headers.
- Add unit test

Result:

Fixes netty#9866

(cherry picked from commit a7c18d4)
@normanmaurer @dalaro
Verify we do not receive multiple content-length headers or a content…
db07502 
…-length and transfer-encoding: chunked header when using HTTP/1.1 (netty#9865)

Motivation:

RFC7230 states that we should not accept multiple content-length headers and also should not accept a content-length header in combination with transfer-encoding: chunked

Modifications:

- Check for multiple content-length headers and if found mark message as invalid
- Check if we found a content-length header and also a transfer-encoding: chunked and if so mark the message as invalid
- Add unit test

Result:

Fixes netty#9861

(cherry picked from commit 8494b04)
@dalaro dalaro changed the title DB-4068 cherry-pick upstream HttpRequest/ObjectDecoder fixes (4.1.25/bdp master) DB-4068 cherry-pick upstream HttpRequest/ObjectDecoder fixes (4.1.34/bdp master) Mar 30, 2020
jtgrabowski
jtgrabowski reviewed Apr 3, 2020
View reviewed changes
Copy link

@jtgrabowski jtgrabowski left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 once all the references to old version (4.1.34.2.dse) are changed

@dalaro
Version bump to 4.1.34.3.dse
55207c3 
Compared against 4.1.34.2.dse, this tag cherry-picks upstream commits
that fixed bugs in HttpObjectDecoder/HttpRequestDecoder, plus two
intermediate refactoring commits that indirectly affect those bugfix
commits.

What follows is a list of PR links, issue links, CVE links, and hashes
associated with the cherry-picked commits.

Verify we do not receive multiple content-length headers or a content-length and transfer-encoding: chunked header when using HTTP/1.1 (netty#9865)
	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7238
	netty#9861
	netty#9865

	8494b04

Detect missing colon when parsing http headers with no value (netty#9871)
	https://nvd.nist.gov/vuln/detail/CVE-2019-20444
	netty#9866
	netty#9871

	a7c18d4

Fix typos in javadocs (netty#9527)
	skipped

Correctly handle whitespaces in HTTP header names as defined by RFC7230#section-3.2.4 (netty#9585)
	https://nvd.nist.gov/vuln/detail/CVE-2019-16869
	netty#9571
	netty#9585

	39cafcb

Use `AppendableCharSequence.charAtUnsafe(int)` in `HttpObjectDecoder` (netty#9492)
	netty#9492

	85fcf4e
@dalaro dalaro force-pushed the dse-netty-4.1.34.Final-with-DB-4068 branch from 6cfbaf3 to 55207c3 Compare April 7, 2020 11:33
@dalaro
Copy link
Author

dalaro commented Apr 7, 2020

I've force-pushed an amended tip-commit updating the bom/pom.xml <version> and deleting <scm><tag> versions. This amendment is structurally identical to the one described here: #22 (comment).

@jtgrabowski jtgrabowski merged commit e50eb60 into riptano:dse-netty-4.1.34.Final Apr 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jtgrabowski jtgrabowski jtgrabowski left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dalaro @jtgrabowski @idelpivnitskiy @normanmaurer