DefaultHTTPUtility uses hard coded Header name/value lengths #656
Comments
|
I genuinely thought I had found all the ways that was being set. Kinda crazy it took 4yrs for someone to bring up. |
|
@Criptak - Good catch. |
|
Yeah, I'll try to take a deeper sweep to see if there's anything else I might have missed. And of course yes, I'll get them under test. |
|
FWIW I thought I had done a grep for "addHeader" and so I feel I should have snagged this one. |
|
Hi, |
|
It'll be changed to be user-configurable. I will bump the default value to 1024--somewhat arbitrary but in my experience cookies larger than 500 chars are rare. I question cookie lengths of 5K as you're suggesting. That sounds like something weird is going on. But the limit will be configurable so if you want 5000 you can set it. |
|
I think there is a maximum length for all the cookies...something around 4K IIRC. So if you set something like 5000 per cookie, you're probably only asking for trouble. I suggest making it pick up the values from ESAPI's properties (Validator.HTTPCookieName, and Validator.HTTPCookieValue). You may also want to change the regex for Validator.HTTPCookieName to bump the max cookie length from 32 to 50. |
|
Okay so @Criptak and @kwojcikowski --Just so we're clear, the current codebase says this:
So, I'm thinking that if you update to use the most recent version of ESAPI, you are already covered. @kwwall just so you know we've had a default max cookie value of 4096 going back at least 12yrs. (I didn't push further than that.) See line 41 in HTTPUtilities.java. |
|
I think (at least 12 years ago), 4K was the limitation for most browsers and was taken from RFC 2109. That # may have changed. The latest (draft) RFC for "HTTP State Management" is RFC 6265. Also, I grepped for MAX_COOKIE_LEN and the only place we use that is when dealing with encrypted cookies in the DefaultHTTPUtilities.encryptStateInCookie(). Was a bit surprised that was the only place that 4K value seems to be reflected. |
|
I found the same thing, I wasn't sure if you felt that should be parameterized or left compilation-only for crypto purposes? |
|
If we start using it more widely, it definitely should be parameterized. We should also look at the RFC to see if the value has increased. It likely has. |
…663) * Signed key history for MATT SEIL begins here. * Signed key history for MATT SEIL begins here. Fixed email typo. * Revert "Signed key history for MATT SEIL begins here. Fixed email typo." This reverts commit 87c4c4e. * created file on main. * Deleted foo.txt * #661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'. * Updated to AntiSamy 1.6.5. * Revert "#661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'." This reverts commit 9fa2a53. * #656 --> Parameterized cookie name length and value to correspond with the HTTP maxes defined in esapi.properties. * Adjusted regex to allow for zero-length matches. * Added per review comments for PR #663 Co-authored-by: Matt Seil <xeno6696[at]gmail.com>
|
Hi @xeno6696, |
|
@kwojcikowski I'll get those propagated as well, there were a few spots where that got missed. Appreciate the assist. |
|
Yeah, the HTTPUtilities class didn't have any unit tests, the only ones that exist now are ones that I built back when I made this initial parameterization adjustment. Clearly I felt rushed. I will generate another issue to ensure that the whole class is properly tested. Much of this had to be mocked, and so it'll also be good to review my old tests to ensure they're actually testing things. I'm always cautious with mocks. |
|
I'm gonna take that back. It had some unit tests, using mock classes. (back before Mockito/PowerMock.) The tests feel muddy here. There's functionality getting tested in HTTPUtilitiesTest that should probably be back in the Validator tests. Not sure I want to tackle that as part of this issue however. |
|
So mocking the addHeader from the HTTPUtilities test is a bit much in regards to mock setup, but the following unit test covers what we're after. |
* Signed key history for MATT SEIL begins here. * Signed key history for MATT SEIL begins here. Fixed email typo. * Revert "Signed key history for MATT SEIL begins here. Fixed email typo." This reverts commit 87c4c4e. * created file on main. * Deleted foo.txt * Bump release to new patch version #. * #661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'. * Updated to AntiSamy 1.6.5. * Revert "#661 Added ability to generate OSGi metadata with the command 'mvn org.apache.felix:maven-bundle-plugin:manifest'." This reverts commit 9fa2a53. * #656 --> Parameterized cookie name length and value to correspond with the HTTP maxes defined in esapi.properties. * Adjusted regex to allow for zero-length matches. * Added per review comments for PR #663 * #656 Finished sweep looking for headername, headervalue, and header value sizes as well as the 'Cookie' versions of those statements. Added unit tests. * #663 Fixed a missed unit test. * Antisamy 1.6.6, Antisamy regression test for analysis 1. A handful of new regression tests for other purposes in validation and encoder tests. * Attempting to fix classfile differences with antisamy dependencies. * Fixed typo on exclusion. * Added xerces exclusion to antisamy in the pom.xml * Added test cases 2 & 3. * Added test cases 2 & 3. @ignore on test case 3 from AntiSamy as the DOS is still present. * Forced my version to match Wichers. * Added a pair of unit tests for canoncialization to prove out an issue opened up on github. One of which however reminded me that we need a codec to account for UTF-8 encoding/decoding. Co-authored-by: Matt Seil <xeno6696[at]gmail.com> Co-authored-by: kwwall <kevin.w.wall@gmail.com>
Generates an error when adding a
headerviaDefaultHTTPUtilities:org.owasp.esapi.errors.ValidationException: addHeader: Invalid input. The maximum length of 20 characters was exceeded.
esapi-java-legacy/src/main/java/org/owasp/esapi/reference/DefaultHTTPUtilities.java
Line 240 in 19e8341
The DefaultHTTPUtility uses hard coded Header name/value lengths rather than reference the
MaxHeaderNameSizeandMaxHeaderValueSizeset in properties. This should either be updated to reference the SecurityConfiguration similar to the SecurityWrapperResponse,esapi-java-legacy/src/main/java/org/owasp/esapi/filters/SecurityWrapperResponse.java
Line 182 in 19e8341
The text was updated successfully, but these errors were encountered: