Updated rule-RequestParamToHeader.yml
Updated rule-RequestParamToHeader.yml sanitizer regex to identify carriage return and line feed characters, added sinks and generalized namespaces.
Issue - gitlab-org/gitlab#433047 (closed)
Findings -
- Tomcat versions above 8.0 adhere to the HTTP/1.1 standard, so they do not allow \r\n in header values. (https://bz.apache.org/bugzilla/show_bug.cgi?id=45180) (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html)
- Got the error below on Tomcat:
  `Invalid character found in the request target [/Servlets-Sample/RequestParamToHeader?input=test\r\ning&type=d ]. The valid characters are defined in RFC 7230 and RFC 3986`
- It is intriguing to note that during testing with Jetty 9.4, \r\n was observed to be permissible in header values, even though cookies did not allow values containing \r\n. For cookies with \r\n values, the error below was returned:
  `RFC6265 Cookie values may not contain character: [\]`
Conclusion - Vulnerability is heavily dependent on the deployed container.
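As an added example (not code from this MR, from the sast-rules project, or from the Servlets-Sample app the findings refer to), the source-to-sink shape the rule targets in its vulnerable form beside a CR/LF check of the kind the updated sanitizer regex is meant to recognise. The servlet path, the header name and the `type`/`mode` parameter names are assumptions, and the file needs the javax.servlet API on the classpath (use the jakarta.servlet imports on Servlet 5+ containers).

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example; not code from this MR, the sast-rules project or the
// Servlets-Sample app. The servlet path, the header name and the
// "type"/"mode" parameter names are assumptions.
@WebServlet("/RequestParamToHeaderExample")
public class RequestParamToHeaderExample extends HttpServlet {

    // A single CR or LF is enough to terminate a header line on a lenient
    // parser, so the check is a character class, not a match on the "\r\n"
    // pair only.
    private static final Pattern CR_OR_LF = Pattern.compile("[\\r\\n]");

    // Vulnerable shape: the request parameter reaches the header sink
    // unchanged. Whether this is exploitable depends on the container, as the
    // MR concludes; on one that forwards the value as-is, a request such as
    //   ?mode=vuln&type=d%0d%0aSet-Cookie:%20sid=attacker
    // turns one response header into two.
    static void setHeaderUnchecked(HttpServletResponse response, String type) {
        response.setHeader("X-Content-Type-Hint", type);
    }

    // The sanitizer: true only when the value is non-null and contains neither
    // CR nor LF. A check of this shape is what a CR/LF sanitizer regex lets a
    // rule recognise on the path from source to sink.
    static boolean isSafeHeaderValue(String value) {
        return value != null && !CR_OR_LF.matcher(value).find();
    }

    // Hardened shape: reject rather than strip, so a tampered value never
    // reaches setHeader in any form. Returns false when the request was refused.
    static boolean setHeaderChecked(HttpServletResponse response, String type)
            throws IOException {
        if (!isSafeHeaderValue(type)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                               "header value must not contain CR or LF");
            return false;
        }
        response.setHeader("X-Content-Type-Hint", type);
        return true;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String type = request.getParameter("type");
        boolean headerSet;
        if ("vuln".equals(request.getParameter("mode"))) {
            setHeaderUnchecked(response, type);            // what the rule should flag
            headerSet = true;
        } else {
            headerSet = setHeaderChecked(response, type);  // what the sanitizer clears
        }
        // Only write a body if the response was not already committed by sendError.
        if (headerSet) {
            response.setContentType("text/plain");
            response.getWriter().println("ok");
        }
    }
}
```

The exact regex in rule-RequestParamToHeader.yml is not reproduced here; the point of the example is that the check on the sanitized path must match a lone CR or LF, and that the unchecked path is the one a taint rule should still report even on a container such as Tomcat that happens to refuse the request, since the code itself is container-independent.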