
Updated rule-RequestParamToHeader.yml

Chathumina Vimukthi requested to merge feat/issue-433047/RequestParamToHeader into main

Updated rule-RequestParamToHeader.yml sanitizer regex to identify carriage return and line feed characters, added sinks and generalized namespaces.

Issue - gitlab-org/gitlab#433047 (closed)

Findings -

  • Tomcat versions above 8.0 adhere to the HTTP/1.1 standard, so it would not allow \r\n in header values. (https://bz.apache.org/bugzilla/show_bug.cgi?id=45180) (https://tomcat.apache.org/tomcat-8.5-doc/config/http.html)
  • Got the error below on Tomcat: Invalid character found in the request target [/Servlets-Sample/RequestParamToHeader?input=test\\r\\ning&type=d ]. The valid characters are defined in RFC 7230 and RFC 3986
  • It’s intriguing to note that during testing with Jetty 9.4, it was observed that \r\n was permissible in header values, even though cookies did not allow values with \r\n. For cookies with \r\n values, got the error below: RFC6265 Cookie values may not contain character: \[\\\]

Conclusion - Vulnerability is heavily dependent on the deployed container.
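As an added illustration (not code from this MR or from the gitlab-org rule set) of the pattern rule-RequestParamToHeader.yml targets: a servlet that copies a request parameter into a response header, with the unsanitized flow beside one guarded by a sanitizer that strips the carriage return and line feed characters the updated regex identifies. The class name, header name and sanitizeHeaderValue are assumptions; the rule's actual sanitizer regex is not reproduced here.

```java
// Added example, not from the MR or the rule set. Names are assumed.
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RequestParamToHeaderExample extends HttpServlet {

    // Unsanitized flow: the request parameter (source) reaches the header
    // sink unchanged. Whether CR/LF ever arrives here depends on the container:
    // Tomcat 8+ rejects them in the request target, Jetty 9.4 was observed to
    // accept them in header values.
    protected void doGetUnsanitized(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String type = req.getParameter("type");
        resp.setHeader("X-Type-Hint", type); // tainted value in a header sink
        resp.getWriter().write("ok");
    }

    // Sanitized flow: CR and LF are removed before the value reaches the sink,
    // which is the taint-breaking step the rule's sanitizer regex is meant to match.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String type = sanitizeHeaderValue(req.getParameter("type"));
        resp.setHeader("X-Type-Hint", type);
        resp.getWriter().write("ok");
    }

    // Strips carriage return and line feed characters; null maps to an empty
    // string so setHeader never receives a null value.
    static String sanitizeHeaderValue(String value) {
        if (value == null) {
            return "";
        }
        return value.replaceAll("[\\r\\n]", "");
    }

    // Stand-alone check of the sanitizer on a constructed input modelled on the
    // "test\r\ning" value used in the MR's Tomcat test.
    public static void main(String[] args) {
        String constructed = "test\r\ning";
        String clean = sanitizeHeaderValue(constructed);
        if (clean.contains("\r") || clean.contains("\n")) {
            throw new AssertionError("CR/LF survived sanitization");
        }
        System.out.println(clean);
    }
}
```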
