Skip to content
This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

Commit

Permalink
Merge pull request #171 from remy/fix/ddos-on-3dotx
Browse files Browse the repository at this point in the history 
Fix minor DoS attack on long headers or uris.
  • Loading branch information
@hueniverse
hueniverse committed Jan 21, 2016
2 parents 66dd8f9 + bb5cf9c commit bef99ae
Show file tree
Hide file tree
Showing 5 changed files with 94 additions and 8 deletions.
5 changes: 4 additions & 1 deletion dist/client.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,10 @@

;

function _typeof(obj) { return obj && typeof Symbol !== "undefined" && obj.constructor === Symbol ? "symbol" : typeof obj; }
var _typeof = function (obj) {

return obj && typeof Symbol !== 'undefined' && obj.constructor === Symbol ? 'symbol' : typeof obj;
};

var Url = require('url');
var Hoek = require('hoek');
Expand Down
12 changes: 10 additions & 2 deletions lib/server.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,11 @@ exports.header = function (credentials, artifacts, options) {
* 'hostHeaderName', 'localtimeOffsetMsec', 'host', 'port'
*/


// 1 2 3 4
internals.bewitRegex = /^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/;


exports.authenticateBewit = function (req, credentialsFunc, options, callback) {

callback = Hoek.nextTick(callback);
Expand All @@ -325,8 +330,11 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {

// Extract bewit

// 1 2 3 4
var resource = request.url.match(/^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/);
if (request.url.length > Utils.limits.maxMatchLength) {
return callback(Boom.badRequest('Resource path exceeds max length'));
}

var resource = request.url.match(internals.bewitRegex);
if (!resource) {
return callback(Boom.unauthorized(null, 'Hawk'));
}
Expand Down
30 changes: 25 additions & 5 deletions lib/utils.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,11 @@ exports.version = function () {
};


exports.limits = {
maxMatchLength: 4096 // Limit the length of uris and headers to avoid a DoS attack on string matching
};


// Extract host and port from request

// $1 $2
Expand All @@ -29,6 +34,10 @@ exports.parseHost = function (req, hostHeaderName) {
return null;
}

if (hostHeader.length > exports.limits.maxMatchLength) {
return null;
}

var hostParts = hostHeader.match(internals.hostHeaderRegex);
if (!hostParts) {
return null;
Expand Down Expand Up @@ -63,8 +72,11 @@ exports.parseRequest = function (req, options) {

// Obtain host and port information

if (!options.host || !options.port) {
var host = exports.parseHost(req, options.hostHeaderName);
var host;
if (!options.host ||
!options.port) {

host = exports.parseHost(req, options.hostHeaderName);
if (!host) {
return new Error('Invalid Host header');
}
Expand Down Expand Up @@ -95,6 +107,10 @@ exports.nowSecs = function (localtimeOffsetMsec) {
};


internals.authHeaderRegex = /^(\w+)(?:\s+(.*))?$/; // Header: scheme[ something]
internals.attributeRegex = /^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/; // !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9


// Parse Hawk HTTP Authorization header

exports.parseAuthorizationHeader = function (header, keys) {
Expand All @@ -105,7 +121,11 @@ exports.parseAuthorizationHeader = function (header, keys) {
return Boom.unauthorized(null, 'Hawk');
}

var headerParts = header.match(/^(\w+)(?:\s+(.*))?$/); // Header: scheme[ something]
if (header.length > exports.limits.maxMatchLength) {
return Boom.badRequest('Header length too long');
}

var headerParts = header.match(internals.authHeaderRegex);
if (!headerParts) {
return Boom.badRequest('Invalid header syntax');
}
Expand All @@ -131,9 +151,9 @@ exports.parseAuthorizationHeader = function (header, keys) {
return;
}

// Allowed attribute value characters: !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9
// Allowed attribute value characters

if ($2.match(/^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/) === null) {
if ($2.match(internals.attributeRegex) === null) {
errorMessage = 'Bad attribute value: ' + $1;
return;
}
Expand Down
27 changes: 27 additions & 0 deletions test/server.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -970,6 +970,33 @@ describe('Server', function () {
});
});

describe('authenticateBewit()', function () {

it('errors on uri too long', function (done) {

var long = '/';
for (var i = 0; i < 5000; ++i) {
long += 'x';
}

var req = {
method: 'GET',
url: long,
host: 'example.com',
port: 8080,
authorization: 'Hawk id="1", ts="1353788437", nonce="k3j4h2", mac="zy79QQ5/EYFmQqutVnYb73gAc/U=", ext="hello"'
};

Hawk.server.authenticateBewit(req, credentialsFunc, {}, function (err, credentials, bewit) {

expect(err).to.exist();
expect(err.output.statusCode).to.equal(400);
expect(err.message).to.equal('Resource path exceeds max length');
done();
});
});
});

describe('authenticateMessage()', function () {

it('errors on invalid authorization (ts)', function (done) {
Expand Down
28 changes: 28 additions & 0 deletions test/utils.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -93,6 +93,34 @@ describe('Utils', function () {
expect(host.name).to.equal('[123:123:123]');
done();
});

it('errors on header too long', function (done) {

var long = '';
for (var i = 0; i < 5000; ++i) {
long += 'x';
}

expect(Hawk.utils.parseHost({ headers: { host: long } })).to.be.null();
done();
});
});

describe('parseAuthorizationHeader()', function () {

it('errors on header too long', function (done) {

var long = 'Scheme a="';
for (var i = 0; i < 5000; ++i) {
long += 'x';
}
long += '"';

var err = Hawk.utils.parseAuthorizationHeader(long, ['a']);
expect(err).to.be.instanceof(Error);
expect(err.message).to.equal('Header length too long');
done();
});
});

describe('version()', function () {
Expand Down

0 comments on commit bef99ae

Please sign in to comment.