Fix minor DoS attack on long headers or uris.

Related to #168 Supports the fix on the 3.x branch allowing for https://github.com/request/request to pick up the fix in 3.1.x Fixes request/request#2020
mozilla · Jan 20, 2016 · ccebde4 · ccebde4
1 parent 66dd8f9
commit ccebde4
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 7 deletions.
diff --git a/lib/server.js b/lib/server.js
@@ -308,6 +308,11 @@ exports.header = function (credentials, artifacts, options) {
  * 'hostHeaderName', 'localtimeOffsetMsec', 'host', 'port'
  */
 
+
+//                       1     2             3           4
+internals.bewitRegex = /^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/;
+
+
 exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 
     callback = Hoek.nextTick(callback);
@@ -325,8 +330,11 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 
     // Extract bewit
 
-    //                                 1     2             3           4
-    var resource = request.url.match(/^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/);
+    if (request.url.length > Utils.limits.maxMatchLength) {
+        return callback(Boom.badRequest('Resource path exceeds max length'));
+    }
+
+    var resource = request.url.match(internals.bewitRegex);
     if (!resource) {
         return callback(Boom.unauthorized(null, 'Hawk'));
     }

diff --git a/lib/utils.js b/lib/utils.js
@@ -15,6 +15,11 @@ exports.version = function () {
 };
 
 
+exports.limits = {
+    maxMatchLength: 4096            // Limit the length of uris and headers to avoid a DoS attack on string matching
+};
+
+
 // Extract host and port from request
 
 //                                            $1                            $2
@@ -29,6 +34,10 @@ exports.parseHost = function (req, hostHeaderName) {
         return null;
     }
 
+    if (hostHeader.length > exports.limits.maxMatchLength) {
+        return null;
+    }
+
     var hostParts = hostHeader.match(internals.hostHeaderRegex);
     if (!hostParts) {
         return null;
@@ -63,8 +72,11 @@ exports.parseRequest = function (req, options) {
 
     // Obtain host and port information
 
-    if (!options.host || !options.port) {
-        var host = exports.parseHost(req, options.hostHeaderName);
+    var host;
+    if (!options.host ||
+        !options.port) {
+
+        host = exports.parseHost(req, options.hostHeaderName);
         if (!host) {
             return new Error('Invalid Host header');
         }
@@ -95,6 +107,10 @@ exports.nowSecs = function (localtimeOffsetMsec) {
 };
 
 
+internals.authHeaderRegex = /^(\w+)(?:\s+(.*))?$/;                                      // Header: scheme[ something]
+internals.attributeRegex = /^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/;   // !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9
+
+
 // Parse Hawk HTTP Authorization header
 
 exports.parseAuthorizationHeader = function (header, keys) {
@@ -105,7 +121,11 @@ exports.parseAuthorizationHeader = function (header, keys) {
         return Boom.unauthorized(null, 'Hawk');
     }
 
-    var headerParts = header.match(/^(\w+)(?:\s+(.*))?$/);       // Header: scheme[ something]
+    if (header.length > exports.limits.maxMatchLength) {
+        return Boom.badRequest('Header length too long');
+    }
+
+    var headerParts = header.match(internals.authHeaderRegex);
     if (!headerParts) {
         return Boom.badRequest('Invalid header syntax');
     }
@@ -131,9 +151,9 @@ exports.parseAuthorizationHeader = function (header, keys) {
             return;
         }
 
-        // Allowed attribute value characters: !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9
+        // Allowed attribute value characters
 
-        if ($2.match(/^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/) === null) {
+        if ($2.match(internals.attributeRegex) === null) {
             errorMessage = 'Bad attribute value: ' + $1;
             return;
         }