fix(l7): reject requests with both CL and TE headers in inference parser (CWE-444) #671
Open
latenighthackathon wants to merge 2 commits into NVIDIA:main from
…ser (CWE-444)
The CL/TE desynchronisation guard added in NVIDIA#663 for the REST path was not applied to the inference request parser. A request containing both Content-Length and Transfer-Encoding headers could be interpreted differently by the proxy and the upstream server, enabling HTTP request smuggling (CWE-444, RFC 7230 Section 3.3.3). Add the same rejection check and two tests mirroring the REST parser coverage.
Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
Align the CL+TE rejection message with rest.rs casing ("Request"
instead of "request") and add a te_substring_not_chunked test
verifying that partial Transfer-Encoding tokens like "chunkedx"
are not mistakenly treated as chunked.
Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
Self-review follow-up in
Summary
The CL/TE desynchronisation guard added in #663 for the REST path was not applied to the inference request parser. A request containing both Content-Length and Transfer-Encoding headers is silently accepted by inference.rs, with Content-Length ignored in favour of chunked transfer-encoding. This enables HTTP request smuggling if an upstream server interprets the request via Content-Length instead (CWE-444, RFC 7230 Section 3.3.3).
Related Issue
Closes #670
Follow-up to #663 / #637 — same vulnerability class, sister parser.
Changes
try_parse_http_request() after header parsing loop, returning ParseResult::Invalid when both is_chunked and has_content_length are true.
reject_dual_content_length_and_transfer_encoding and reject_dual_transfer_encoding_and_content_length tests mirroring SEC-009 coverage in rest.rs.
te_substring_not_chunked test verifying partial TE tokens like chunkedx are not treated as chunked.
rest.rs convention ("Request contains..." instead of "request contains...").
Testing
mise run pre-commit passes (no local Rust toolchain)
Executed:
try_parse_http_request() logic
inference.rs (byte string literals up to 152 chars are accepted by cargo fmt)
Checklist
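The check described in this PR, as an added Rust sketch that is not the project's inference.rs: the both-headers decision is made after the header loop so header order does not matter, and Transfer-Encoding is matched per token so chunkedx is not treated as chunked. Framing, classify_framing and the error strings are hypothetical names, and the digits-only Content-Length and field-name checks are assumptions that go beyond what the PR states.

```rust
// Added illustration, not the project's inference.rs; all names are hypothetical.
#[derive(Debug, PartialEq)]
enum Framing {
    NoBody,
    ContentLength(usize),
    Chunked,
    Invalid(&'static str),
}

/// Classify body framing from a CRLF-separated header block (no request line).
fn classify_framing(headers: &str) -> Framing {
    let mut is_chunked = false;
    let mut content_length: Option<usize> = None;
    for line in headers.split("\r\n").filter(|l| !l.is_empty()) {
        let (name, value) = match line.split_once(':') {
            // No colon, or whitespace in the field name: refuse rather than guess.
            Some((n, v)) if !n.is_empty() && !n.contains(char::is_whitespace) => (n, v.trim()),
            _ => return Framing::Invalid("malformed header line"),
        };
        if name.eq_ignore_ascii_case("transfer-encoding") {
            // Match whole comma-separated tokens, so "chunkedx" is not chunked.
            is_chunked |= value.split(',').any(|t| t.trim().eq_ignore_ascii_case("chunked"));
        } else if name.eq_ignore_ascii_case("content-length") {
            // Digits only: str::parse alone would also accept a leading '+'.
            let digits = !value.is_empty() && value.bytes().all(|b| b.is_ascii_digit());
            let n = match value.parse::<usize>() {
                Ok(n) if digits => n,
                _ => return Framing::Invalid("malformed Content-Length"),
            };
            if content_length.map_or(false, |prev| prev != n) {
                return Framing::Invalid("conflicting Content-Length values");
            }
            content_length = Some(n);
        }
    }
    // Decide after the loop so the result does not depend on header order.
    match (is_chunked, content_length) {
        (true, Some(_)) => Framing::Invalid("both Content-Length and Transfer-Encoding"),
        (true, None) => Framing::Chunked,
        (false, Some(n)) => Framing::ContentLength(n),
        (false, None) => Framing::NoBody,
    }
}

fn main() {
    // Constructed sample: both framing headers present.
    println!("{:?}", classify_framing("Content-Length: 5\r\nTransfer-Encoding: chunked\r\n"));
}
```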