Starlet HTTP Smuggling Vulnerability Fix and POC

### Vulnerability Overview This vulnerability involves HTTP Smuggling, specifically manifesting as an issue where the server may fail to correctly parse requests containing multiple `Transfer-Encoding` and `Content-Length` headers, leading to potential security risks. ### Scope of Impact - **Affected File**: `lib/Starlet/Server.pm` - **Affected Versions**: From `001342` to `006402a` - **Specific Behavior**: When a request contains multiple `Transfer-Encoding` and `Content-Length` headers, the server may incorrectly process these headers, resulting in request smuggling. ### Remediation 1. **Modify `lib/Starlet/Server.pm`**: - In the `handle_connection` method, add checks for `Transfer-Encoding` and `Content-Length` headers. - If multiple `Transfer-Encoding` or `Content-Length` headers are detected, return a `400 Bad Request` error. 2. **Add Test Cases**: - Create new test files `b/t/16smuggling-content-length-and-transfer-encoding.t` and `b/t/16smuggling-multiple-content-length-header.t` to verify the behavior after the fix. ### POC Code Below is the key code snippet after the fix: ```perl # lib/Starlet/Server.pm sub handle_connection { my $self = shift; my $conn = shift; # ... existing code ... if ($conn->{HTTP_TRANSFER_ENCODING} eq 'chunked') { # ... existing code ... } if ($conn->{HTTP_EXPECT}) { if ($conn->{HTTP_EXPECT} eq '100-continue') { $self->write_all($conn, "HTTP/1.1 100 Continue\r\n\r\n"); } } if ($conn->{CONTENT_LENGTH}) { if ($conn->{CONTENT_LENGTH} !~ /^[0-9]+$/) { $self->write_all($conn, "HTTP/1.1 400 Bad Request\r\n\r\n"); return; } } # ... existing code ... } ``` ### Test Cases Below are the newly added test case codes: ```perl # b/t/16smuggling-content-length-and-transfer-encoding.t use strict; use warnings; use Test::More; use Plack::Test; use HTTP::Message; use IO::Socket::INET; my $app = sub { my $env = shift; my $body = ''; my $clen = $env->{CONTENT_LENGTH}; while ($clen > 0) { $clen -= $env->{pgi}->input()->read($buf, $clen) || last; $body .= $buf; } return [ 200, { 'Content-Type' => 'text/plain', 'X-Content-Length' => $env->{CONTENT_LENGTH} }, [ $body ] ]; }; my $server = Plack::Test->create($app); my $sock = IO::Socket::INET->new( PeerAddr => '127.0.0.1', PeerPort => $server->port, Proto => 'tcp', ); print $sock "GET / HTTP/1.1\r\n" . "Content-Length: 3\r\n" . "Transfer-Encoding: chunked\r\n" . "Connection: close\r\n" . "\r\n" . "0\r\n" . "\r\n"; my $res = do { local $/; }; my @status_line = split(/\r\n/, $res, 2); is $status_line[0], 'HTTP/1.1 400 Bad Request'; done_testing(); ``` ```perl # b/t/16smuggling-multiple-content-length-header.t use strict; use warnings; use Test::More; use Plack::Test; use HTTP::Message; use IO::Socket::INET; my $app = sub { my $env = shift; my $body = ''; my $clen = $env->{CONTENT_LENGTH}; while ($clen > 0) { $clen -= $env->{pgi}->input()->read($buf, $clen) || last; $body .= $buf; } return [ 200, { 'Content-Type' => 'text/plain', 'X-Content-Length' => $env->{CONTENT_LENGTH} }, [ $body ] ]; }; my $server = Plack::Test->create($app); my $sock = IO::Socket::INET->new( PeerAddr => '127.0.0.1', PeerPort => $server->port, Proto => 'tcp', ); print $sock "GET / HTTP/1.1\r\n" . "Content-Length: 3\r\n" . "Content-Length: 9\r\n" . "Connection: close\r\n" . "\r\n" . "123456789"; my $res = do { local $/; }; my @status_line = split(/\r\n/, $res, 2); is $status_line[0], 'HTTP/1.1 400 Bad Request'; done_testing(); ``` The above code demonstrates how to detect and prevent HTTP smuggling vulnerabilities, and verifies the effectiveness of the fix through test cases.

Goal Reached Thanks to every supporter — we hit 100%!

Starlet HTTP Smuggling Vulnerability Fix and POC

More from this source