[PATCH 0/3] http: some DoS prevention

[PATCH 0/3] http: some DoS prevention

[Eric Wong]

Since public-inbox-httpd is may face untrusted clients directly
without a reverse proxy like haproxy/nginx; we should have some
basic protection to avoid DoS attacks involving excessive
resource use.

Eric Wong (3):
      http: reject excessive headers
      http: ensure errors are printable before PSGI env
      http: reject excessively large HTTP request bodies

 lib/PublicInbox/HTTP.pm | 23 ++++++++++++++++++++---
 t/httpd-corner.t        | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 3 deletions(-)

[PATCH 1/3] http: reject excessive headers

[Eric Wong]

HTTP::Parser::XS::PP does not reject excessively large
headers like the XS version.  Ensure we reject headers
over 16K since public-inbox should never need such large
request headers.
---
 lib/PublicInbox/HTTP.pm |  6 +++++-
 t/httpd-corner.t        | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm
index 6c4c20d..8988e7d 100644
--- a/lib/PublicInbox/HTTP.pm
+++ b/lib/PublicInbox/HTTP.pm
@@ -70,7 +70,11 @@ sub rbuf_process {
 
 	# We do not support Trailers in chunked requests, for now
 	# (they are rarely-used and git (as of 2.7.2) does not use them)
-	return quit($self, 400) if $r == -1 || $env{HTTP_TRAILER};
+	if ($r == -1 || $env{HTTP_TRAILER} ||
+			# this length-check is necessary for PURE_PERL=1:
+			($r == -2 && length($self->{rbuf}) > 0x4000)) {
+		return quit($self, 400);
+	}
 	return $self->watch_read(1) if $r < 0; # incomplete
 	$self->{rbuf} = substr($self->{rbuf}, $r);
 
diff --git a/t/httpd-corner.t b/t/httpd-corner.t
index 833eb42..8670846 100644
--- a/t/httpd-corner.t
+++ b/t/httpd-corner.t
@@ -84,6 +84,18 @@ my $spawn_httpd = sub {
 	is($body, "hello world\n", 'callback body matches expected');
 }
 
+{
+	my $conn = conn_for($sock, 'excessive header');
+	$SIG{PIPE} = 'IGNORE';
+	$conn->write("GET /callback HTTP/1.0\r\n");
+	foreach my $i (1..500000) {
+		last unless $conn->write("X-xxxxxJunk-$i: omg\r\n");
+	}
+	ok(!$conn->write("\r\n"), 'broken request');
+	ok($conn->read(my $buf, 8192), 'read response');
+	my ($head, $body) = split(/\r\n\r\n/, $buf);
+	like($head, qr/\b400\b/, 'got 400 response');
+}
 
 # Unix domain sockets
 {
-- 
EW

[PATCH 2/3] http: ensure errors are printable before PSGI env

[Eric Wong]

We cannot rely on a client socket having a PSGI env before headers
are fully-parsed as we seek to avoid storing hashes for idle
clients.  Sso print errors to the psgi.errors value which belongs to
the httpd listener, instead.
---
 lib/PublicInbox/HTTP.pm | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm
index 8988e7d..15db139 100644
--- a/lib/PublicInbox/HTTP.pm
+++ b/lib/PublicInbox/HTTP.pm
@@ -251,7 +251,7 @@ sub env_chunked { ($_[0]->{HTTP_TRANSFER_ENCODING} || '') =~ /\bchunked\b/i }
 
 sub write_err {
 	my ($self) = @_;
-	my $err = $self->{env}->{'psgi.errors'};
+	my $err = $self->{httpd}->{env}->{'psgi.errors'};
 	my $msg = $! || '(zero write)';
 	$err->print("error buffering to input: $msg\n");
 	quit($self, 500);
@@ -264,7 +264,7 @@ sub recv_err {
 		$self->{input_left} = $len;
 		return;
 	}
-	my $err = $self->{env}->{'psgi.errors'};
+	my $err = $self->{httpd}->{env}->{'psgi.errors'};
 	$err->print("error reading for input: $! ($len bytes remaining)\n");
 	quit($self, 500);
 }
-- 
EW

[PATCH 3/3] http: reject excessively large HTTP request bodies

[Eric Wong]

We cannot risk using all of a users' disk space buffering
gigantic requests.  Use the defaults git gives us since
we primarily host git repositories.
---
 lib/PublicInbox/HTTP.pm | 13 +++++++++++++
 t/httpd-corner.t        | 21 +++++++++++++++++++++
 2 files changed, 34 insertions(+)

diff --git a/lib/PublicInbox/HTTP.pm b/lib/PublicInbox/HTTP.pm
index 15db139..0675f6a 100644
--- a/lib/PublicInbox/HTTP.pm
+++ b/lib/PublicInbox/HTTP.pm
@@ -24,6 +24,12 @@ use constant {
 	CHUNK_MAX_HDR => 256,
 };
 
+# Use the same configuration parameter as git since this is primarily
+# a slow-client sponge for git-http-backend
+# TODO: support per-respository http.maxRequestBuffer somehow...
+our $MAX_REQUEST_BUFFER = $ENV{GIT_HTTP_MAX_REQUEST_BUFFER} ||
+			(10 * 1024 * 1024);
+
 my $null_io = IO::File->new('/dev/null', '<');
 my $http_date;
 my $prev = 0;
@@ -232,6 +238,10 @@ sub input_prepare {
 	my $input = $null_io;
 	my $len = $env->{CONTENT_LENGTH};
 	if ($len) {
+		if ($len > $MAX_REQUEST_BUFFER) {
+			quit($self, 413);
+			return;
+		}
 		$input = IO::File->new_tmpfile;
 	} elsif (env_chunked($env)) {
 		$len = CHUNK_START;
@@ -306,6 +316,9 @@ sub event_read_input_chunked { # unlikely...
 		if ($len == CHUNK_START) {
 			if ($$rbuf =~ s/\A([a-f0-9]+).*?\r\n//i) {
 				$len = hex $1;
+				if (($len + -s $input) > $MAX_REQUEST_BUFFER) {
+					return quit($self, 413);
+				}
 			} elsif (length($$rbuf) > CHUNK_MAX_HDR) {
 				return quit($self, 400);
 			}
diff --git a/t/httpd-corner.t b/t/httpd-corner.t
index 8670846..59f37aa 100644
--- a/t/httpd-corner.t
+++ b/t/httpd-corner.t
@@ -97,6 +97,27 @@ my $spawn_httpd = sub {
 	like($head, qr/\b400\b/, 'got 400 response');
 }
 
+{
+	my $conn = conn_for($sock, 'excessive body Content-Length');
+	$SIG{PIPE} = 'IGNORE';
+	my $n = (10 * 1024 * 1024) + 1;
+	$conn->write("PUT /sha1 HTTP/1.0\r\nContent-Length: $n\r\n\r\n");
+	ok($conn->read(my $buf, 8192), 'read response');
+	my ($head, $body) = split(/\r\n\r\n/, $buf);
+	like($head, qr/\b413\b/, 'got 413 response');
+}
+
+{
+	my $conn = conn_for($sock, 'excessive body chunked');
+	$SIG{PIPE} = 'IGNORE';
+	my $n = (10 * 1024 * 1024) + 1;
+	$conn->write("PUT /sha1 HTTP/1.1\r\nTransfer-Encoding: chunked\r\n");
+	$conn->write("\r\n".sprintf("%x\r\n", $n));
+	ok($conn->read(my $buf, 8192), 'read response');
+	my ($head, $body) = split(/\r\n\r\n/, $buf);
+	like($head, qr/\b413\b/, 'got 413 response');
+}
+
 # Unix domain sockets
 {
 	my $u = IO::Socket::UNIX->new(Type => SOCK_STREAM, Peer => $upath);
-- 
EW