π‘οΈ Sentinel: [HIGH] Fix DoS vulnerability in request sanitization #6300
@@ -493,6 +493,16 @@ | |
| // For inference requests, we'll validate in the handler | ||
| // This middleware focuses on general request sanitization | ||
| // π‘οΈ Sentinel: Reject unbounded chunked payloads to prevent DoS | ||
| if !request.headers().contains_key("content-length") | ||
| && let Some(te) = request.headers().get("transfer-encoding") | ||
| && let Ok(te_str) = te.to_str() | ||
| && te_str.to_lowercase().contains("chunked") | ||
| { | ||
| warn!("Rejected chunked request without content-length"); | ||
| return Err(StatusCode::LENGTH_REQUIRED); | ||
| } | ||
Comment on lines +497 to +504:

Requiring a Additionally, allowing chunked requests only when

Recommended Approaches:

```rust
if let Some(te) = request.headers().get("transfer-encoding")
    && let Ok(te_str) = te.to_str()
    && te_str.to_lowercase().contains("chunked")
{
    warn!("Rejected chunked request to prevent unbounded payload DoS");
    return Err(StatusCode::BAD_REQUEST);
}
```
| // Check request size | ||
| if let Some(content_length) = request.headers().get("content-length") | ||
| && let Ok(length_str) = content_length.to_str() | ||
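Review bot: the guard `if !request.headers().contains_key("content-length") && let Some(te) = ... && te_str.to_lowercase().contains("chunked")` inverts the protection it is meant to add. RFC 9112 forbids sending Content-Length in a message that carries Transfer-Encoding, so every compliant chunked request arrives with Transfer-Encoding alone and is rejected here with 411, while a request carrying both headers, the shape used for request smuggling and one RFC 9112 says ought to be handled as an error, passes this check and then reaches the `// Check request size` branch below, which trusts the Content-Length value it parses. Suggest reversing the logic: reject when both framing headers are present, and bound the body with a body-limit layer rather than a header check, since neither header limits what a chunked body actually delivers. Two smaller points: `contains("chunked")` also matches a coding list such as `chunked, gzip` in which chunked is not the final coding, a case RFC 9112 requires a server to answer with 400, so if chunked is to be accepted, check that it is the last coding rather than merely present; and if the intent really is to refuse every chunked body, drop the `contains_key("content-length")` guard and return 400 rather than `StatusCode::LENGTH_REQUIRED`, because 411 asks the client to resend with Content-Length, which it cannot legitimately add alongside Transfer-Encoding.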
According to the HTTP/1.1 specification (RFC 9112, Section 6.2), a sender must not send a `Content-Length` header in any message that contains a `Transfer-Encoding` header. By rejecting chunked requests that lack a `Content-Length` header, this middleware will reject all standard-compliant chunked requests, effectively breaking chunked transfer encoding support entirely.

If the goal is to prevent unbounded payloads:

- `Content-Length` header.
- `tower_http::limit::RequestBodyLimitLayer` or Axum's `DefaultBodyLimit`), rather than relying on headers which can be omitted or spoofed.

If you wish to reject all chunked requests to prevent DoS, you should remove the `content-length` check.
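To make the inversion concrete, the following is an added example, written for this review and not code from the bitnet-server PR or from the axum/tower_http crates. It models the middleware's header logic over a plain slice of (name, value) pairs instead of `http::HeaderMap` so it compiles with std alone; `Verdict`, `original_policy`, `hardened_policy` and the `MAX_CONTENT_LENGTH` cap are all assumptions for illustration. `original_policy` reproduces the condition in the hunk; `hardened_policy` rejects the forbidden Content-Length plus Transfer-Encoding combination, validates and caps a declared length, and accepts a compliant chunked request, leaving the actual body bound to a body-limit layer that headers cannot replace.

```rust
// Added example, not the PR's code: a header-only request policy modelled on
// the middleware in the diff. Headers are a slice of (name, value) pairs so
// this runs with std alone; MAX_CONTENT_LENGTH is an assumed limit.

/// Assumed upper bound for a declared body (1 MiB); a real service picks its own.
const MAX_CONTENT_LENGTH: u64 = 1 << 20;

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Accept,
    LengthRequired,  // 411, what the hunk returns
    BadRequest,      // 400
    PayloadTooLarge, // 413
}

/// Case-insensitive lookup of the first header with the given name.
fn header<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|(n, _)| n.eq_ignore_ascii_case(name))
        .map(|(_, v)| *v)
}

/// Mirrors the hunk's test: the lowercased value merely contains "chunked".
fn mentions_chunked(te: &str) -> bool {
    te.to_ascii_lowercase().contains("chunked")
}

/// RFC 9112 requires chunked to be the final transfer coding of a request.
fn chunked_is_final(te: &str) -> bool {
    te.rsplit(',')
        .next()
        .map(|coding| coding.trim().eq_ignore_ascii_case("chunked"))
        .unwrap_or(false)
}

/// The condition as written in the PR hunk: a chunked request that lacks
/// Content-Length is rejected with 411; every other request passes.
pub fn original_policy(headers: &[(&str, &str)]) -> Verdict {
    let has_cl = header(headers, "content-length").is_some();
    let chunked = header(headers, "transfer-encoding")
        .map(mentions_chunked)
        .unwrap_or(false);
    if !has_cl && chunked {
        return Verdict::LengthRequired;
    }
    Verdict::Accept
}

/// Hardened policy (an assumption about what the fix should do, not the PR's code).
pub fn hardened_policy(headers: &[(&str, &str)]) -> Verdict {
    match (header(headers, "content-length"), header(headers, "transfer-encoding")) {
        // Both framing headers: the request-smuggling shape; RFC 9112 says treat it as an error.
        (Some(_), Some(_)) => Verdict::BadRequest,
        // Declared length: digits only, parseable, and under the cap. It is still
        // only a claim, so the body reader must enforce the same limit.
        (Some(cl), None) => {
            let cl = cl.trim();
            if cl.is_empty() || !cl.bytes().all(|b| b.is_ascii_digit()) {
                return Verdict::BadRequest;
            }
            match cl.parse::<u64>() {
                Ok(n) if n <= MAX_CONTENT_LENGTH => Verdict::Accept,
                _ => Verdict::PayloadTooLarge, // over the cap, or too big for u64
            }
        }
        // Chunked only: the compliant form. Accept when chunked is the final coding;
        // otherwise the body length is undeterminable and the RFC mandates 400.
        (None, Some(te)) => {
            if chunked_is_final(te) { Verdict::Accept } else { Verdict::BadRequest }
        }
        // No body-framing headers at all (e.g. a GET): nothing to check here.
        (None, None) => Verdict::Accept,
    }
}

fn main() {
    // Constructed sample header sets; nothing here reads a body.
    let samples: Vec<(&str, Vec<(&str, &str)>)> = vec![
        ("compliant chunked", vec![("Host", "bitnet"), ("Transfer-Encoding", "chunked")]),
        ("both headers", vec![("Content-Length", "4"), ("Transfer-Encoding", "chunked")]),
        ("declared, oversized", vec![("Content-Length", "2000000")]),
        ("chunked not final", vec![("Transfer-Encoding", "chunked, gzip")]),
    ];
    for (name, h) in &samples {
        println!("{name:>20}: original={:?} hardened={:?}", original_policy(h), hardened_policy(h));
    }
}
```

Running it shows the two policies disagree on exactly the cases that matter: the compliant chunked request is the one `original_policy` rejects, and the both-headers request is the one it lets through.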