Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix potential ReDOS-Attack-Vector in Headerparser #72

Merged
merged 2 commits into from
Dec 9, 2021

Conversation

Uzlopak
Copy link
Contributor

@Uzlopak Uzlopak commented Dec 6, 2021

tl;dr;
An attacker could send a payload with large headers, which contain no colon, repeatedly, resulting in a REDoS-Attack.

The Regex for handling headerpairs is prone to catastrophic backtracking.

This is even more critical, as busboys default limit for multipart headers is 80kby and that if a header is not valid, the counter for headers is not increasing. Meaning, that the attacker could send a big payload of multipart formdata, were each multipart contains 80kby of invalid headerdata resulting in a DoS-Attack.

To avoid this, we just check if the line contains a colon and if so ensure that it is not at the first position. If not we exit early. If not we can savely use the Regex for the header as before.

Checklist

@Uzlopak
Copy link
Contributor Author

Uzlopak commented Dec 6, 2021

benchmarks before:

npm run benchmark-fastify -- -p low

> [email protected] benchmark-fastify /home/aras/Workspace/fastify/busboy/benchmarks
> node busboy/executioner.js -c 1 "-p" "low"

Mean time for fastify-busboy is 285299.9631169119 nanoseconds
all done

benchmarks after:

npm run benchmark-fastify -- -p low

> [email protected] benchmark-fastify /home/aras/Workspace/fastify/busboy/benchmarks
> node busboy/executioner.js -c 1 "-p" "low"

Mean time for fastify-busboy is 284407.45698760776 nanoseconds
all done

no performance degredation.

posColon === -1 ||
posColon === 0
) {
return
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't we throw an error instead? is this even valid payload?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Current behavior is skipping the header, if it is invalid. I would not want to change that, as I am not sure what side effects this could have. Maybe there is some reason that we just ignore it.

Or somebody is using for years busboy in his legacy product with a self written client. Then he wants to update his product to make it more resilient and then we throw errors resulting in a bigger man power investment as now the program breaks for something which was always handled gracefully. This could result in keeping the old busboy in the product with the argument, that the security fix is not worth the time to bugfix the legacy product.

Copy link
Member

@kibertoad kibertoad Dec 6, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would be helpful to at least log an error then. silent ignoring may be confusing and hard to debug

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have no logging functionality in busboy :/
Also before there was no logging of the invalid header.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should add some. not in this pr, though

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for the mercy :)

@Uzlopak Uzlopak changed the title improve resilience of headerparser Fix potential ReDOS-Attack-Vector in Headerparser Dec 6, 2021
@Uzlopak
Copy link
Contributor Author

Uzlopak commented Dec 9, 2021

@kibertoad
Anything I a can do?

@kibertoad
Copy link
Member

@Uzlopak I think this ties in to having strict mode discussed in another PR. If we go in that direction, enabling strict mode should probably emit an error in this case as well.

@Uzlopak
Copy link
Contributor Author

Uzlopak commented Dec 9, 2021

I can understand that, but I would actually recommend to merge this anyway as this fixes a potential security issue and does not modify in any way the original busboy behaviour. We can still throw/emit an Error when we decide to implement a strict Mode.

@Uzlopak Uzlopak merged commit 7c19c1d into fastify:master Dec 9, 2021
@Uzlopak Uzlopak deleted the improve-headerparser branch December 11, 2021 10:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants