Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Denial of Service in newRequest #159

Closed
y0d3n opened this issue Apr 18, 2024 · 10 comments · Fixed by #162
Closed

Denial of Service in newRequest #159

y0d3n opened this issue Apr 18, 2024 · 10 comments · Fixed by #162

Comments

@y0d3n
Copy link

y0d3n commented Apr 18, 2024
edited
Loading

Hi, Denial of Service vulnerability discovered.

PoC

Source

import { serve } from '@hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/*', (c) => {
    return c.text("hello")
})

serve(app, (info) => {
    console.log(`Listening on http://localhost:${info.port}`) // Listening on http://localhost:3000
})

Request

curl localhost:3000/ -H "Host: "

As a result, the application stops.

Exception has occurred: TypeError: Invalid URL

In this case, the argument passed to new URL will be http:/// .

node-server/src/request.ts

Lines 117 to 126 in c22f750

req[urlKey] = new URL(
`${
incoming instanceof Http2ServerRequest ||
(incoming.socket && (incoming.socket as TLSSocket).encrypted)
? 'https'
: 'http'
}://${incoming instanceof Http2ServerRequest ? incoming.authority : incoming.headers.host}${
incoming.url
}`
).href

Suggested fix

It is recommended to validate the Host header.

In addition, it is possible to manipulate the c.req.path by including / in the Host header.
This has not so far led to any direct damage, but it could be used for WAF bypassing, etc., so it is recommended to add this to the validation process.

Source

import { serve } from '@hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/*', (c) => {
    return c.json({
        c_env_incoming_url: c.env.incoming.url,
        c_req_url: c.req.url,
        c_req_path: c.req.path,
    })
})

serve(app, (info) => {
    console.log(`Listening on http://localhost:${info.port}`) // Listening on http://localhost:3000
})

Request

curl localhost:3000/aaa -H "Host: example.com/bbb?"

Response

{
	"c_env_incoming_url":"/aaa",
	"c_req_url":"http://example.com/bbb?/aaa",
	"c_req_path":"/bbb"
}
@yusukebe
Copy link
Member

Hi @Yovach

Thank you for raising the issue.

@usualoma Can you take a look at this?

@usualoma
Copy link
Member

Hi @y0d3n

Thanks for the report!
You're right about "Host: example.com/bbb?" too, I think it should be an error.
We will start to fix it immediately.

@usualoma
Copy link
Member

#160 will also need to be considered together.

@usualoma usualoma mentioned this issue Apr 19, 2024
Merged
@usualoma
Copy link
Member

I've created #162

#162 would be able to be released immediately in a patch version, as it only suppresses the abnormal termination and does not change the behaviour.

#160 and #161 may have edge cases affected by the change, so it would be better to calm down and fix them in the next minor version.

@usualoma
Copy link
Member

At the moment, I would like to finalise the following changes.

main...usualoma:node-server:fix-invalid-incoming-request

@y0d3n
Copy link
Author

y0d3n commented Apr 19, 2024

Thanks for the quick fix.
Can I request CVE number for DoS? (Or after the related issue has been resolved?)

@usualoma
Copy link
Member

And created #163

@y0d3n Thank you for offering. I appreciate it.

Can I request CVE number for DoS? (Or after the related issue has been resolved?)

It would be good to release a more secure version with #163 first and then promote the update to users.

@yusukebe What do you think?

@yusukebe
Copy link
Member

Hi @y0d3n

I'm creating the report to request the CVE number for this issue.

@yusukebe
Copy link
Member

I've published the report and requested the CVE number:

GHSA-hgxw-5xg3-69jx

nicolewhite pushed a commit to autoblocksai/cli that referenced this issue Apr 19, 2024
@renovate
Update dependency @hono/node-server to v1.10.1 [SECURITY] (#42)
aaa420f 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [@hono/node-server](https://togithub.com/honojs/node-server) |
[`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@hono%2fnode-server/1.10.0/1.10.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@hono%2fnode-server/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@hono%2fnode-server/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@hono%2fnode-server/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@hono%2fnode-server/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-32652](https://togithub.com/honojs/node-server/security/advisories/GHSA-hgxw-5xg3-69jx)

### Impact

The application hangs when receiving a Host header with a value that
`@hono/node-server` can't handle well. Invalid values are those that
cannot be parsed by the `URL` as a hostname such as an empty string,
slashes `/`, and other strings.

For example, if you have a simple application:

```ts
import { serve } from '@​hono/node-server'
import { Hono } from 'hono'

const app = new Hono()

app.get('/', (c) => c.text('Hello'))

serve(app)
```

Sending a request with a Host header with an empty value to it:

```
curl localhost:3000/ -H "Host: "
```

The results:

```
node:internal/url:775
    this.#updateContext(bindingUrl.parse(input, base));
                                   ^

TypeError: Invalid URL
    at new URL (node:internal/url:775:36)
    at newRequest (/Users/yusuke/work/h/159/node_modules/@​hono/node-server/dist/index.js:137:17)
    at Server.<anonymous> (/Users/yusuke/work/h/159/node_modules/@&#8203;hono/node-server/dist/index.js:399:17)
    at Server.emit (node:events:514:28)
    at Server.emit (node:domain:488:12)
    at parserOnIncoming (node:_http_server:1143:12)
    at HTTPParser.parserOnHeadersComplete (node:_http_common:119:17) {
  code: 'ERR_INVALID_URL',
  input: 'http:///'
}
```

### Patches

The version `1.10.1` includes the fix for this issue. But, you should
use `1.11.0`, which has other fixes related to this issue.
[honojs/node-server#160
[honojs/node-server#161

### Workarounds

Nothing. Upgrade your `@hono/node-server`.

### References


[honojs/node-server#159

---

### Release Notes

<details>
<summary>honojs/node-server (@&#8203;hono/node-server)</summary>

###
[`v1.10.1`](https://togithub.com/honojs/node-server/releases/tag/v1.10.1)

[Compare
Source](https://togithub.com/honojs/node-server/compare/v1.10.0...v1.10.1)

#### What's Changed

- fix: catch ERR_INVALID_URL error in listener by
[@&#8203;usualoma](https://togithub.com/usualoma) in
[honojs/node-server#162

**Full Changelog**:
honojs/node-server@v1.10.0...v1.10.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/Chicago,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/autoblocksai/cli).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zMDEuNCIsInVwZGF0ZWRJblZlciI6IjM3LjMwMS40IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@y0d3n
Copy link
Author

y0d3n commented Apr 20, 2024

Oh! I am very happy😆
Thank you very much!

@hanspagel hanspagel mentioned this issue Apr 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: catch ERR_INVALID_URL error in listener usualoma/node-server
3 participants
@yusukebe @usualoma @y0d3n