Azure / azure-storage-php

Microsoft Azure Storage Library for PHP
MIT License

guzzlehttp/psr7's fix for CVE-2022-24775 broke TableRestProxy::batchAsync #327

Closed spaze closed 2 years ago

spaze commented 2 years ago

Which service(blob, file, queue, table) does this issue concern?

Table

Which version of the SDK was used?

1.1.5

What's the PHP/OS version?

PHP 8+/Ubuntu

What problem was encountered?

After upgrading guzzlehttp/psr7 to 2.1.1+, batch requests fail

Steps to reproduce the issue?

  1. Update guzzlehttp/psr7 to 2.1.1+, I went to 2.2.1 (latest)
  2. Send some batch requests
  3. InvalidArgumentException is thrown with
    "multipart/mixed; 
    boundary="batch_56a456ec-a7c9-4faa-8101-35a8f58c3f62"" is not valid header value

This is because guzzlehttp/psr7 has fixed a security vulnerability (CVE-2022-24775) and the fix broke MimeReaderWriter::encodeMimeMultipart():

https://github.com/Azure/azure-storage-php/blob/0539ffb080779b29bc08c23caf24a19b77ad5e94/azure-storage-table/src/Table/Internal/MimeReaderWriter.php#L76

This is the guzzlehttp/psr7 fix: https://github.com/guzzle/psr7/pull/485 (relevant lines); it has disallowed new lines in header values. Please note the regex was updated in https://github.com/guzzle/psr7/pull/492, but that wasn't relevant to the reported issue.

Have you found a mitigation/solution?

Yes, #328, but you know me already 😅
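
The failure described in this issue, as an added example that is not code from azure-storage-php or guzzlehttp/psr7: a header-value check of the kind guzzlehttp/psr7 introduced for CVE-2022-24775 (CR and LF are rejected, so a value cannot smuggle in a second header line), run against the folded Content-Type value the Table SDK built for batch requests and against a single-line replacement. The regex, the function names and the exact end-of-line sequence in the folded value (shown as CRLF) are this example's own assumptions modelled on the reported behaviour; the boundary string is the one quoted in the report.

```php
<?php
declare(strict_types=1);

// Added example, not code from azure-storage-php or guzzlehttp/psr7.
// Function names and the regex are assumptions modelled on the behaviour
// described in the issue, not copied from either project.

/**
 * Reject header values that could inject extra header lines or a body.
 * Allowed: SP, HTAB, visible ASCII and obs-text (0x80-0xFF). CR and LF are
 * excluded, so both a line fold and "\r\nX-Injected: 1" throw.
 * The /D modifier makes "$" match only at the true end of the string;
 * without it PCRE would accept a value ending in a single trailing "\n".
 */
function assertHeaderValue(string $value): void
{
    if (!preg_match('/^[\x20\x09\x21-\x7E\x80-\xFF]*$/D', $value)) {
        throw new InvalidArgumentException(
            sprintf('"%s" is not valid header value', $value)
        );
    }
}

/** Content-Type folded onto two lines, as the SDK emitted it before #328 (CRLF assumed). */
function foldedBatchContentType(string $boundary): string
{
    return "multipart/mixed; \r\nboundary=\"{$boundary}\"";
}

/** The same Content-Type on one line, which the stricter check accepts. */
function singleLineBatchContentType(string $boundary): string
{
    return "multipart/mixed; boundary=\"{$boundary}\"";
}

/** True when the value passes the check, false when it is rejected. */
function headerValueAccepted(string $value): bool
{
    try {
        assertHeaderValue($value);
        return true;
    } catch (InvalidArgumentException $e) {
        return false;
    }
}

// Boundary quoted in the issue report; any unique token works.
$boundary = 'batch_56a456ec-a7c9-4faa-8101-35a8f58c3f62';

// Constructed sample values: the two SDK variants plus two injection attempts.
$cases = [
    'folded (pre-#328 SDK)'     => foldedBatchContentType($boundary),
    'single line (fixed)'       => singleLineBatchContentType($boundary),
    'CRLF injection attempt'    => "text/plain\r\nX-Injected: 1",
    'trailing LF only'          => "text/plain\n",
];

foreach ($cases as $label => $value) {
    printf("%-26s %s\n", $label, headerValueAccepted($value) ? 'accepted' : 'rejected');
}
```

Only the single-line value is accepted; the folded value fails for exactly the reason the SDK's batch requests started throwing after the psr7 upgrade, and the two injection-style values are refused by the same rule, which is why the psr7 side of this is a security fix rather than a regression.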

ScottHelme commented 2 years ago

@katmsft @XiaoningLiu this is a pretty big blocker, any chance it could be looked at?

spaze commented 2 years ago

If anyone wants/needs to update their guzzlehttp/psr7 to fix the reported vulnerability, here's how you can do it immediately without waiting for a new Azure SDK release (which experience from previous releases tells me will not happen any time soon).

Get the patch from the PR with

    # save it under the path referenced from composer.patches.json below
    wget -O patches/azure-328-no-eol-in-headers.diff https://github.com/Azure/azure-storage-php/pull/328.diff

Add this to your composer.json:

    "extra": {
        "patches-file": "patches/composer.patches.json"
    },

Add the composer.patches.json file:

    {
        "patches": {
            "microsoft/azure-storage-table": {
                "No EOLs in Content-Type headers": "patches/azure-328-no-eol-in-headers.diff"
            }
        }
    }

And finally, install and use the cweagans/composer-patches Composer plugin to patch the file locally. Run composer update microsoft/azure-storage-table after installing the plugin.

Once, and if, the maintainers release a new version, you can simply remove the plugin and the composer.patches.json file (and PATCHES.txt from the vendor/microsoft/azure-storage-table dir).