OxalisCommunity / oxalis

Oxalis - PEPPOL Access Point open source implementation - Core component

AS2 inbound handler: Invalid characters (CR/LF) in header Content-Type #576

Closed javierestevez closed 1 year ago

javierestevez commented 2 years ago

Affects: at least 5.0.8 and 4.1.2 versions of Oxalis.

Hello,

I have encountered an issue with the Oxalis AS2 inbound handler running inside a Spring application. When sending the MDN back to the AP caller, one of the HTTP headers contains a carriage return and a line feed which Spring Security complains about and results in a 500 error:

java.lang.IllegalArgumentException: Invalid characters (CR/LF) in header Content-Type
    at org.springframework.util.Assert.isTrue(Assert.java:139)
    at org.springframework.security.web.firewall.FirewalledResponse.validateCrlf(FirewalledResponse.java:76)
    at org.springframework.security.web.firewall.FirewalledResponse.setHeader(FirewalledResponse.java:53)
    at javax.servlet.http.HttpServletResponseWrapper.setHeader(HttpServletResponseWrapper.java:168)
    at network.oxalis.as2.inbound.As2Servlet.writeMdn(As2Servlet.java:202)

This feature of Spring Security was added presumably after this issue to avoid HTTP response splitting attacks.

In Oxalis, the MdnBuilder uses javax.mail.internet.MimeMultipart class to build the MDN. The response headers are then copied from the MimeMessage headers inside As2Servlet#writeMdn, resulting in the following HTTP header sent back in the response (note the new line before boundary):

Content-Type: multipart/report; Report-Type=disposition-notification; 
    boundary="----=_Part_3_629902586.1647330658399"

The new line comes from javax.mail.internet.ParameterList#toString method.

Is it possible to sanitize the MimeMessage headers before adding them to the HTTP response?
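As an added illustration of the sanitization step asked about above (example code, not Oxalis's own): unfold RFC 5322 header folding (CRLF followed by whitespace) so the MimeMessage value becomes a single line, then reject any value that still carries CR or LF, since a line break not followed by whitespace is a second header line rather than folding. The `MimeHeaderSanitizer` class name and the `unfold`/`sanitize` methods are assumptions for this example.

```java
import java.util.regex.Pattern;

/**
 * Added example, not Oxalis code: flatten a MIME header value before it is
 * copied into an HTTP response header, and refuse what cannot be flattened.
 */
public final class MimeHeaderSanitizer {

    // RFC 5322 s.2.2.3 folding: a line break (CRLF, LF or bare CR) followed by WSP.
    private static final Pattern FOLD = Pattern.compile("(\\r\\n|\\n|\\r)[ \\t]+");

    /** Replace every fold with one space, collapse runs of blanks, trim the ends. */
    public static String unfold(String value) {
        return FOLD.matcher(value).replaceAll(" ")
                   .replaceAll("[ \\t]{2,}", " ")
                   .trim();
    }

    /**
     * Unfold, then reject anything that still contains CR or LF. After
     * unfolding, a remaining line break means the value tried to start a new
     * header line, which is what Spring's CRLF check exists to stop.
     */
    public static String sanitize(String name, String value) {
        String flat = unfold(value);
        if (flat.indexOf('\r') >= 0 || flat.indexOf('\n') >= 0) {
            throw new IllegalArgumentException(
                "CR/LF remains in header " + name + " after unfolding");
        }
        return flat;
    }

    public static void main(String[] args) {
        // Constructed value mirroring the folded Content-Type quoted in the issue.
        String folded = "multipart/report; Report-Type=disposition-notification; \r\n"
                      + "    boundary=\"----=_Part_3_629902586.1647330658399\"";
        System.out.println("Content-Type: " + sanitize("Content-Type", folded));

        // Constructed value where the line break is not folding: it is rejected.
        try {
            sanitize("Content-Type", "text/plain\r\nSecond-Line: value");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```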

aaron-kumar commented 2 years ago

Why did you receive a message using the AS2 protocol? Who is sending using the AS2 protocol? Did you register your receivers with the AS2 transport protocol in the SMP? If so, please register your receiver with the mandatory AS4 protocol. When you register your receiver with the mandatory AS4 protocol, you will never receive a message on AS2 and hence no such problem.

Note: In Oxalis, we are planning to deprecate the AS2 protocol since it is an optional protocol in Peppol and AS4 is the only mandatory protocol. So we are going to maintain AS4 only.

aaron-kumar commented 1 year ago

Closing this issue since, as per OpenPeppol, AS2 is an optional protocol starting 2020-02-01 and the AS2 protocol will be removed soon. We in the Oxalis community are also starting the process of deprecating and removing AS2 protocol support completely from Oxalis.