revel / revel

A high productivity, full-stack web framework for the Go language.
http://revel.github.io
MIT License

Added verification of X-HTTP-Method-Override before use #1556

Open KilledKenny opened 2 years ago

KilledKenny commented 2 years ago

Verify that the method in X-HTTP-Method-Override is a valid method before using it. Validation is performed using the same logic as net/http does. This prevents a routing confusion vulnerability that allowed an attacker to control the entire internal revel routing path (used to find a controller) via the override header. This issue can be problematic in instances where authentication is based on the path, for example in a revel.Filter, or if the revel app is behind a reverse proxy.
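
The check described above, as an added example that is not the PR's own code: a token-rule validator in the spirit of net/http's method validation, and a resolver that ignores an invalid override header rather than routing on it (the function names and the constructed sample values are this example's, not Revel's).

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// isTokenRune reports whether r is allowed in an HTTP token (RFC 7230 tchar):
// ALPHA / DIGIT / "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
// "^" / "_" / "`" / "|" / "~". net/http applies the same rule to methods.
func isTokenRune(r rune) bool {
	if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') {
		return true
	}
	return strings.ContainsRune("!#$%&'*+-.^_`|~", r)
}

// validMethod accepts a non-empty string made only of token runes, so values
// carrying path separators, spaces or control characters are rejected.
func validMethod(method string) bool {
	if method == "" {
		return false
	}
	return strings.IndexFunc(method, func(r rune) bool { return !isTokenRune(r) }) == -1
}

// resolveMethod picks the method routing should see: the override only when it
// is a valid method, otherwise the request's real method. An invalid override is
// ignored (this PR's behaviour) rather than turned into a rejected request.
func resolveMethod(requestMethod, override string) string {
	if override != "" && validMethod(override) {
		return override
	}
	return requestMethod
}

// effectiveMethod applies resolveMethod to a live request.
func effectiveMethod(r *http.Request) string {
	return resolveMethod(r.Method, r.Header.Get("X-HTTP-Method-Override"))
}

func main() {
	// Constructed sample values: one legitimate override and two malformed ones.
	for _, o := range []string{"DELETE", "DELETE/admin", "GET Hostile"} {
		fmt.Printf("POST with override %q -> routed as %q\n", o, resolveMethod("POST", o))
	}
}
```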

KilledKenny commented 2 years ago

This fix is almost identical to #1555. The functional difference is that my fix ignores the header when it's invalid, while movitz-s fix will return nil if the header is invalid.

notzippy commented 2 years ago

This looks good to me - @brendensoares thoughts?

brendensoares commented 2 years ago

I appreciate the unit tests you included, but could you also provide steps to reproduce the vulnerability so we can verify this correctly addresses it?

Thank you for contributing to Revel and OSS!

brendensoares commented 2 years ago

Added new code review comments.

Also, I got your proof of concept code to test for this vulnerability in Gitter. Thank you.