rfc-st / humble

A humble, and fast, security-oriented HTTP headers analyzer.
https://github.com/rfc-st/humble
MIT License

Trailer checking #17

Closed stanley101music closed 9 months ago

stanley101music commented 9 months ago

Describe the bug
The checking for disallowed directives of Trailer is conflicting.

To Reproduce
Steps to reproduce the behavior:

  1. For example, a header like Trailer: Authorization
  2. The output will not contain the result where the Trailer is using Authorization which is a disallowed directive

Expected behavior
Should have the result, Trailer (Disallowed Directives)

Additional context

if 'Trailer' in headers:
    trailer_h = headers['Trailer'].lower()
    if any(elem in trailer_h for elem in l_trailer):
        print_detail_r('[itrailer_h]', is_red=True)
        if not args.brief:
            matches_trailer = [x for x in l_trailer if x in trailer_h]
            print_detail_l("[itrailer_d_s]")
            print(', '.join(matches_trailer))
            print_detail("[itrailer_d_r]")
        i_cnt[0] += 1
l_trailer = ['Authorization', 'Cache-Control', 'Content-Encoding',
             'Content-Length', 'Content-Type', 'Content-Range', 'Host',
             'Max-Forwards', 'Set-Cookie', 'TE', 'Trailer',
             'Transfer-Encoding']

The any check goes through l_trailer which contains capital letters in every element while it uses .lower() to convert the actual value of Trailer. Therefore, the condition was never met.
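The case mismatch described above, shown as an added example that is not humble's own code: the buggy comparison beside a case-insensitive replacement. The disallowed list is the one quoted in the issue; the fixed function is an assumed repair written here, not the project's actual commit, and it tokenizes the comma-separated Trailer value instead of doing a substring search (a lower-cased substring search would also flag `TE` inside `Content-Type`).

```python
# Added example (not humble's own code). L_TRAILER is the list quoted in the
# issue; fixed_trailer_matches is an assumed fix, not the project's commit.

# Field names that must not be listed in Trailer (from the issue).
L_TRAILER = ['Authorization', 'Cache-Control', 'Content-Encoding',
             'Content-Length', 'Content-Type', 'Content-Range', 'Host',
             'Max-Forwards', 'Set-Cookie', 'TE', 'Trailer',
             'Transfer-Encoding']


def buggy_trailer_matches(headers):
    """Reproduces the reported bug: the header value is lower-cased but the
    list entries keep their capitals, so 'authorization' never contains
    'Authorization' and nothing is ever flagged."""
    trailer_h = headers.get('Trailer', '').lower()
    return [x for x in L_TRAILER if x in trailer_h]


def fixed_trailer_matches(headers):
    """Case-insensitive check (assumed fix). Trailer carries a comma-separated
    list of field names, so split it into tokens and compare each lower-cased
    token against a lower-cased lookup. Token comparison avoids the false
    positive a substring search would give ('te' is inside 'content-type').
    Returns the canonical names from L_TRAILER, sorted."""
    canon = {x.lower(): x for x in L_TRAILER}
    raw = headers.get('Trailer', '')
    tokens = [t.strip().lower() for t in raw.split(',') if t.strip()]
    return sorted({canon[t] for t in tokens if t in canon})


# Constructed sample response headers for both cases.
SAMPLE_BAD = {'Trailer': 'Authorization, Set-Cookie'}
SAMPLE_OK = {'Trailer': 'Expires, X-Checksum'}

if __name__ == '__main__':
    print('buggy:', buggy_trailer_matches(SAMPLE_BAD))   # [] (the bug)
    print('fixed:', fixed_trailer_matches(SAMPLE_BAD))   # ['Authorization', 'Set-Cookie']
    print('fixed:', fixed_trailer_matches(SAMPLE_OK))    # []
```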

rfc-st commented 9 months ago

Hi,

Good finding! Fixed in https://github.com/rfc-st/humble/commit/7d4282c66262a4915b51a9e6f1f8592c76373746

Thanks.

Regards,