-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added a UriCompliance.Violation.USER_INFO
to deprecate user info in HttpURI
#12012
Added a UriCompliance.Violation.USER_INFO
to deprecate user info in HttpURI
#12012
Conversation
As per [RFC9110](https://datatracker.ietf.org/doc/html/rfc9110#name-deprecation-of-userinfo-in-) user info is deprecated in server implementations. The new violation for USER_DATA is included by default in 12.0.x, but will be removed in 12.1.x
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The RequestTest could use a minor improvement.
Arguments.of(UriCompliance.DEFAULT, "https://local/", 200, "local"), | ||
Arguments.of(UriCompliance.DEFAULT, "https://other/", 400, "Authority!=Host"), | ||
Arguments.of(UriCompliance.DEFAULT, "https://user@local/", 400, "Deprecated User Info"), | ||
Arguments.of(UriCompliance.LEGACY, "https://user@local/", 200, "local"), | ||
Arguments.of(UriCompliance.DEFAULT, "/%2F/", 400, "Ambiguous URI path separator"), | ||
Arguments.of(UriCompliance.UNSAFE, "/%2F/", 200, "local") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we split the good and bad tests apart.
Also, can we use a hostname in the URI that is different than the one used in the Host: local
header to make sure understand which host it is using?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we split the good and bad tests apart.
I did that, but it only saves a couple of lines and requires 40 lines to be duplicated, so a net loss. It also makes it hard to see the difference between the 200 and 400 tests, which is good to see exactly what we are testing. So I prefer it as a single test.
Also, can we use a hostname in the URI that is different than the one used in the
Host: local
header to make sure understand which host it is using?
I added a bunch more tests, including ones that allow HttpCompliance with different authorities.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
Will be good to have it bake for a while too.
This change causes unencoded [ and ] to be rejected too (400 Illegal Path Character). Not sure if that is intended? |
@d2a-pnagel what does the raw (on the network) HTTP request look like that triggers this issue for you? |
Not sure about "on the network", but this is output from curl. Is that sufficient? Jetty 12.0.11 returns a 404 Not Found for the same request.
|
Yes, that is sufficient. The Those two characters are reserved for IPv6 or IPvLiteral authority sections on the URI. The change from parsing the whole URI to just parsing the pathQuery is tripping up the gen-delims vs sub-delims nuance of the path parsing. I'll open a new Issue about this. |
Opened Issue #12259 |
Is there a PR for Jetty 11? |
Will this be backported to jetty 9.4.x? |
This will not be backported to an End of Community Support version of Jetty.
As stated in CVE-2024-6763, the use of Jetty server, or Jetty client, does not make you vulnerable to that CVE. The code for HttpURI is also quite different in those older, no longer supported, versions of Jetty. |
For 9.x and 10.x.
Does it means "as it is different, it is not concerned by that issue" ? or more "it is different so not so easy to backport" ? I maybe missed the information in provided links but I understand that 9.x and 10.x still get security fix, right ? |
The change you see here is to flag the userInfo portion of the URI/URL as deprecated. Jetty 12 is RFC9110 and that has language around userInfo being an error / security issue. Nothing in Jetty Server or Jetty Client (all versions of Jetty) uses or reads from the userInfo portion of the URI/URL. This is the reason there is no change for Jetty 11/10/9/8/7. The details of the CVE point out the difference in parsing between RFC3986 (which all protocols use) and WhatWG Living URL document (that only Browsers use). That's where the flaw exists, that flaw cannot be addressed by Jetty. The IETF and WhatWG need to get together and come up with a singular URI/URL spec to address this issue. If you start to look around, you'll see that there are some projects that provide separate parsers for RFC3986 and WhatWG. Example (from spring-framework)
Since Jetty operates within the HTTP protocols, we are RFC based. |
@joakime sorry if I missed something. But reading your comment, I understand that jetty-http 9 is not affected by : CVE-2024-6763 ? If that's true, does it means there is an error in : Affected versions |
@sbernard31 the point of the CVE is to point out the issue between HttpURI and WhatWG. The patch you are seeing here is to address another, slightly related, point with the userInfo portion with RFC9110. The CVE points out that there is still issue in parsing differences between HttpURI and WhatWG, even with this patch. In fact, yes, I think the Affected versions is wrong, but in a different way, it should be open ended. So the solution here, for Jetty 12, using a convenient RFC9110 rule, is to just deprecate the userInfo portion, and declare its existence a violation of the UriCompliance. Jetty 9 doesn't even have a UriCompliance, nor is it RFC9110. This PR in Jetty 9 makes no sense. Like the CVE points out, if you are using the HttpURI directly in your webapp, and are using it in a proxy scenario which is used by Chrome, then stop using Jetty's HttpURI, and any other RFC3986 parser, and find a WhatWG parser instead. |
@joakime thx a lot for taking time to clarify that. I think I understand the issue a bit more now. Let me explain how I fall on this PR :
I think lot of people will face more or less same kind of issue and will follow the path above ☝️ and I'm not sure it's a good thing, because this will lead to alarm many people which are probably not really concerned. (because they are just using jetty-server or client and not HttpUri directly) You also explain there is not so much reason to consider jetty You explain that for jetty 12 , you just "deprecate the userInfo portion, and declare its existence a violation of the UriCompliance". Should it be a better solution to deliver a version for jetty 9.x / 10.x :
I know that some could argue that "this will hide the issue because maybe some dev doesn't look at deprecated code" but maybe in this case as "this is a LOW severity" and "probably most user are using jetty-server or jetty-client directly", this could be OK and so will lead to less noises for most users ? |
@sbernard31 just a reminder, Jetty 9/10/11 all go full EOL on January 1, 2025. (no more updates) |
Thx bad new for us. 😬 |
@joakime I understand as Jetty 9/10//11 will not be maintained anymore in few days. My comment above is maybe not so relevant. But today, I discover VEX (Vulnerability eXploitability Exchange) and I think this could have solve the issue I raised above. If I understand correctly you could have created a VEX saying that jetty-server / jetty-client is not concerned directly by CVE-2024-6763. I just share this just in case this could interest you if same kind of situation happens in the future. If you also ask yourself about consequences of bad declaration of direct dependencies, see : aquasecurity/trivy#7784 (Now, I stop flooding this PR with a bit out of topic comment 😬) |
At present, the latest version of Geoserver still relies on jetty9.4.56-v20240826. Will this vulnerability affect its service itself? |
@sbernard31 @fdj0926 Not that Jetty 9/10/11 are going end-of-life for opensource support, not end-of-life for all support. So depending on commercial support contracts, there may be some maintenance on these branches of Jetty, it is just that we do not guarantee to do so. As we currently do have commercial clients on all those release, it is likely that there will be releases for some time. But the timing and nature of those fixes will be entirely dictated by the commercial needs of those clients. @sbernard31 Thanks for pointing out VEX. We will have a look. However, I'm not sure it will have the fidelity to say "this artifact is vulnerable if you consume it as a library, but not vulnerable if consumed as part of some other artifact"... but maybe?? we will look. @fdj0926 If you just use the server parts of jetty and don't consume the HttpURI class as a library, then you are not vulnerable to this CVE |
As per RFC9110 user info is deprecated in server implementations. The new violation for USER_DATA is included by default in 12.0.x, but will be removed in 12.1.x
Addresses CVE-2024-6763