[backport]: fix: patch http-proxy to prevent request smuggling in rewrites (#65) (#67)

* fix: patch http-proxy to prevent request smuggling in rewrites (#65)

* namespace temp files (#50)

* fix: patch http-proxy to prevent request smuggling in rewrites

* ncc

(cherry picked from commit e9a0b6dd0a27d07c0526b1d8d1b71c13ad4951dd)

* block hop-by-hop TE rewrite smuggling bypass (#70)

* block hop-by-hop TE rewrite smuggling bypass

* more hardening

* chore: minimize lockfile delta for http-proxy patch

Author: ztanner

package.json

@@ -338,6 +338,7 @@
       "webpack-sources@3.2.3": "patches/webpack-sources@3.2.3.patch",
       "stacktrace-parser@0.1.10": "patches/stacktrace-parser@0.1.10.patch",
       "@types/node@20.17.6": "patches/@types__node@20.17.6.patch",
+      "http-proxy@1.18.1": "patches/http-proxy@1.18.1.patch",
       "taskr@1.1.0": "patches/taskr@1.1.0.patch"
     }
   }

packages/next/src/compiled/http-proxy/index.js

@@ -0,0 +1,90 @@
+diff --git a/lib/http-proxy/common.js b/lib/http-proxy/common.js
+index 6513e81d80d5250ea249ea833f819ece67897c7e..09143dd1fe4e67885f40ea916a6ea1ef3e3afa19 100644
+--- a/lib/http-proxy/common.js
++++ b/lib/http-proxy/common.js
+@@ -1,9 +1,9 @@
+ var common   = exports,
+     url      = require('url'),
+-    extend   = require('util')._extend,
+     required = require('requires-port');
+ 
+ var upgradeHeader = /(^|,)\s*upgrade\s*($|,)/i,
++    hopByHopTransferEncodingHeader = /(^|,)\s*transfer-encoding\s*($|,)/i,
+     isSSL = /^https|wss/;
+ 
+ /**
+@@ -40,10 +40,10 @@ common.setupOutgoing = function(outgoing, options, req, forward) {
+   );
+ 
+   outgoing.method = options.method || req.method;
+-  outgoing.headers = extend({}, req.headers);
++  outgoing.headers = Object.assign({}, req.headers);
+ 
+   if (options.headers){
+-    extend(outgoing.headers, options.headers);
++    Object.assign(outgoing.headers, options.headers);
+   }
+ 
+   if (options.auth) {
+@@ -61,13 +61,22 @@ common.setupOutgoing = function(outgoing, options, req, forward) {
+ 
+   outgoing.agent = options.agent || false;
+   outgoing.localAddress = options.localAddress;
++  outgoing.headers = outgoing.headers || {};
++  var hasTransferEncodingHeader = Object.keys(outgoing.headers).some(function (header) {
++    return header.toLowerCase() === 'transfer-encoding'
++      && typeof outgoing.headers[header] !== 'undefined';
++  });
++
++  if (hasTransferEncodingHeader
++      || (typeof outgoing.headers.connection === 'string'
++          && hopByHopTransferEncodingHeader.test(outgoing.headers.connection))
++     ) { outgoing.headers.connection = 'close'; }
+ 
+   //
+   // Remark: If we are false and not upgrading, set the connection: close. This is the right thing to do
+   // as node core doesn't handle this COMPLETELY properly yet.
+   //
+   if (!outgoing.agent) {
+-    outgoing.headers = outgoing.headers || {};
+     if (typeof outgoing.headers.connection !== 'string'
+         || !upgradeHeader.test(outgoing.headers.connection)
+        ) { outgoing.headers.connection = 'close'; }
+diff --git a/lib/http-proxy/index.js b/lib/http-proxy/index.js
+index 977a4b3622b9eaac27689f06347ea4c5173a96cd..88b2d0fcfa03c3aafa47c7e6d38e64412c45a7cc 100644
+--- a/lib/http-proxy/index.js
++++ b/lib/http-proxy/index.js
+@@ -1,5 +1,4 @@
+ var httpProxy = module.exports,
+-    extend    = require('util')._extend,
+     parse_url = require('url').parse,
+     EE3       = require('eventemitter3'),
+     http      = require('http'),
+@@ -47,9 +46,9 @@ function createRightProxy(type) {
+         args[cntr] !== res
+       ) {
+         //Copy global options
+-        requestOptions = extend({}, options);
++        requestOptions = Object.assign({}, options);
+         //Overwrite with request options
+-        extend(requestOptions, args[cntr]);
++        Object.assign(requestOptions, args[cntr]);
+ 
+         cntr--;
+       }
+diff --git a/lib/http-proxy/passes/web-incoming.js b/lib/http-proxy/passes/web-incoming.js
+index 7ae735514190eea569c605fff7d27c045fe8d601..c7c25e7228b21c76b3c7115af82ddcbf13a8e3ec 100644
+--- a/lib/http-proxy/passes/web-incoming.js
++++ b/lib/http-proxy/passes/web-incoming.js
+@@ -33,9 +33,9 @@ module.exports = {
+ 
+   deleteLength: function deleteLength(req, res, options) {
+     if((req.method === 'DELETE' || req.method === 'OPTIONS')
+-       && !req.headers['content-length']) {
++       && typeof req.headers['content-length'] === 'undefined'
++       && typeof req.headers['transfer-encoding'] === 'undefined') {
+       req.headers['content-length'] = '0';
+-      delete req.headers['transfer-encoding'];
+     }
+   },
+ 

patches/http-proxy@1.18.1.patch

@@ -0,0 +1,13 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+  async rewrites() {
+    return [
+      {
+        source: '/rewrites/:path*',
+        destination: `http://127.0.0.1:${process.env.TEST_INTERMEDIARY_PORT}/rewrites/:path*`,
+      },
+    ]
+  },
+}
+
+module.exports = nextConfig

pnpm-lock.yaml

@@ -0,0 +1,3 @@
+export default function Page() {
+  return <p>hello world</p>
+}

test/e2e/rewrite-request-smuggling/next.config.js

@@ -0,0 +1,234 @@
+import net from 'net'
+import http from 'http'
+import { createNext, NextInstance } from 'e2e-utils'
+import { findPort, retry } from 'next-test-utils'
+
+describe('rewrite-request-smuggling', () => {
+  if ((global as any).isNextDeploy) {
+    it('should skip deploy', () => {})
+    return
+  }
+
+  let backend: http.Server
+  let backendPort: number
+  let intermediary: http.Server
+  let intermediaryPort: number
+  let next: NextInstance
+  const backendRequests: string[] = []
+
+  async function sendSmugglingPayload({
+    nextPort,
+    connectionHeader,
+    method = 'DELETE',
+    rewritePath = '/rewrites/poc',
+  }: {
+    nextPort: number
+    connectionHeader: string
+    method?: 'DELETE' | 'OPTIONS'
+    rewritePath?: string
+  }) {
+    const smuggledRequest = Buffer.from(
+      `GET /secret HTTP/1.1\r\nHost: 127.0.0.1:${nextPort}\r\n\r\n`,
+      'latin1'
+    )
+    const chunkSize = Buffer.from(
+      `${smuggledRequest.length.toString(16).toUpperCase()}\r\n`,
+      'latin1'
+    )
+
+    const payload = Buffer.concat([
+      Buffer.from(
+        `${method} ${rewritePath} HTTP/1.1\r\nHost: 127.0.0.1:${nextPort}\r\nTransfer-Encoding: chunked\r\nConnection: ${connectionHeader}\r\n\r\n`,
+        'latin1'
+      ),
+      chunkSize,
+      smuggledRequest,
+      Buffer.from('\r\n0\r\n\r\n', 'latin1'),
+    ])
+
+    await new Promise<void>((resolve, reject) => {
+      const socket = net.createConnection({
+        host: '127.0.0.1',
+        port: nextPort,
+      })
+
+      socket.once('connect', () => {
+        socket.write(payload)
+      })
+      socket.once('error', reject)
+      socket.setTimeout(1000, () => socket.destroy())
+      socket.once('close', () => resolve())
+    })
+  }
+
+  beforeAll(async () => {
+    backendPort = await findPort()
+    intermediaryPort = await findPort()
+
+    backend = http.createServer((req, res) => {
+      backendRequests.push(`${req.method} ${req.url}`)
+
+      if (req.url?.startsWith('/rewrites/')) {
+        res.statusCode = 200
+        res.end('rewrite-ok')
+        return
+      }
+
+      if (req.url === '/secret') {
+        res.statusCode = 200
+        res.end('secret')
+        return
+      }
+
+      res.statusCode = 404
+      res.end('not-found')
+    })
+
+    intermediary = http.createServer((req, res) => {
+      const connectionHeader = Array.isArray(req.headers['connection'])
+        ? req.headers['connection'].join(',')
+        : req.headers['connection'] || ''
+      const hopByHopHeaders = connectionHeader
+        .split(',')
+        .map((h) => h.trim().toLowerCase())
+        .filter(Boolean)
+      const stripTransferEncodingUnconditionally =
+        req.url?.startsWith('/rewrites/non-rfc-strip') || false
+
+      const forwardHeaders: Record<string, string | string[]> = {}
+      for (const [key, value] of Object.entries(req.headers)) {
+        if (key === 'connection') continue
+        if (stripTransferEncodingUnconditionally && key === 'transfer-encoding')
+          continue
+        if (hopByHopHeaders.includes(key)) continue
+        if (value !== undefined) {
+          forwardHeaders[key] = value
+        }
+      }
+      forwardHeaders.connection = stripTransferEncodingUnconditionally
+        ? connectionHeader.toLowerCase().includes('close')
+          ? 'close'
+          : 'keep-alive'
+        : 'keep-alive'
+
+      const proxyReq = http.request(
+        {
+          hostname: '127.0.0.1',
+          port: backendPort,
+          method: req.method,
+          path: req.url,
+          headers: forwardHeaders,
+        },
+        (proxyRes) => {
+          res.writeHead(proxyRes.statusCode || 500, proxyRes.headers)
+          proxyRes.pipe(res)
+        }
+      )
+
+      proxyReq.on('error', () => {
+        res.statusCode = 502
+        res.end('Bad Gateway')
+      })
+
+      req.pipe(proxyReq)
+    })
+
+    await new Promise<void>((resolve, reject) => {
+      backend.listen(backendPort, '127.0.0.1', resolve)
+      backend.once('error', reject)
+    })
+
+    await new Promise<void>((resolve, reject) => {
+      intermediary.listen(intermediaryPort, '127.0.0.1', resolve)
+      intermediary.once('error', reject)
+    })
+
+    next = await createNext({
+      files: __dirname,
+      env: {
+        TEST_INTERMEDIARY_PORT: String(intermediaryPort),
+      },
+    })
+  })
+
+  afterAll(async () => {
+    await next?.destroy()
+    await new Promise<void>((resolve) => intermediary.close(() => resolve()))
+    await new Promise<void>((resolve) => backend.close(() => resolve()))
+  })
+
+  it('does not smuggle a second request when using keep-alive only', async () => {
+    backendRequests.length = 0
+
+    const nextPort = Number(new URL(next.url).port)
+    await sendSmugglingPayload({ nextPort, connectionHeader: 'keep-alive' })
+
+    await retry(async () => {
+      expect(backendRequests).toContain('DELETE /rewrites/poc')
+    })
+    expect(backendRequests).not.toContain('GET /secret')
+  })
+
+  it('does not smuggle a second request with keep-alive, upgrade', async () => {
+    backendRequests.length = 0
+
+    const nextPort = Number(new URL(next.url).port)
+    await sendSmugglingPayload({
+      nextPort,
+      connectionHeader: 'keep-alive, upgrade',
+    })
+
+    await retry(async () => {
+      expect(backendRequests).toContain('DELETE /rewrites/poc')
+    })
+    expect(backendRequests).not.toContain('GET /secret')
+  })
+
+  it('does not smuggle a second request with Transfer-Encoding, upgrade', async () => {
+    backendRequests.length = 0
+
+    const nextPort = Number(new URL(next.url).port)
+    await sendSmugglingPayload({
+      nextPort,
+      connectionHeader: 'Transfer-Encoding, upgrade',
+    })
+
+    await retry(async () => {
+      expect(backendRequests).toContain('DELETE /rewrites/poc')
+    })
+    expect(backendRequests).not.toContain('GET /secret')
+  })
+
+  it('does not smuggle a second request for OPTIONS with Transfer-Encoding, upgrade', async () => {
+    backendRequests.length = 0
+
+    const nextPort = Number(new URL(next.url).port)
+    await sendSmugglingPayload({
+      nextPort,
+      method: 'OPTIONS',
+      connectionHeader: 'Transfer-Encoding, upgrade',
+    })
+
+    await retry(async () => {
+      expect(backendRequests).toContain('OPTIONS /rewrites/poc')
+    })
+    expect(backendRequests).not.toContain('GET /secret')
+  })
+
+  it('does not smuggle a second request when an intermediary strips transfer-encoding unconditionally', async () => {
+    backendRequests.length = 0
+
+    const nextPort = Number(new URL(next.url).port)
+    await sendSmugglingPayload({
+      nextPort,
+      method: 'OPTIONS',
+      rewritePath: '/rewrites/non-rfc-strip',
+      connectionHeader: 'keep-alive, upgrade',
+    })
+
+    await retry(async () => {
+      expect(backendRequests).toContain('OPTIONS /rewrites/non-rfc-strip')
+    })
+    expect(backendRequests).not.toContain('GET /secret')
+  })
+})