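---
#
# It is OK to tolerate some deviations from RFC, as long as they
# do not bring risks of HTTP DeSync attacks.
# If Transfer-Encoding/Content-Length are good, and no other
# critical violations are found, let it flow.
#
# Every case in this file expects `tier: Acceptable`: the request
# deviates from the RFC somewhere, but the message framing (TE/CL)
# is unambiguous, so the deviation is not a desync vector.
#
# A header name with a trailing space is the non-compliant part here;
# there is no TE/CL header at all, so nothing can be mis-framed.
- name: No TE/CL headers, some others are non-compliant
  uri: /foo/bar
  method: PUT
  version: HTTP/1.1
  headers:
  # Trailing space inside the quotes is intentional.
  - name: "x-my-custom-header "
    value: "some value"
    tier: NonCompliant
  - name: "x-my-second-custom-header"
    value: "some value"
    tier: Compliant
  expected:
    tier: Acceptable
    reason: NonCompliantHeader
    # Strings the classifier's diagnostic must contain; presumably a
    # substring match, since the item omits the trailing space — verify
    # against the test harness.
    required_message_items:
    - "x-my-custom-header"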
# Same non-compliant header as above, now alongside a well-formed
# Transfer-Encoding: chunked. The framing header itself is Compliant,
# so the case remains Acceptable with the header named in the message.
- name: TE and some others are non-compliant
  uri: /foo/bar
  method: PUT
  version: HTTP/1.1
  headers:
  - name: "x-my-custom-header "
    value: 'some value'
    tier: NonCompliant
  - name: 'Transfer-Encoding'
    value: 'chunked'
    tier: Compliant
  expected:
    tier: Acceptable
    reason: NonCompliantHeader
    required_message_items:
    - 'x-my-custom-header'
# A non-essential header whose name starts with a control character.
# `\x01` is a YAML double-quoted escape (one U+0001 byte), so double
# quotes are required here; single quotes would keep the backslash
# literally.
- name: A non-essential header with a non-printable character (x01)
  uri: /foo/bar
  method: PUT
  version: HTTP/1.1
  headers:
  - name: "\x01x-my-custom-header"
    value: 'some value'
    tier: NonCompliant
  - name: 'Transfer-Encoding'
    value: 'chunked'
    tier: Compliant
  expected:
    tier: Acceptable
    reason: NonCompliantHeader
    # The expected message item is the name without the control byte.
    required_message_items:
    - 'x-my-custom-header'
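# Same non-compliant header next to a well-formed Content-Length.
- name: CL and some others are non-compliant
  uri: /foo/bar
  method: PUT
  version: HTTP/1.1
  headers:
  - name: "x-my-custom-header "
    value: "some value"
    tier: NonCompliant
  - name: "Content-Length"
    # Quoted so the header value is a string under every YAML loader;
    # a plain 10000 is implicitly typed as an integer.
    value: "10000"
    tier: Compliant
  expected:
    tier: Acceptable
    reason: NonCompliantHeader
    required_message_items:
    - "x-my-custom-header"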
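# https://tools.ietf.org/html/rfc7231#section-4.3
# A payload within a GET/HEAD request message has no defined semantics.
# However, Content-Length: 0 is safe for GET/HEAD: it declares an empty
# body, so there is nothing for a front-end and back-end to disagree on.
- name: 'Get with a body and Content-Length:0'
  uri: /foo/bar
  method: GET
  version: HTTP/1.1
  headers:
  - name: Content-Length
    # Quoted so the value stays the string "0" rather than an integer.
    value: "0"
    tier: NonCompliant
  expected:
    tier: Acceptable
    reason: GetHeadZeroContentLength
    required_message_items:
    - "Content-Length"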
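# HEAD counterpart of the GET case: the name previously duplicated the
# GET case's name, which made the two indistinguishable in test output.
- name: 'Head with a body and Content-Length:0'
  uri: /foo/bar
  method: HEAD
  version: HTTP/1.1
  headers:
  - name: Content-Length
    # Quoted so the value stays the string "0" rather than an integer.
    value: "0"
    tier: NonCompliant
  expected:
    tier: Acceptable
    reason: GetHeadZeroContentLength
    required_message_items:
    - "Content-Length"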
# Legacy protocol version. Not covered by the current RFCs, but with a
# single well-formed header and no TE/CL it is still Acceptable; the
# classifier is expected to flag the version as the reason.
- name: 'Non-RFC, but OK HTTP/0.9'
  uri: /foo/bar
  method: GET
  version: HTTP/0.9
  headers:
  - name: X-My-Header
    value: some value
    tier: Compliant
  expected:
    tier: Acceptable
    reason: NonCompliantVersion
# Request line without a version token. The case name treats this as
# HTTP/0.9; the expected outcome matches the explicit HTTP/0.9 case.
- name: 'Empty version, which means HTTP/0.9'
  uri: /foo/bar
  method: GET
  # Quoted on purpose: a bare `version:` would load as null, not "".
  version: ""
  headers:
  - name: X-My-Header
    value: some value
    tier: Compliant
  expected:
    tier: Acceptable
    reason: NonCompliantVersion
# A version the classifier does not know. As with HTTP/0.9, an unknown
# version alone is reported (NonCompliantVersion) but tolerated.
- name: 'Unknown but OK HTTP/1.2'
  uri: /foo/bar
  method: GET
  version: HTTP/1.2
  headers:
  - name: X-My-Header
    value: some value
    tier: Compliant
  expected:
    tier: Acceptable
    reason: NonCompliantVersion