fail if user tries writing bytes after request is sent

[artemredkin]

Fail if user tries writing body parts after request is sent.

Motivation:
This is could be a security issue.

Modifications:

1. Check state when writing body parts and fail if its not idle
2. Added a test

Result:
Closes #252

[Lukasa]

LGTM, nice patch

[weissi]

This looks good! Left a few comments because I think some details aren't quite right yet.

[weissi]

aren't we leaking the group here? It needs to be stopped.

[artemredkin]

oops, we do

[artemredkin]

fixed

[weissi]

This can't be quite right (and I think we should have a test for this). We're calling out to the user here before we change our state. So we may get user code "sandwiched in" here.

[artemredkin]

I've re-ordered things, not sure yet how to test it though, I'll have to get access to a handlers internal state... Could you elaborate on "sandwiched" code a bit?

[weissi]

@artemredkin sure. If you do promise.fail(...), then the promise's whenFailure and other code will run inline here. So we detected an error (ie. we should be in state .endOrError) but we call out before we entered the .endOrError state. So if the user for example uses another method that does a state check, we potentially have an issue because their code runs before the self.state = .endOrError so they won't see it. That could lead us to make wrong decisions.

[artemredkin]

ah, that is so obvious now :) I'll think about how to test this

[artemredkin]

@Lukasa could you pick up from Johannes here? I've added a test to verify that if delegate is called here, state is changed. I haven't figured out how to attach anything to that promise though... It seems that I need to have access to channel.write(HTTPClient.request, promise), and I don't think anything in the code can attach to it

[weissi]

I think (would need a test here too) that we're policing the body length too late here, no? We seem to just add the readableBytes but I can't see that we check that it's actually less than or equal the number of body bytes allowed.

What happens if we do say content-length: 1 and then send XABCDEFG, aren't we then still sending ABCDEFG? I think we are and that'd be a security vulnerability because we could smuggle a request (say we did XGET /something HTTP/1.1\r\n\r\n

[artemredkin]

thats a great point, yeah, we only check in the end, let me see how I can handle it here

[artemredkin]

ok, I added an early fail here

[weissi]

@artemredkin this looks good but given that it's security relevant, could we add a test specifically for that case (one that'd fail without the new condition)

[artemredkin]

we already have it, by accident, we have two tests for content-length/body-length checks:

• testContentLengthTooLongFails
• testContentLengthTooShortFails
  Last one will fail at the end of the request, before we send .end, but the first one will now be failed by this new check

[artemredkin]

Potentially we can split the error message, just to be sure

[weissi]

@artemredkin I think we need a new one that tests that we do not send the bytes.

[weissi]

Because as soon as the bytes are on the wire, we created a security vulnerability. Even if we detect later that something's wrong, it'll be too late.

[artemredkin]

@Lukasa same here, I've added a test to check that we do not send more bytes then body length, although I'm not 100% sure its foolproof

[Lukasa]

One note in the test.

Regarding the promise that Johannes was talking about, you cannot attach to it directly so it does not immediately matter. In practice it will trigger the callouts to the delegate first: if those callouts are safe, the rest will be too.

[Lukasa]

We can also check on the EmbeddedChannel that only the bytes we expected got written (i.e. the HTTP request head and nothing else, indicating that the check fired before the write did.

[artemredkin]

great idea, done!

[Lukasa]

Sadly I don't have admin on this repo, so we'll need @tomerd to dismiss @weissi's out-of-date review.

later review by @Lukasa

[tomerd]

@Lukasa go ahead

[tomerd]

cc @ktoso