1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
|
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
using System.Buffers;
using System.Diagnostics;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Infrastructure;
namespace Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http;
using BadHttpRequestException = Microsoft.AspNetCore.Http.BadHttpRequestException;
/// <summary>
/// This API supports framework infrastructure and is not intended to be used
/// directly from application code.
/// </summary>
/// <typeparam name="TRequestHandler">This API supports framework infrastructure and is not intended to be used
/// directly from application code.</typeparam>
public class HttpParser<TRequestHandler> : IHttpParser<TRequestHandler> where TRequestHandler : IHttpHeadersHandler, IHttpRequestLineHandler
{
private readonly bool _showErrorDetails;
private readonly bool _disableHttp1LineFeedTerminators;
/// <summary>
/// This API supports framework infrastructure and is not intended to be used
/// directly from application code.
/// </summary>
public HttpParser() : this(showErrorDetails: true)
{
}
/// <summary>
/// This API supports framework infrastructure and is not intended to be used
/// directly from application code.
/// </summary>
public HttpParser(bool showErrorDetails) : this(showErrorDetails, AppContext.TryGetSwitch(KestrelServerOptions.DisableHttp1LineFeedTerminatorsSwitchKey, out var disabled) && disabled)
{
}
internal HttpParser(bool showErrorDetails, bool disableHttp1LineFeedTerminators)
{
_showErrorDetails = showErrorDetails;
_disableHttp1LineFeedTerminators = disableHttp1LineFeedTerminators;
}
// byte types don't have a data type annotation so we pre-cast them; to avoid in-place casts
private const byte ByteCR = (byte)'\r';
private const byte ByteLF = (byte)'\n';
private const byte ByteColon = (byte)':';
private const byte ByteSpace = (byte)' ';
private const byte ByteTab = (byte)'\t';
private const byte ByteQuestionMark = (byte)'?';
private const byte BytePercentage = (byte)'%';
private const int MinTlsRequestSize = 1; // We need at least 1 byte to check for a proper TLS request line
/// <summary>
/// This API supports framework infrastructure and is not intended to be used
/// directly from application code.
/// </summary>
public bool ParseRequestLine(TRequestHandler handler, ref SequenceReader<byte> reader)
{
if (reader.TryReadTo(out ReadOnlySpan<byte> requestLine, ByteLF, advancePastDelimiter: true))
{
ParseRequestLine(handler, requestLine);
return true;
}
return false;
}
private void ParseRequestLine(TRequestHandler handler, ReadOnlySpan<byte> requestLine)
{
// Get Method and set the offset
var method = requestLine.GetKnownMethod(out var methodEnd);
if (method == HttpMethod.Custom)
{
methodEnd = GetUnknownMethodLength(requestLine);
}
var versionAndMethod = new HttpVersionAndMethod(method, methodEnd);
// Use a new offset var as methodEnd needs to be on stack
// as its passed by reference above so can't be in register.
// Skip space
var offset = methodEnd + 1;
if ((uint)offset >= (uint)requestLine.Length)
{
// Start of path not found
RejectRequestLine(requestLine);
}
var ch = requestLine[offset];
if (ch == ByteSpace || ch == ByteQuestionMark || ch == BytePercentage)
{
// Empty path is illegal, or path starting with percentage
RejectRequestLine(requestLine);
}
// Target = Path and Query
var targetStart = offset;
var pathEncoded = false;
// Skip first char (just checked)
offset++;
// Find end of path and if path is encoded
for (; (uint)offset < (uint)requestLine.Length; offset++)
{
ch = requestLine[offset];
if (ch == ByteSpace || ch == ByteQuestionMark)
{
// End of path
break;
}
else if (ch == BytePercentage)
{
pathEncoded = true;
}
}
var path = new TargetOffsetPathLength(targetStart, length: offset - targetStart, pathEncoded);
// Query string
if (ch == ByteQuestionMark)
{
// We have a query string
for (; (uint)offset < (uint)requestLine.Length; offset++)
{
ch = requestLine[offset];
if (ch == ByteSpace)
{
break;
}
}
}
var queryEnd = offset;
// Consume space
offset++;
while ((uint)offset < (uint)requestLine.Length
&& requestLine[offset] == ByteSpace)
{
// It's invalid to have multiple spaces between the url resource and version
// but some clients do it. Skip them.
offset++;
}
// Version + CR is 9 bytes which should take us to .Length
// LF should have been dropped prior to method call
if ((uint)offset + 9 != (uint)requestLine.Length || requestLine[offset + 8] != ByteCR)
{
// LF should have been dropped prior to method call
// If !_disableHttp1LineFeedTerminators and offset + 8 is .Length,
// then requestLine is valid since it means LF was the next char
if (_disableHttp1LineFeedTerminators || (uint)offset + 8 != (uint)requestLine.Length)
{
RejectRequestLine(requestLine);
}
}
// Version
var remaining = requestLine.Slice(offset);
var httpVersion = remaining.GetKnownVersion();
versionAndMethod.Version = httpVersion;
if (httpVersion == HttpVersion.Unknown)
{
// HTTP version is unsupported.
RejectUnknownVersion(remaining);
}
// We need to reinterpret from ReadOnlySpan into Span to allow path mutation for
// in-place normalization and decoding to transform into a canonical path
var startLine = MemoryMarshal.CreateSpan(ref MemoryMarshal.GetReference(requestLine), queryEnd);
handler.OnStartLine(versionAndMethod, path, startLine);
}
/// <summary>
/// This API supports framework infrastructure and is not intended to be used
/// directly from application code.
/// </summary>
public bool ParseHeaders(TRequestHandler handler, ref SequenceReader<byte> reader)
{
while (!reader.End)
{
// Check if the reader's span contains an LF to skip the reader if possible
var span = reader.UnreadSpan;
// Fast path, CR/LF at the beginning
if (span.Length >= 2 && span[0] == ByteCR && span[1] == ByteLF)
{
reader.Advance(2);
handler.OnHeadersComplete(endStream: false);
return true;
}
var foundCrlf = false;
var lfOrCrIndex = span.IndexOfAny(ByteCR, ByteLF);
if (lfOrCrIndex >= 0)
{
if (span[lfOrCrIndex] == ByteCR)
{
// We got a CR. Is this a CR/LF sequence?
var crIndex = lfOrCrIndex;
reader.Advance(crIndex + 1);
bool hasDataAfterCr;
if ((uint)span.Length > (uint)(crIndex + 1) && span[crIndex + 1] == ByteLF)
{
// CR/LF in the same span (common case)
span = span.Slice(0, crIndex);
foundCrlf = true;
}
else if ((hasDataAfterCr = reader.TryPeek(out byte lfMaybe)) && lfMaybe == ByteLF)
{
// CR/LF but split between spans
span = span.Slice(0, span.Length - 1);
foundCrlf = true;
}
else
{
// What's after the CR?
if (!hasDataAfterCr)
{
// No more chars after CR? Don't consume an incomplete header
reader.Rewind(crIndex + 1);
return false;
}
else if (crIndex == 0)
{
// CR followed by something other than LF
KestrelBadHttpRequestException.Throw(RequestRejectionReason.InvalidRequestHeadersNoCRLF);
}
else
{
// Include the thing after the CR in the rejection exception.
var stopIndex = crIndex + 2;
RejectRequestHeader(span[..stopIndex]);
}
}
if (foundCrlf)
{
// Advance past the LF too
reader.Advance(1);
// Empty line?
if (crIndex == 0)
{
handler.OnHeadersComplete(endStream: false);
return true;
}
}
}
else
{
// We got an LF with no CR before it.
var lfIndex = lfOrCrIndex;
if (_disableHttp1LineFeedTerminators)
{
RejectRequestHeader(AppendEndOfLine(span[..lfIndex], lineFeedOnly: true));
}
// Consume the header including the LF
reader.Advance(lfIndex + 1);
span = span.Slice(0, lfIndex);
if (span.Length == 0)
{
handler.OnHeadersComplete(endStream: false);
return true;
}
}
}
else
{
// No CR or LF. Is this a multi-span header?
int length = ParseMultiSpanHeader(handler, ref reader);
if (length < 0)
{
// Not multi-line, just bad.
return false;
}
// This was a multi-line header. Advance the reader.
reader.Advance(length);
if (reader.End)
{
return true;
}
continue;
}
// We got to a point where we believe we have a header.
if (!TryTakeSingleHeader(handler, span))
{
// Sequence needs to be CRLF and not contain an inner CR not part of terminator.
// Not parsable as a valid name:value header pair.
RejectRequestHeader(AppendEndOfLine(span, lineFeedOnly: !foundCrlf));
}
}
return false;
}
private static byte[] AppendEndOfLine(ReadOnlySpan<byte> span, bool lineFeedOnly)
{
var array = new byte[span.Length + (lineFeedOnly ? 1 : 2)];
span.CopyTo(array);
array[^1] = ByteLF;
if (!lineFeedOnly)
{
array[^2] = ByteCR;
}
return array;
}
// Parse a header that might cross multiple spans, and return the length of the header
// or -1 if there was a failure during parsing.
private int ParseMultiSpanHeader(TRequestHandler handler, ref SequenceReader<byte> reader)
{
var currentSlice = reader.UnreadSequence;
var lineEndPosition = currentSlice.PositionOfAny(ByteCR, ByteLF);
if (lineEndPosition == null)
{
// Not there.
return -1;
}
SequencePosition lineEnd;
ReadOnlySequence<byte> header;
var firstLineEndCharPos = lineEndPosition.Value;
currentSlice.TryGet(ref firstLineEndCharPos, out var s);
var firstEolChar = s.Span[0];
// Is the first EOL char the last of the current slice?
if (currentSlice.Slice(reader.Position, lineEndPosition.Value).Length == currentSlice.Length - 1)
{
// Get the EOL char
if (firstEolChar == ByteCR)
{
// CR without LF, can't read the header
return -1;
}
else
{
if (_disableHttp1LineFeedTerminators)
{
// LF only but disabled
// Advance 1 to include LF in result
lineEnd = currentSlice.GetPosition(1, lineEndPosition.Value);
RejectRequestHeader(currentSlice.Slice(reader.Position, lineEnd).ToSpan());
}
}
}
// At this point the first EOL char is not the last byte in the current slice
// Offset 1 to include the first EOL char.
firstLineEndCharPos = currentSlice.GetPosition(1, lineEndPosition.Value);
if (firstEolChar == ByteCR)
{
// First EOL char is CR, include the char after CR
lineEnd = currentSlice.GetPosition(2, lineEndPosition.Value);
header = currentSlice.Slice(reader.Position, lineEnd);
}
else if (_disableHttp1LineFeedTerminators)
{
// The terminator is an LF and we don't allow it.
RejectRequestHeader(currentSlice.Slice(reader.Position, firstLineEndCharPos).ToSpan());
return -1;
}
else
{
// First EOL char is LF. only include this one
lineEnd = currentSlice.GetPosition(1, lineEndPosition.Value);
header = currentSlice.Slice(reader.Position, lineEnd);
}
byte[]? array = null;
int length = (int)header.Length;
Span<byte> span = length <= 256 ? stackalloc byte[length] : array = ArrayPool<byte>.Shared.Rent(length);
try
{
header.CopyTo(span);
span = span.Slice(0, length);
// 'a:b\n' or 'a:b\r\n'
var minHeaderSpan = _disableHttp1LineFeedTerminators ? 5 : 4;
if (span.Length < minHeaderSpan)
{
RejectRequestHeader(span);
}
var terminatorSize = -1;
if (span[^1] == ByteLF)
{
if (span[^2] == ByteCR)
{
terminatorSize = 2;
}
else if (!_disableHttp1LineFeedTerminators)
{
terminatorSize = 1;
}
}
// Last chance to bail if the terminator size is not valid or the header doesn't parse.
if (terminatorSize == -1 || !TryTakeSingleHeader(handler, span.Slice(0, span.Length - terminatorSize)))
{
RejectRequestHeader(span);
}
return span.Length;
}
finally
{
if (array is not null)
{
ArrayPool<byte>.Shared.Return(array);
}
}
}
private static bool TryTakeSingleHeader(TRequestHandler handler, ReadOnlySpan<byte> headerLine)
{
// We are looking for a colon to terminate the header name.
// However, the header name cannot contain a space or tab so look for all three
// and see which is found first.
var nameEnd = headerLine.IndexOfAny(ByteColon, ByteSpace, ByteTab);
// If not found length with be -1; casting to uint will turn it to uint.MaxValue
// which will be larger than any possible headerLine.Length. This also serves to eliminate
// the bounds check for the next lookup of headerLine[nameEnd]
if ((uint)nameEnd >= (uint)headerLine.Length)
{
// Colon not found.
return false;
}
// Early memory read to hide latency
var expectedColon = headerLine[nameEnd];
if (nameEnd == 0)
{
// Header name is empty.
return false;
}
if (expectedColon != ByteColon)
{
// Header name space or tab.
return false;
}
// Skip colon to get to the value start.
var valueStart = nameEnd + 1;
// Generally there will only be one space, so we will check it directly
if ((uint)valueStart < (uint)headerLine.Length)
{
var ch = headerLine[valueStart];
if (ch == ByteSpace || ch == ByteTab)
{
// Ignore first whitespace.
valueStart++;
// More header chars?
if ((uint)valueStart < (uint)headerLine.Length)
{
ch = headerLine[valueStart];
// Do a fast check; as we now expect non-space, before moving into loop.
if (ch <= ByteSpace && (ch == ByteSpace || ch == ByteTab))
{
valueStart++;
// Is more whitespace, so we will loop to find the end. This is the slow path.
for (; valueStart < headerLine.Length; valueStart++)
{
ch = headerLine[valueStart];
if (ch != ByteTab && ch != ByteSpace)
{
// Non-whitespace char found, valueStart is now start of value.
break;
}
}
}
}
}
}
var valueEnd = headerLine.Length - 1;
// Ignore end whitespace. Generally there will no spaces
// so we will check the first before moving to a loop.
if (valueEnd > valueStart)
{
var ch = headerLine[valueEnd];
// Do a fast check; as we now expect non-space, before moving into loop.
if (ch <= ByteSpace && (ch == ByteSpace || ch == ByteTab))
{
// Is whitespace so move to loop
valueEnd--;
for (; valueEnd > valueStart; valueEnd--)
{
ch = headerLine[valueEnd];
if (ch != ByteTab && ch != ByteSpace)
{
// Non-whitespace char found, valueEnd is now start of value.
break;
}
}
}
}
// Range end is exclusive, so add 1 to valueEnd
valueEnd++;
handler.OnHeader(name: headerLine.Slice(0, nameEnd), value: headerLine[valueStart..valueEnd]);
return true;
}
[MethodImpl(MethodImplOptions.NoInlining)]
private int GetUnknownMethodLength(ReadOnlySpan<byte> span)
{
var invalidIndex = HttpCharacters.IndexOfInvalidTokenChar(span);
if (invalidIndex <= 0 || span[invalidIndex] != ByteSpace)
{
RejectRequestLine(span);
}
return invalidIndex;
}
private static bool IsTlsHandshake(ReadOnlySpan<byte> requestLine)
{
const byte SslRecordTypeHandshake = (byte)0x16;
// Make sure we can check at least for the existence of a TLS handshake - we check the first byte
// See https://serializethoughts.com/2014/07/27/dissecting-tls-client-hello-message/
return (requestLine.Length >= MinTlsRequestSize && requestLine[0] == SslRecordTypeHandshake);
}
[StackTraceHidden]
private void RejectRequestLine(ReadOnlySpan<byte> requestLine)
{
throw GetInvalidRequestException(
IsTlsHandshake(requestLine) ?
RequestRejectionReason.TlsOverHttpError :
RequestRejectionReason.InvalidRequestLine,
requestLine);
}
[StackTraceHidden]
private void RejectRequestHeader(ReadOnlySpan<byte> headerLine)
=> throw GetInvalidRequestException(RequestRejectionReason.InvalidRequestHeader, headerLine);
[StackTraceHidden]
private void RejectUnknownVersion(ReadOnlySpan<byte> version)
=> throw GetInvalidRequestException(RequestRejectionReason.UnrecognizedHTTPVersion, version[..^1]);
[MethodImpl(MethodImplOptions.NoInlining)]
private BadHttpRequestException GetInvalidRequestException(RequestRejectionReason reason, ReadOnlySpan<byte> headerLine)
=> KestrelBadHttpRequestException.GetException(
reason,
_showErrorDetails
? headerLine.GetAsciiStringEscaped(Constants.MaxExceptionDetailSize)
: string.Empty);
}
|
