akka/akka-http
Provide more hardening to prevent unexpected media ranges / media types
Open
#1082 opened on May 3, 2017
Labels: 1 - triaged, help wanted, t:core, t:model
Description
The media range specification is a bit unclear about how to deal with the special * character. In #1072, we observed a bug where different parts of akka-http interpreted it differently.
The most technical specification is the one in RFC 7231, which is the one currently implemented:

```
media-type = type "/" subtype *( OWS ";" OWS parameter )
type       = token
subtype    = token
```
In https://github.com/akka/akka-http/pull/1075 we change the Accept parser not to accept */xml as a valid media range any more. We should also restrict the type production not to allow * as valid input like this:
```scala
// parboiled2 rule for the `type` production; `failX` is akka-http's parser helper
// that fails the rule with the given message instead of matching.
def `type`: Rule1[String] = rule {
  '*' ~ failX[HNil, String :: HNil]("'*' is not allowed as the main type of a media type or a media range (diverging from the grammar specified in RFC 7231 section-3.1.1.1) to prevent ambiguities with media ranges like '*/*'") |
  token
}
```
and also add code to media range and media type that prevents those ambiguous instances from being created in the first place. Things that need to be reviewed are `acceptsAll` and `isWildcard`.
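The hardening sketched in this issue, as an added example in Python that is not akka-http's code: a small media-type / media-range parser in which `*` passes the RFC 7230 `token` rule (it is a `tchar`) but is only accepted in the two range shapes RFC 7231 section 5.3.2 enumerates, `*/*` and `type/*`, so `*/xml` is rejected as both a media type and a media range, and a concrete media type never contains `*` at all. The names (`parse_media_type`, `parse_media_range`, `accepts_all`, `is_wildcard`, `rejects`) are hypothetical, parameter values are restricted to tokens (the quoted-string form is omitted), and the inputs in the checks are constructed.

```python
"""Hardened media-type / media-range parsing (added example, not akka-http code).

RFC 7231 3.1.1.1:  media-type = type "/" subtype *( OWS ";" OWS parameter ),
type = subtype = token.  The RFC 7230 token alphabet (tchar) includes '*', so
the grammar alone accepts '*/xml'.  Here '*' is only legal in the range shapes
RFC 7231 5.3.2 lists: '*/*' and 'type/*'.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_"
#       / "`" / "|" / "~" / DIGIT / ALPHA ;  token = 1*tchar
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_token(s: str) -> bool:
    """True if s is an RFC 7230 token. Note that is_token('*') is True."""
    return _TOKEN.match(s) is not None


def _token(s: str, what: str) -> str:
    if not is_token(s):
        raise ValueError(f"{what} {s!r} is not an RFC 7230 token")
    return s


def _split(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'Type/Sub; a=b' into ('type', 'sub', {'a': 'b'}).

    Type, subtype and parameter names are case-insensitive and lowercased.
    Parameter values are kept as given and must be tokens (quoted-string omitted).
    """
    head, _, tail = value.partition(";")
    main, slash, sub = head.strip().partition("/")
    if not slash:
        raise ValueError(f"{value!r}: missing '/' between type and subtype")
    params: Dict[str, str] = {}
    for p in filter(None, (x.strip() for x in tail.split(";"))):
        name, eq, val = p.partition("=")
        if not eq:
            raise ValueError(f"{value!r}: parameter {p!r} has no '='")
        params[_token(name.strip(), "parameter name").lower()] = _token(val.strip(), "parameter value")
    return _token(main.strip(), "type").lower(), _token(sub.strip(), "subtype").lower(), params


@dataclass
class MediaType:
    """A concrete media type: '*' never appears in either position."""
    main_type: str
    subtype: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class MediaRange:
    """An Accept-header media range.  parse_media_range enforces the invariant
    main_type == '*' implies subtype == '*', so accepts_all implies is_wildcard."""
    main_type: str
    subtype: str
    params: Dict[str, str] = field(default_factory=dict)

    @property
    def accepts_all(self) -> bool:  # '*/*'
        return self.main_type == "*"

    @property
    def is_wildcard(self) -> bool:  # '*/*' or 'type/*'
        return self.subtype == "*"

    def matches(self, mt: MediaType) -> bool:
        """RFC 7231 5.3.2 matching: a wildcard matches anything at its level, and
        every range parameter must be present on the type with the same value."""
        if self.main_type != "*" and self.main_type != mt.main_type:
            return False
        if self.subtype != "*" and self.subtype != mt.subtype:
            return False
        return all(mt.params.get(k) == v for k, v in self.params.items())


def parse_media_type(value: str) -> MediaType:
    main, sub, params = _split(value)
    if main == "*" or sub == "*":
        raise ValueError(f"{value!r}: '*' is not allowed in a media type (use a media range)")
    return MediaType(main, sub, params)


def parse_media_range(value: str) -> MediaRange:
    main, sub, params = _split(value)
    if main == "*" and sub != "*":
        # The ambiguous case from the issue: '*/xml' is neither a media type
        # nor a range shape RFC 7231 defines, so it is rejected outright.
        raise ValueError(f"{value!r}: a '*' main type must be paired with a '*' subtype")
    return MediaRange(main, sub, params)


def rejects(parse: Callable[[str], object], value: str) -> bool:
    """True if parse() refuses value with ValueError."""
    try:
        parse(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs, not taken from any real request.
    assert is_token("*") and rejects(parse_media_type, "*/xml") and rejects(parse_media_range, "*/xml")
    r = parse_media_range("text/*; charset=utf-8")
    assert r.is_wildcard and not r.accepts_all and r.matches(parse_media_type("Text/HTML; charset=utf-8"))
    print("all checks passed")
```

The point to take from it is the one the issue raises about `acceptsAll` and `isWildcard`: once the constructor refuses `*` as a main type unless the subtype is also `*`, the two predicates can no longer disagree, and code that checks only one of them stays correct.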