fix(l7): reject duplicate Content-Length headers to prevent request smuggling (CWE-444) (#663)

latenighthackathon · web-flow · commit 0ac1fbd21b50 · 2026-03-29T16:24:08.000-07:00
* fix(l7): reject duplicate Content-Length headers to prevent request smuggling Both parse_body_length() in rest.rs and try_parse_http_request() in inference.rs silently accepted multiple Content-Length headers, overwriting with the last value seen. Per RFC 7230 Section 3.3.3, a message with multiple Content-Length headers with differing values must be rejected to prevent HTTP request smuggling (CWE-444). An attacker could send conflicting Content-Length values causing the proxy and downstream server to disagree on message boundaries. Fix: - rest.rs: detect duplicate CL headers with differing values and return an error before forwarding - inference.rs: add ParseResult::Invalid variant; detect duplicate CL headers and return Invalid with a descriptive reason - proxy.rs: handle ParseResult::Invalid by sending HTTP 400 and denying the connection Closes #637 Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com> * fix(l7): address review feedback on Content-Length smuggling defense - inference.rs: reject unparseable Content-Length values instead of silently defaulting to 0 via unwrap_or(0) - rest.rs: reject unparseable Content-Length values so a valid+invalid duplicate pair cannot bypass the differing-values check - rest.rs: fix Transfer-Encoding substring match (.contains("chunked") → split/trim exact match) to align with inference.rs and prevent false positives on values like "chunkedx" - proxy.rs: log parsing details server-side via tracing::warn and return generic "Bad Request" body instead of leaking internal parsing reasons to sandboxed code - Add tests for all new rejection paths in inference.rs and rest.rs Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com> * style(l7): apply cargo fmt formatting Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com> --------- Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com> Co-authored-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
diff --git a/crates/openshell-sandbox/src/l7/inference.rs b/crates/openshell-sandbox/src/l7/inference.rs
@@ -96,6 +96,8 @@ pub enum ParseResult {
     Complete(ParsedHttpRequest, usize),
     /// Headers are incomplete — caller should read more data.
     Incomplete,
+    /// The request is malformed and must be rejected (e.g., duplicate Content-Length).
+    Invalid(String),
 }
 
 /// Try to parse an HTTP/1.1 request from raw bytes.
@@ -125,6 +127,7 @@ pub fn try_parse_http_request(buf: &[u8]) -> ParseResult {
 
     let mut headers = Vec::new();
     let mut content_length: usize = 0;
+    let mut has_content_length = false;
     let mut is_chunked = false;
     for line in lines {
         if line.is_empty() {
@@ -134,7 +137,21 @@ pub fn try_parse_http_request(buf: &[u8]) -> ParseResult {
             let name = name.trim().to_string();
             let value = value.trim().to_string();
             if name.eq_ignore_ascii_case("content-length") {
-                content_length = value.parse().unwrap_or(0);
+                let new_len: usize = match value.parse() {
+                    Ok(v) => v,
+                    Err(_) => {
+                        return ParseResult::Invalid(format!(
+                            "invalid Content-Length value: {value}"
+                        ));
+                    }
+                };
+                if has_content_length && new_len != content_length {
+                    return ParseResult::Invalid(format!(
+                        "duplicate Content-Length headers with differing values ({content_length} vs {new_len})"
+                    ));
+                }
+                content_length = new_len;
+                has_content_length = true;
             }
             if name.eq_ignore_ascii_case("transfer-encoding")
                 && value
@@ -552,4 +569,43 @@ mod tests {
         };
         assert_eq!(parsed.body.len(), 100);
     }
+
+    // ---- SEC: Content-Length validation ----
+
+    #[test]
+    fn reject_differing_duplicate_content_length() {
+        let request = b"POST /v1/chat/completions HTTP/1.1\r\nHost: x\r\nContent-Length: 0\r\nContent-Length: 50\r\n\r\n";
+        assert!(matches!(
+            try_parse_http_request(request),
+            ParseResult::Invalid(reason) if reason.contains("differing values")
+        ));
+    }
+
+    #[test]
+    fn accept_identical_duplicate_content_length() {
+        let request = b"POST /v1/chat/completions HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 5\r\n\r\nhello";
+        let ParseResult::Complete(parsed, _) = try_parse_http_request(request) else {
+            panic!("expected Complete for identical duplicate CL");
+        };
+        assert_eq!(parsed.body, b"hello");
+    }
+
+    #[test]
+    fn reject_non_numeric_content_length() {
+        let request =
+            b"POST /v1/chat/completions HTTP/1.1\r\nHost: x\r\nContent-Length: abc\r\n\r\n";
+        assert!(matches!(
+            try_parse_http_request(request),
+            ParseResult::Invalid(reason) if reason.contains("invalid Content-Length")
+        ));
+    }
+
+    #[test]
+    fn reject_two_non_numeric_content_lengths() {
+        let request = b"POST /v1/chat/completions HTTP/1.1\r\nHost: x\r\nContent-Length: abc\r\nContent-Length: def\r\n\r\n";
+        assert!(matches!(
+            try_parse_http_request(request),
+            ParseResult::Invalid(_)
+        ));
+    }
 }
diff --git a/crates/openshell-sandbox/src/l7/rest.rs b/crates/openshell-sandbox/src/l7/rest.rs
@@ -242,14 +242,22 @@ fn parse_body_length(headers: &str) -> Result<BodyLength> {
         let lower = line.to_ascii_lowercase();
         if lower.starts_with("transfer-encoding:") {
             let val = lower.split_once(':').map_or("", |(_, v)| v.trim());
-            if val.contains("chunked") {
+            if val.split(',').any(|enc| enc.trim() == "chunked") {
                 has_te_chunked = true;
             }
         }
-        if lower.starts_with("content-length:")
-            && let Some(val) = lower.split_once(':').map(|(_, v)| v.trim())
-            && let Ok(len) = val.parse::<u64>()
-        {
+        if lower.starts_with("content-length:") {
+            let val = lower.split_once(':').map_or("", |(_, v)| v.trim());
+            let len: u64 = val
+                .parse()
+                .map_err(|_| miette!("Request contains invalid Content-Length value"))?;
+            if let Some(prev) = cl_value {
+                if prev != len {
+                    return Err(miette!(
+                        "Request contains multiple Content-Length headers with differing values ({prev} vs {len})"
+                    ));
+                }
+            }
             cl_value = Some(len);
         }
     }
@@ -702,6 +710,59 @@ mod tests {
         );
     }
 
+    /// SEC: Reject differing duplicate Content-Length headers.
+    #[test]
+    fn reject_differing_duplicate_content_length() {
+        let headers =
+            "POST /api HTTP/1.1\r\nHost: x\r\nContent-Length: 0\r\nContent-Length: 50\r\n\r\n";
+        assert!(
+            parse_body_length(headers).is_err(),
+            "Must reject differing duplicate Content-Length"
+        );
+    }
+
+    /// SEC: Accept identical duplicate Content-Length headers.
+    #[test]
+    fn accept_identical_duplicate_content_length() {
+        let headers =
+            "POST /api HTTP/1.1\r\nHost: x\r\nContent-Length: 42\r\nContent-Length: 42\r\n\r\n";
+        match parse_body_length(headers).unwrap() {
+            BodyLength::ContentLength(42) => {}
+            other => panic!("Expected ContentLength(42), got {other:?}"),
+        }
+    }
+
+    /// SEC: Reject non-numeric Content-Length values.
+    #[test]
+    fn reject_non_numeric_content_length() {
+        let headers = "POST /api HTTP/1.1\r\nHost: x\r\nContent-Length: abc\r\n\r\n";
+        assert!(
+            parse_body_length(headers).is_err(),
+            "Must reject non-numeric Content-Length"
+        );
+    }
+
+    /// SEC: Reject when second Content-Length is non-numeric (bypass test).
+    #[test]
+    fn reject_valid_then_invalid_content_length() {
+        let headers =
+            "POST /api HTTP/1.1\r\nHost: x\r\nContent-Length: 42\r\nContent-Length: abc\r\n\r\n";
+        assert!(
+            parse_body_length(headers).is_err(),
+            "Must reject when any Content-Length is non-numeric"
+        );
+    }
+
+    /// SEC: Transfer-Encoding substring match must not match partial tokens.
+    #[test]
+    fn te_substring_not_chunked() {
+        let headers = "POST /api HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunkedx\r\n\r\n";
+        match parse_body_length(headers).unwrap() {
+            BodyLength::None => {}
+            other => panic!("Expected None for non-matching TE, got {other:?}"),
+        }
+    }
+
     /// SEC-009: Bare LF in headers enables header injection.
     #[tokio::test]
     async fn reject_bare_lf_in_headers() {
diff --git a/crates/openshell-sandbox/src/proxy.rs b/crates/openshell-sandbox/src/proxy.rs
@@ -943,6 +943,12 @@ async fn handle_inference_interception(
                     buf.resize((buf.len() * 2).min(MAX_INFERENCE_BUF), 0);
                 }
             }
+            ParseResult::Invalid(reason) => {
+                warn!(reason = %reason, "rejecting malformed inference request");
+                let response = format_http_response(400, &[], b"Bad Request");
+                write_all(&mut tls_client, &response).await?;
+                return Ok(InferenceOutcome::Denied { reason });
+            }
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -943,6 +943,12 @@ async fn handle_inference_interception(`
`943`	`943`	`buf.resize((buf.len() * 2).min(MAX_INFERENCE_BUF), 0);`
`944`	`944`	`}`
`945`	`945`	`}`
	`946`	`+ ParseResult::Invalid(reason) => {`
	`947`	`+ warn!(reason = %reason, "rejecting malformed inference request");`
	`948`	`+ let response = format_http_response(400, &[], b"Bad Request");`
	`949`	`+ write_all(&mut tls_client, &response).await?;`
	`950`	`+ return Ok(InferenceOutcome::Denied { reason });`
	`951`	`+ }`
`946`	`952`	`}`
`947`	`953`	`}`
`948`	`954`