Don't allow suspicious HTTP requests to go through

Status: NEW
Reporter: mat
Assigned to: wezhou
Firefox Tracking Flags: (Not tracked)
Reported 2 years ago, last updated 2 months ago

Description (Reporter, 2 years ago)

We've seen several instances of weird HTTP requests in the logs over time. Recently, that one was caught in the logs:

1496338081.111 502 /ga-IE/firefox/tag/.pdf?atype=9&cat=unexisting/../../../../../../../../../../windows/win.ini.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x
5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\
x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5C.\x5<snip>\x5C.\x5C&from=/he/firefox/tag/.pdf%3ffrom=/en-US/firefox/tag/.pdf&lang=bg&page=16&sort=created 


We should ban such requests entirely, they are never going to be legitimate. From that one we can enact 3 different rules:
- Requests with a super long URL, say more than 2048 characters, should not be allowed. (That one has 6363 characters total)
- Requests with more than 5 instances of "../" should not be allowed
- Requests with more than 5 instances of "\" (\x5C) should not be allowed

For those denied requests an appropriate error code should be returned instead of letting the request go through the app.

I've just picked the limits arbitrarily, feel free to disagree :)
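
The three rules proposed above, implemented as an added example (this is not code from the bug or from the project's own code base): a Python check that classifies a raw request target against the length, "../" and backslash limits, plus a WSGI wrapper that answers a denied request itself so it never reaches the application. Two details are this example's own choices rather than part of the report: the target is percent-decoded before counting (so `%2e%2e%2f` and `%5c` count like the literal characters), and the error codes are 414 for the over-long URL and 400 for the traversal patterns. The sample request targets are constructed for the demo; the report's 6363-character request is not reproduced.

```python
import re
from http import HTTPStatus
from urllib.parse import unquote

# Limits proposed in the bug report; the reporter picked them arbitrarily.
MAX_URL_LENGTH = 2048
MAX_DOTDOT_SLASH = 5
MAX_BACKSLASHES = 5

_DOTDOT_SLASH = re.compile(r"\.\./")


def _percent_decode(target, rounds=3):
    """Percent-decode the request target, repeating a few times so double
    encoding (%252e) unwraps too. Decoding before counting is an addition
    to the report's rules: %2e%2e%2f and %5c would otherwise slip past a
    literal substring count."""
    decoded = target
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def check_request_target(target):
    """Classify a raw request target (path plus query string).

    Returns None when the request may proceed, otherwise a tuple
    (HTTPStatus, reason) naming the rule it tripped.
    """
    # Rule 1: over-long URL. Measured on the raw target, as the logger would.
    if len(target) > MAX_URL_LENGTH:
        return HTTPStatus.REQUEST_URI_TOO_LONG, "URL is %d characters long" % len(target)

    decoded = _percent_decode(target)

    # Rule 2: too many "../" sequences (non-overlapping count).
    dotdot = len(_DOTDOT_SLASH.findall(decoded))
    if dotdot > MAX_DOTDOT_SLASH:
        return HTTPStatus.BAD_REQUEST, "%d '../' sequences" % dotdot

    # Rule 3: too many backslashes (the \x5C in the log line is a literal "\").
    backslashes = decoded.count("\\")
    if backslashes > MAX_BACKSLASHES:
        return HTTPStatus.BAD_REQUEST, "%d backslashes" % backslashes

    return None


def deny_suspicious_requests(app):
    """WSGI middleware: answer a denied request directly with an error
    status instead of passing it on to the wrapped application."""
    def middleware(environ, start_response):
        target = environ.get("PATH_INFO", "")
        query = environ.get("QUERY_STRING", "")
        if query:
            target = target + "?" + query
        verdict = check_request_target(target)
        if verdict is None:
            return app(environ, start_response)
        status, reason = verdict
        body = ("Request denied: %s\n" % reason).encode("utf-8")
        start_response("%d %s" % (status, status.phrase),
                       [("Content-Type", "text/plain; charset=utf-8"),
                        ("Content-Length", str(len(body)))])
        return [body]
    return middleware


# Constructed sample request targets (not copied from the report's logs).
SAMPLE_TARGETS = {
    "benign": "/en-US/firefox/addon/example/?src=search&page=2",
    "traversal": "/ga-IE/firefox/tag/.pdf?atype=9&cat=unexisting/" + "../" * 10 + "windows/win.ini",
    "backslashes": "/ga-IE/firefox/tag/.pdf?cat=" + "\\." * 40,
    "encoded": "/en-US/firefox/tag/.pdf?cat=" + "%2e%2e%2f" * 8 + "windows/win.ini",
    "too_long": "/en-US/firefox/search/?q=" + "A" * 6300,
}


def demo():
    """Run every sample through the check; returns {name: status code or None}."""
    results = {}
    for name, target in SAMPLE_TARGETS.items():
        verdict = check_request_target(target)
        results[name] = None if verdict is None else int(verdict[0])
        shown = "allowed" if verdict is None else "%d (%s)" % (verdict[0], verdict[1])
        print("%-12s -> %s" % (name, shown))
    return results


if __name__ == "__main__":
    demo()
```

The length rule is checked first and on the raw target, so the request quoted in the report would be rejected with 414 before any pattern matching runs; the decode-then-count order for the other two rules is what keeps an attacker from dodging the "../" and backslash limits with percent-encoding.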

Updated 2 months ago
Assignee: nobody → wezhou