
Add directional tests for control characters in the request line #1087

Description

@He-Pin

Motivation

A request-smuggling class of vulnerability exists when HTTP parsers silently strip boundary control bytes (NUL, CR, LF, VT, FF) from the version token before matching — see netty/netty#16970.

Pekko HTTP uses a fundamentally different parsing strategy — byte-by-byte exact matching at fixed offsets in HttpMessageParser.parseProtocol (HttpMessageParser.scala:130-140) with no trim() or whitespace/control-character stripping. Analysis confirms that Pekko HTTP is not affected by this vulnerability: the NUL byte is consumed into the URI by parseRequestTarget and rejected by the URI parser before the version token is ever reached.

However, no existing test in RequestParserSpec exercises this code path with control characters. A directional test should be added to lock in this behavior and prevent regressions from future parsing refactors.

Modification

Add directional test cases to RequestParserSpec that verify control characters (NUL) in the request line are rejected with an appropriate error status.

Result

The test suite will explicitly cover the control-character-in-request-line scenario, ensuring that Pekko HTTP continues to reject such malformed requests and that any future parsing changes do not introduce a trim-based vulnerability.
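To make the difference between the two parsing strategies concrete, here is an added Python illustration written for this issue; it is not code from Pekko HTTP or Netty. `lenient_parse` models the trim-before-match pattern (the `JAVA_TRIM_BYTES` set approximates what Java's `String.trim()` removes), `strict_parse` models fixed-offset, byte-exact matching with no trimming, and `SAMPLES` are constructed request lines rather than captured traffic. The strict parser follows the strategy the description attributes to `parseProtocol` only in spirit; the function and error names are the example's own.

```python
"""Trim-based vs byte-exact request-line parsing (added illustration, not project code)."""

from typing import NamedTuple

# Java's String.trim() removes every code point <= U+0020, so NUL, VT and FF disappear
# along with SP, CR and LF. Assumption: we model that on raw bytes.
JAVA_TRIM_BYTES = bytes(range(0x21))

# RFC 9110 tchar set for the method token; CTL bytes must never appear in the target.
TCHAR = frozenset(b"!#$%&'*+-.^_`|~0123456789"
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
CTL = frozenset(range(0x00, 0x20)) | {0x7F}
VERSIONS = (b"HTTP/1.0", b"HTTP/1.1")


class RequestLine(NamedTuple):
    method: bytes
    target: bytes
    version: bytes


class RequestLineError(ValueError):
    """Raised when a request line is rejected (would map to 400 Bad Request)."""


def lenient_parse(line: bytes) -> RequestLine:
    """Vulnerable pattern: split on SP, trim every token, then compare the version.
    Because trimming happens before matching, b'HTTP/1.1\\x00\\r\\n' equals b'HTTP/1.1'."""
    parts = line.split(b" ")
    if len(parts) != 3:
        raise RequestLineError("expected METHOD SP TARGET SP VERSION")
    method, target, version = (p.strip(JAVA_TRIM_BYTES) for p in parts)
    if version not in VERSIONS:
        raise RequestLineError("unsupported HTTP version")
    return RequestLine(method, target, version)


def strict_parse(line: bytes) -> RequestLine:
    """Hardened pattern: no trimming; each byte is checked where the grammar expects it."""
    # method = 1*tchar followed by exactly one SP
    i = 0
    while i < len(line) and line[i] in TCHAR:
        i += 1
    if i == 0 or i >= len(line) or line[i] != 0x20:
        raise RequestLineError("illegal method token")
    method = line[:i]
    i += 1
    # request-target = every byte up to the next SP; control bytes (NUL included) are
    # rejected here, before the version token is ever examined
    j = line.find(b" ", i)
    if j == -1:
        raise RequestLineError("missing HTTP version")
    target = line[i:j]
    if not target or any(b in CTL or b > 0x7E for b in target):
        raise RequestLineError("illegal character in request target")
    # version = exact 8-byte match at a fixed offset, then CRLF and nothing else
    version = line[j + 1 : j + 9]
    if version not in VERSIONS:
        raise RequestLineError("illegal HTTP version")
    if line[j + 9 :] != b"\r\n":
        raise RequestLineError("illegal byte after HTTP version")
    return RequestLine(method, target, version)


def strict_reject_reason(line: bytes) -> str:
    """Returns the strict parser's rejection message, or '' when the line is accepted."""
    try:
        strict_parse(line)
        return ""
    except RequestLineError as err:
        return str(err)


def accepted_by(line: bytes) -> tuple:
    """Returns (lenient_accepts, strict_accepts) for one raw request line."""
    results = []
    for parser in (lenient_parse, strict_parse):
        try:
            parser(line)
            results.append(True)
        except RequestLineError:
            results.append(False)
    return results[0], results[1]


# Constructed sample request lines (not captured traffic); the trailing CRLF is part of the line.
SAMPLES = {
    "clean":             b"GET /index.html HTTP/1.1\r\n",
    "NUL after version": b"GET /index.html HTTP/1.1\x00\r\n",
    "NUL before SP":     b"GET /index.html\x00 HTTP/1.1\r\n",
    "VT after version":  b"GET /index.html HTTP/1.1\x0b\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        lenient_ok, strict_ok = accepted_by(raw)
        print(f"{name:18} lenient={'accept' if lenient_ok else 'reject':6} "
              f"strict={'accept' if strict_ok else 'reject'}")
```

The smuggling risk is the disagreement: a front end running the lenient parser forwards a line it considers valid HTTP/1.1, while a stricter hop rejects or re-interprets it. A directional test pins the strict side of that disagreement, which is exactly what the proposed `RequestParserSpec` cases would do for Pekko HTTP.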
