Allow only normalized URLs in requests #43765
Conversation
a96522d to
6ffc54f
Compare
6ffc54f to
fb72910
Compare
quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java
Outdated
Show resolved
Hide resolved
...ntime/src/main/java/org/keycloak/quarkus/runtime/services/RejectNonNormalizedPathFilter.java
Show resolved
Hide resolved
mabartos
left a comment
There was a problem hiding this comment.
Last comments, otherwise LGTM.
| .description("If the server should accept paths that are not normalized according to RFC3986 or that contain a double slash ('//'). While accepting those requests might be relevant for legacy applications, it is recommended to disable it to allow for more concise URL filtering.") | ||
| .buildTime(true) | ||
| .deprecated() |
There was a problem hiding this comment.
| .description("If the server should accept paths that are not normalized according to RFC3986 or that contain a double slash ('//'). While accepting those requests might be relevant for legacy applications, it is recommended to disable it to allow for more concise URL filtering.") | |
| .buildTime(true) | |
| .deprecated() | |
| .description("If the server should accept paths that are not normalized according to RFC3986 or that contain a double slash ('//'). While accepting those requests might be relevant for legacy applications, it is recommended to disable it to allow for more concise URL filtering.") | |
| .deprecated() |
It might not be necessary to have it as a build-time option.
There was a problem hiding this comment.
I'm adding the filter to a build time option ... so I'd assume it is build time? Or do you suggest to always add the filter, and then parameterize it?
There was a problem hiding this comment.
@ahus1 These filters are actually added during the static init phase (Record(ExecutionTime.STATIC_INIT)) and not created during the augmentation.
It's always better to have an option configurable at runtime if it's only some marker of behavior checked in runtime anyway.
If you remove the buildTime(true) here and add the @Consume(ConfigBuildItem.class) as described in the additional comments, it should be fine :)
There was a problem hiding this comment.
I gave it a try, and then the test did no longer pass. I reverted the change.
quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java
Outdated
Show resolved
Hide resolved
...ntime/src/main/java/org/keycloak/quarkus/runtime/services/RejectNonNormalizedPathFilter.java
Show resolved
Hide resolved
quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java
Show resolved
Hide resolved
quarkus/deployment/src/main/java/org/keycloak/quarkus/deployment/KeycloakProcessor.java
Outdated
Show resolved
Hide resolved
| .description("If the server should accept paths that are not normalized according to RFC3986 or that contain a double slash ('//'). While accepting those requests might be relevant for legacy applications, it is recommended to disable it to allow for more concise URL filtering.") | ||
| .buildTime(true) | ||
| .deprecated() |
There was a problem hiding this comment.
@ahus1 These filters are actually added during the static init phase (Record(ExecutionTime.STATIC_INIT)) and not created during the augmentation.
It's always better to have an option configurable at runtime if it's only some marker of behavior checked in runtime anyway.
If you remove the buildTime(true) here and add the @Consume(ConfigBuildItem.class) as described in the additional comments, it should be fine :)
57a9e46 to
ed95fc3
Compare
vmuzikar
left a comment
There was a problem hiding this comment.
@ahus1 Thank you for the PR.
I'm not sure if I'm doing something wrong (probably yes as the tests pass) but if I do something as simple as curl -v http://localhost:8080/realms/xxx/../master/, I get 200 response instead of 400.
| "Specify a list of comma-separated values defined in milliseconds. Example with buckets from 5ms to 10s: 5,10,25,50,250,500,1000,2500,5000,10000") | ||
| .build(); | ||
|
|
||
| public static final Option<Boolean> HTTP_ACCEPT_NON_NORMALIZED_PATHS = new OptionBuilder<>("http-accept-non-normalized-paths", Boolean.class) |
There was a problem hiding this comment.
Do we really want to make it configurable? It's a breaking change but to fix a security issue. What would be a real and valid use case for the non-normalized paths?
Sorry if this has been already discussed somewhere.
There was a problem hiding this comment.
What would be a real and valid use case for the non-normalized paths?
I would say adding .. to the path is not a valid use case, maybe someone used it as a workaround for some issue in a machine-to-machine communication.
The most common thing I could think of is a double // in the URL, where someone might have concatenated URLs, and they end up with two //. We would break those setups. And to back out of such a setup, there is this option to revert it. And it is deprecated, so we can remove it again soon - like in 27.0
There was a problem hiding this comment.
I'd say if someone uses // it's probably an oversight and a misconfiguration. So having it configurable is more like a convenience feature. But it's not a blocker for me, let's keep it there.
curl needs --path-as-is otherwise it will do the normalization. |
Thanks, sorry for the noise. What confused me is that even browser normalized the path (did not get 400). |
ed95fc3 to
b9d2ae0
Compare
Closes keycloak#43763 Co-authored-by: Martin Bartoš <[email protected]> Signed-off-by: Martin Bartoš <[email protected]> Signed-off-by: Alexander Schwartz <[email protected]>
f25b740 to
9274d24
Compare
|
@mabartos - thank you for the PR. I merge it to this branch, rebased it, and fixed the help test. Let's wait for the build to be green. |
|
@ahus1 @mabartos, is this the fix for CVE-2025-10939? |
Yes. |
Closes keycloak#43763 Signed-off-by: Martin Bartoš <[email protected]> Signed-off-by: Alexander Schwartz <[email protected]> Co-authored-by: Martin Bartoš <[email protected]>
Closes #43763