data-api-builder
data-api-builder copied to clipboard
Azure
`x-ms-api-role` header length restriction enforcement
3.) Evaluate whether we need additional restrictions on the custom client role header (x-ms-api-role) such as max length allowed for the header value, if exceeded, we don’t even process/reject request.
Check OWASP site for any security related guidance, if any, regarding header max length
As per HTTP RFC here: "HTTP does not place a predefined limit on the length of each header field or on the length of the header section as a whole, as described in Section 2.5. Various ad hoc limitations on individual header field length are found in practice, often depending on the specific field semantics. A server that receives a request header field, or set of fields, larger than it wishes to process MUST respond with an appropriate 4xx (Client Error) status code. Ignoring such header fields would increase the server's vulnerability to request smuggling attacks A client MAY discard or truncate received header fields that are larger than the client wishes to process if the field semantics are such that the dropped value(s) can be safely ignored without changing the message framing or response semantics."
As per these articles: What is the maximum size of HTTP header values? and Maximum on HTTP header values?
Servers have their custom limit on header size like:
Apache : 8K
IIS : 16K
exceeding which they will return 413 Entity Too Large exception.
-
So one option is that if the length of the X-MS-API-ROLE header is greater than the allowed limit that we impose, we just ignore the header as if it wasn't present at all in the request.
-
We throw an Entity Too Large exception (http status code: 413)
Looks like Kestrel (Asp.net) has limit default to 32KB https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.server.kestrel.core.kestrelserverlimits.maxrequestheaderstotalsize?view=aspnetcore-6.0
Look through some of these to see if we might need to consider additional security measures. And whether Asp.net has built in features/mitigations
https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#input-validation
Look through some of these to see if we might need to consider additional security measures. And whether Asp.net has built in features/mitigations
https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html#input-validation
I went through this, the only things I see we might want to include are:
-
Verify the Content-Type we are getting in the request. At this point, even if we send
text/htmlor any other data type but still send a valid json request body, the request goes through fine. We can impose a check Content-Type isapplication/json(in case of REST), where we can throw appropriate exception on the check failure. -
Similarly, we will be returning
application/jsonin response body. So, if a request specifies any other content-type in theAcceptheader, we fail the request throwing appropriate exception.
Discussed about the issue with [email protected] with regards to Phoenix runtime: He informed me that currently they are planning on passing on the below headers:
-
X-MS-API-ROLE -
X-MS-CLIENT-PRINCIPAL -
Content-Type
He told me that it should be fine to forward the Accept header as well.
Discussed with [email protected] with regards to SWA:
In his own words "we're discussing in general how to handle proxying headers so it will be a bit for us to finalize and deploy the change, but content-type is something we were planning to forward anyways. I think for graphql it's needed since there's supposed to be support for a special content-type application/graphql".
Sounds like they are already planning to pass on the Content-Type and can also pass Accept header as well but it'll take some time to implement it on their side.
Thanks for following up with those individuals to provide more context here, Ayush!
@Aniruddh25 we might have to move this as well to Jan2023 as we still need SWA->Phoenix to proxy those headers first all the way to DAB.