
Reject unimplemented/nonstandard HTTP methods at the edge. #79

Closed
sengi opened this issue May 16, 2024 · 0 comments · Fixed by #103
Labels: security (Security-related issue or enhancement (DO NOT USE PUBLIC ISSUES FOR 0-days obvs!))

Comments


sengi commented May 16, 2024

Kudos to @richardTowers for data and proof of concept.

Supporting data:

```sql
select method, count(*)
from fastly_logs.govuk_www
where year=2024 and month=5
and method not in ('GET','HEAD','POST','PUT','DELETE','CONNECT','OPTIONS','TRACE','PATCH','FASTLYPURGE')
group by method
order by count(*) desc;
```

| # | method | count(*) |
|---|--------|----------|
| 1 | DEBUG | 23086 |
| 2 | TENB | 14458 |
| 3 | PROPFIND | 7700 |
| 4 | HEADX | 4029 |
| 5 | TRACK | 3 |
| 6 | BVRPGMCC | 1 |
| 7 | CET | 1 |
| 8 | get | 1 |
| 9 | INDEX | 1 |

I'm pretty sure we can also nuke CONNECT and TRACE.

@sengi sengi self-assigned this May 16, 2024
@sengi sengi removed their assignment Jun 28, 2024
@sengi sengi added the security Security-related issue or enhancement (DO NOT USE PUBLIC ISSUES FOR 0-days obvs!) label Jun 28, 2024
@nimalank7 nimalank7 self-assigned this Aug 20, 2024
nimalank7 added a commit that referenced this issue Aug 30, 2024
Description:
- Previously non-standard/unimplemented HTTP requests such as `DEBUG` would pass through Fastly and hit the origin, where nginx rejects them as 501. See the [MDN documentation](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/501) as to why this is the appropriate status code to return
- Here Fastly is configured to throw a 501 and return custom HTML. The error code `806` and not `805` is used as the latter is used by `_security_txt_response.vcl` in the [shared VCL](https://github.com/alphagov/govuk-fastly/blob/main/modules/shared/_security_txt_response.vcl)
- `FASTLYPURGE` is how the non-standard `PURGE` method appears in [VCL](https://www.fastly.com/documentation/reference/vcl/variables/client-request/req-method/)
- Tested in integration and staging:

```
curl -w '\n%{http_code}\n' -X DEBUG https://www.staging.publishing.service.gov.uk

        <!DOCTYPE html>
        <html>
          <head>
            <title>Welcome to GOV.UK</title>
            <style>
              body { font-family: Arial, sans-serif; margin: 0; }
              header { background: black; }
              h1 { color: white; font-size: 29px; margin: 0 auto; padding: 10px; max-width: 990px; }
              p { color: black; margin: 30px auto; max-width: 990px; }
            </style>
          </head>
          <body>
501
```

- See [proof of concept here](#78) with data to show that it won't block anything unintentionally
- Closes #79
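One way to express this rejection at the edge, shown here as an added illustration rather than the govuk-fastly repository's own VCL: the allow-list (with CONNECT and TRACE deliberately left off, as the issue suggests), the reservation of error code 806 and the placeholder HTML body are assumptions. The anchored, case-sensitive match is what makes `HEADX` and lowercase `get` from the data above fail alongside `DEBUG`.

```vcl
# Added example, not the project's VCL. Assumed: this allow-list, error code 806
# reserved for "method not implemented", and a minimal synthetic body.

sub vcl_recv {
#FASTLY recv

  # Anchored (^ ... $) and case-sensitive: "HEADX", "get", "DEBUG" and "PROPFIND"
  # all fail the match, so the request never reaches origin.
  # FASTLYPURGE stays listed because that is how PURGE appears to VCL; who may
  # purge is controlled separately and is out of scope here.
  if (req.method !~ "^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|FASTLYPURGE)$") {
    error 806 "Not Implemented";
  }

  return(lookup);
}

sub vcl_error {
#FASTLY error

  # Translate the internal 806 into the 501 the client should see.
  if (obj.status == 806) {
    set obj.status = 501;
    set obj.response = "Not Implemented";
    set obj.http.Content-Type = "text/html; charset=utf-8";
    set obj.http.Cache-Control = "private, no-store";
    synthetic {"<!DOCTYPE html>
<html><head><title>501 Not Implemented</title></head>
<body><h1>501 Not Implemented</h1>
<p>The request method is not supported by this server.</p></body></html>"};
    return(deliver);
  }
}
```

After deploying, the same `curl -w '\n%{http_code}\n' -X DEBUG` check used above should print the synthetic body followed by `501`, and the method should stop appearing in the origin's nginx logs.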