fix: Rate limit protection against rapid resets (#4324) (#4325)

Author: johanandren

akka-http-core/src/main/resources/reference.conf

@@ -309,6 +309,11 @@ akka.http{
  # Fail the connection if a sent ping is not acknowledged within this timeout.
  # When zero the ping-interval is used, if set the value must be evenly divisible by less than or equal to the ping-interval.
  ping-timeout = 0s
+
+ # Limit the number of RSTs a client is allowed to do on one connection, per interval
+ # Protects against rapid reset attacks. If a connection goes over the limit, it is closed with HTTP/2 protocol error ENHANCE_YOUR_CALM
+ max-resets = 400
+ max-resets-interval = 10s
  }
 
  websocket{

akka-http-core/src/main/scala/akka/http/impl/engine/http2/Http2Blueprint.scala

@@ -10,7 +10,7 @@ import akka.event.LoggingAdapter
 importakka.http.impl.engine.{HttpConnectionIdleTimeoutBidi, HttpIdleTimeoutException }
 importakka.http.impl.engine.http2.FrameEvent._
 importakka.http.impl.engine.http2.client.ResponseParsing
-importakka.http.impl.engine.http2.framing.{FrameRenderer, Http2FrameParsing }
+importakka.http.impl.engine.http2.framing.{FrameRenderer, Http2FrameParsing, RSTFrameLimit }
 importakka.http.impl.engine.http2.hpack.{HeaderCompression, HeaderDecompression }
 importakka.http.impl.engine.parsing.HttpHeaderParser
 importakka.http.impl.engine.rendering.DateHeaderRendering
@@ -108,7 +108,7 @@ private[http] object Http2Blueprint{
  serverDemux(settings.http2Settings, initialDemuxerSettings, upgraded) atop
 FrameLogger.logFramesIfEnabled(settings.http2Settings.logFrames) atop // enable for debugging
  hpackCoding(masterHttpHeaderParser, settings.parserSettings) atop
- framing(log) atop
+ framing(settings.http2Settings, log) atop
  errorHandling(log) atop
  idleTimeoutIfConfigured(settings.idleTimeout)
  }
@@ -168,10 +168,12 @@ private[http] object Http2Blueprint{
 Flow[ByteString]
  )
 
-defframing(log: LoggingAdapter):BidiFlow[FrameEvent, ByteString, ByteString, FrameEvent, NotUsed] =
+defframing(http2ServerSettings: Http2ServerSettings, log: LoggingAdapter):BidiFlow[FrameEvent, ByteString, ByteString, FrameEvent, NotUsed] =
 BidiFlow.fromFlows(
 Flow[FrameEvent].map(FrameRenderer.render),
-Flow[ByteString].via(newHttp2FrameParsing(shouldReadPreface =true, log)))
+Flow[ByteString].via(newHttp2FrameParsing(shouldReadPreface =true, log))
+ .via(newRSTFrameLimit(http2ServerSettings))
+ )
 
 defframingClient(log: LoggingAdapter):BidiFlow[FrameEvent, ByteString, ByteString, FrameEvent, NotUsed] =
 BidiFlow.fromFlows(

akka-http-core/src/main/scala/akka/http/impl/engine/http2/framing/RSTFrameLimit.scala

@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2023 Lightbend Inc. <https://www.lightbend.com>
+*/
+
+packageakka.http.impl.engine.http2.framing
+
+importakka.annotation.InternalApi
+importakka.http.impl.engine.http2.{FrameEvent, Http2Compliance }
+importakka.http.impl.engine.http2.FrameEvent.RstStreamFrame
+importakka.http.impl.engine.http2.Http2Protocol.ErrorCode
+importakka.http.scaladsl.settings.Http2ServerSettings
+importakka.stream.{Attributes, FlowShape, Inlet, Outlet }
+importakka.stream.stage.{GraphStage, GraphStageLogic, InHandler, OutHandler }
+
+/**
+ * INTERNAL API
+*/
+@InternalApi
+private[akka] finalclassRSTFrameLimit(http2ServerSettings: Http2ServerSettings) extendsGraphStage[FlowShape[FrameEvent, FrameEvent]]{
+
+privatevalmaxResets= http2ServerSettings.maxResets
+privatevalmaxResetsIntervalNanos= http2ServerSettings.maxResetsInterval.toNanos
+
+valin=Inlet[FrameEvent]("in")
+valout=Outlet[FrameEvent]("out")
+valshape=FlowShape(in, out)
+
+overridedefcreateLogic(inheritedAttributes: Attributes):GraphStageLogic=newGraphStageLogic(shape) withInHandlerwithOutHandler{
+privatevarrstSeen=false
+privatevarrstCount=0
+privatevarrstSpanStartNanos=0L
+
+ setHandlers(in, out, this)
+
+overridedefonPush():Unit={
+ grab(in) match{
+caseframe: RstStreamFrame=>
+ rstCount +=1
+valnow=System.nanoTime()
+if (!rstSeen){
+ rstSeen =true
+ rstSpanStartNanos = now
+ push(out, frame)
+ } elseif ((now - rstSpanStartNanos) <= maxResetsIntervalNanos){
+if (rstCount > maxResets){
+ failStage(newHttp2Compliance.Http2ProtocolException(
+ErrorCode.ENHANCE_YOUR_CALM,
+s"Too many RST frames per second for this connection. (Configured limit ${maxResets}/${http2ServerSettings.maxResetsInterval.toCoarsest})"))
+ } else{
+ push(out, frame)
+ }
+ } else{
+// outside time window, reset counter
+ rstCount =1
+ rstSpanStartNanos = now
+ push(out, frame)
+ }
+
+case frame =>
+ push(out, frame)
+ }
+ }
+
+overridedefonPull():Unit= pull(in)
+ }
+}

akka-http-core/src/main/scala/akka/http/javadsl/settings/Http2ServerSettings.scala

@@ -39,6 +39,15 @@ trait Http2ServerSettings{self: scaladsl.settings.Http2ServerSettings with akk
 
 defgetPingTimeout:Duration=Duration.ofMillis(pingTimeout.toMillis)
 defwithPingTimeout(timeout: Duration):Http2ServerSettings= withPingTimeout(timeout.toMillis.millis)
+
+defmaxResets:Int
+
+defwithMaxResets(n: Int):Http2ServerSettings= copy(maxResets = n)
+
+defgetMaxResetsInterval:Duration=Duration.ofMillis(maxResetsInterval.toMillis)
+
+defwithMaxResetsInterval(interval: Duration):Http2ServerSettings= copy(maxResetsInterval = interval.toMillis.millis)
+
 }
 objectHttp2ServerSettingsextendsSettingsCompanion[Http2ServerSettings]{
 defcreate(config: Config):Http2ServerSettings= scaladsl.settings.Http2ServerSettings(config)

akka-http-core/src/main/scala/akka/http/scaladsl/settings/Http2ServerSettings.scala

@@ -88,6 +88,14 @@ trait Http2ServerSettings extends javadsl.settings.Http2ServerSettings with Http
 defpingTimeout:FiniteDuration
 defwithPingTimeout(timeout: FiniteDuration):Http2ServerSettings= copy(pingTimeout = timeout)
 
+defmaxResets:Int
+
+overridedefwithMaxResets(n: Int):Http2ServerSettings= copy(maxResets = n)
+
+defmaxResetsInterval:FiniteDuration
+
+defwithMaxResetsInterval(interval: FiniteDuration):Http2ServerSettings= copy(maxResetsInterval = interval)
+
 @InternalApi
 private[http] definternalSettings:Option[Http2InternalServerSettings]
 @InternalApi
@@ -110,7 +118,10 @@ object Http2ServerSettings extends SettingsCompanion[Http2ServerSettings]{
 logFrames: Boolean,
 pingInterval: FiniteDuration,
 pingTimeout: FiniteDuration,
-internalSettings: Option[Http2InternalServerSettings])
+maxResets: Int,
+maxResetsInterval: FiniteDuration,
+internalSettings: Option[Http2InternalServerSettings]
+ )
 extendsHttp2ServerSettings{
  require(maxConcurrentStreams >=0, "max-concurrent-streams must be >= 0")
  require(requestEntityChunkSize >0, "request-entity-chunk-size must be > 0")
@@ -134,7 +145,9 @@ object Http2ServerSettings extends SettingsCompanion[Http2ServerSettings]{
  logFrames = c.getBoolean("log-frames"),
  pingInterval = c.getFiniteDuration("ping-interval"),
  pingTimeout = c.getFiniteDuration("ping-timeout"),
-None// no possibility to configure internal settings with config
+ maxResets = c.getInt("max-resets"),
+ maxResetsInterval = c.getFiniteDuration("max-resets-interval"),
+ internalSettings =None, // no possibility to configure internal settings with config
  )
  }
 }

akka-http2-support/src/test/scala/akka/http/impl/engine/http2/Http2ServerSpec.scala

@@ -12,6 +12,7 @@ import akka.http.impl.engine.http2.Http2Protocol.ErrorCode
 importakka.http.impl.engine.http2.Http2Protocol.Flags
 importakka.http.impl.engine.http2.Http2Protocol.FrameType
 importakka.http.impl.engine.http2.Http2Protocol.SettingIdentifier
+importakka.http.impl.engine.http2.framing.FrameRenderer
 importakka.http.impl.engine.server.{HttpAttributes, ServerTerminator }
 importakka.http.impl.engine.ws.ByteStringSinkProbe
 importakka.http.impl.util.AkkaSpecWithMaterializer
@@ -22,28 +23,29 @@ import akka.http.scaladsl.model._
 importakka.http.scaladsl.model.headers.CacheDirectives
 importakka.http.scaladsl.model.headers.RawHeader
 importakka.http.scaladsl.settings.ServerSettings
-importakka.stream.Attributes
+importakka.stream.{Attributes, DelayOverflowStrategy, OverflowStrategy }
 importakka.stream.Attributes.LogLevels
-importakka.stream.OverflowStrategy
 importakka.stream.scaladsl.{BidiFlow, Flow, Keep, Sink, Source, SourceQueueWithComplete }
 importakka.stream.testkit.TestPublisher.{ManualProbe, Probe }
 importakka.stream.testkit.scaladsl.StreamTestKit
 importakka.stream.testkit.TestPublisher
 importakka.stream.testkit.TestSubscriber
 importakka.testkit._
-importakka.util.ByteString
+importakka.util.{ByteString, ByteStringBuilder }
 
 importscala.annotation.nowarn
 importjavax.net.ssl.SSLContext
 importorg.scalatest.concurrent.Eventually
 importorg.scalatest.concurrent.PatienceConfiguration.Timeout
 
+importjava.nio.ByteOrder
 importscala.collection.immutable
 importscala.concurrent.duration._
 importscala.concurrent.Await
 importscala.concurrent.ExecutionContext
 importscala.concurrent.Future
 importscala.concurrent.Promise
+importscala.util.Success
 
 /**
  * This tests the http2 server protocol logic.
@@ -1686,6 +1688,31 @@ class Http2ServerSpec extends AkkaSpecWithMaterializer("""
  terminated.futureValue
  }
  }
+
+"not allow high a frequency of resets for one connection" in StreamTestKit.assertAllStagesStopped(newTestSetup{
+
+overridedefsettings:ServerSettings=super.settings.withHttp2Settings(super.settings.http2Settings.withMaxResets(100).withMaxResetsInterval(2.seconds))
+
+// covers CVE-2023-44487 with a rapid sequence of RSTs
+overridedefhandlerFlow:Flow[HttpRequest, HttpResponse, NotUsed] =Flow[HttpRequest].buffer(1000, OverflowStrategy.backpressure).mapAsync(300){req =>
+// never actually reached since rst is in headers
+ req.entity.discardBytes()
+Future.successful(HttpResponse(entity ="Ok").withAttributes(req.attributes))
+ }
+
+ network.toNet.request(100000L)
+valrequest=HttpRequest(protocol =HttpProtocols.`HTTP/2.0`, uri ="/foo")
+valerror= intercept[AssertionError]{
+for (streamId <-1 to 300 by 2){
+ network.sendBytes(
+FrameRenderer.render(HeadersFrame(streamId, true, true, network.encodeRequestHeaders(request), None))
+++FrameRenderer.render(RstStreamFrame(streamId, ErrorCode.CANCEL))
+ )
+ }
+ }
+ error.getMessage should include("Too many RST frames per second for this connection.")
+ network.toNet.cancel()
+ })
  }
 
 implicitclassInWithStoppedStages(name: String){