Harden URI parsing against CRLF injection (#66)

quinnj · web-flow · commit f8c873491f3a · 2025-06-18T10:55:31.000-06:00
* Reject CRLF characters in URIs

* modernize CI
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,58 +1,50 @@
 name: CI
 on:
-  - push
-  - pull_request
-concurrency: 
-  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
-  cancel-in-progress: true
+  push:
+    branches: [main, master]
+    tags: ["*"]
+  pull_request:
 jobs:
   test:
     name: Julia ${{ matrix.version }} - ${{ matrix.os }} - ${{ matrix.arch }} - ${{ github.event_name }}
     runs-on: ${{ matrix.os }}
-    continue-on-error: ${{ matrix.version == 'nightly' }}
     strategy:
       fail-fast: false
       matrix:
         version:
-          - '1.6'
-          - '1'
-          - 'nightly'
+          - '1' # automatically expands to the latest stable 1.x release of Julia
+          - 'min'
+          - 'pre'
         os:
           - ubuntu-latest
-          - macOS-latest
           - windows-latest
         arch:
           - x64
+        include:
+          - os: macOS-latest
+            arch: aarch64
+            version: 1
     steps:
-      - uses: actions/checkout@v2
-      - uses: julia-actions/setup-julia@v1
+      - uses: actions/checkout@v4
+      - uses: julia-actions/setup-julia@v2
         with:
           version: ${{ matrix.version }}
           arch: ${{ matrix.arch }}
-      - uses: actions/cache@v1
-        env:
-          cache-name: cache-artifacts
+      - uses: julia-actions/cache@v2
+      - uses: julia-actions/julia-buildpkg@v1
+      - uses: julia-actions/julia-runtest@v1
+      - uses: julia-actions/julia-processcoverage@v1
+      - uses: codecov/codecov-action@v5
         with:
-          path: ~/.julia/artifacts
-          key: ${{ runner.os }}-test-${{ env.cache-name }}-${{ hashFiles('**/Project.toml') }}
-          restore-keys: |
-            ${{ runner.os }}-test-${{ env.cache-name }}-
-            ${{ runner.os }}-test-
-            ${{ runner.os }}-
-      - uses: julia-actions/julia-buildpkg@latest
-      - uses: julia-actions/julia-runtest@latest
+          files: lcov.info
+          token: ${{ secrets.CODECOV_TOKEN }}
   docs:
     name: Documentation
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - uses: julia-actions/setup-julia@latest
-        with:
-          version: '1'
-      - run: julia --project=docs -e '
-          using Pkg;
-          Pkg.develop(PackageSpec(; path=pwd()));
-          Pkg.instantiate();'
-      - run: julia --project=docs docs/make.jl
+      - uses: actions/checkout@v4
+      - uses: julia-actions/julia-buildpkg@latest
+      - uses: julia-actions/julia-docdeploy@latest
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DOCUMENTER_KEY: ${{ secrets.DOCUMENTER_KEY }}
diff --git a/src/URIs.jl b/src/URIs.jl
@@ -7,6 +7,15 @@ export URI,
 
 import Base.==
 
+# Reject carriage return and line feed characters which can lead to CRLF injection
+const _CTL = Set(['\r', '\n'])
+
+function _reject_ctl(s::AbstractString, field::Symbol)
+    if any(c -> c in _CTL, s)
+        throw(ArgumentError("URI $field contains control characters; see RFC 3986 & RFC 9110"))
+    end
+end
+
 const DEBUG_LEVEL = Ref(0)
 include("debug.jl")
 include("parseutils.jl")
@@ -82,6 +91,17 @@ function URI(uri::URI; scheme::AbstractString=uri.scheme,
     end
     querys = query isa AbstractString ? query : escapeuri(query)
 
+    # reject control characters in all components
+    !isabsent(scheme)    && _reject_ctl(scheme, :scheme)
+    !isabsent(userinfo)  && _reject_ctl(userinfo, :userinfo)
+    !isabsent(host)      && _reject_ctl(host, :host)
+    if port !== absent
+        _reject_ctl(port, :port)
+    end
+    !isabsent(path)      && _reject_ctl(path, :path)
+    !isabsent(querys)    && _reject_ctl(querys, :query)
+    !isabsent(fragment)  && _reject_ctl(fragment, :fragment)
+
     return URI(nostring, scheme, userinfo, host, port, path, querys, fragment)
 end
 
@@ -149,6 +169,12 @@ https://tools.ietf.org/html/rfc3986#section-4.1
 """
 function parse_uri_reference(str::Union{String, SubString{String}};
                              strict = false)
+    try
+        _reject_ctl(str, :uri)
+    catch e
+        e isa ArgumentError && throw(ParseError(e.msg))
+        rethrow()
+    end
     uri_reference_re = task_local_regex()
     if !exec(uri_reference_re, str)
         throw(ParseError("URI contains invalid character"))
diff --git a/test/uri.jl b/test/uri.jl
@@ -533,6 +533,19 @@ urltests = URLTest[
         @test_throws URIs.ParseError URIs.parse_uri("ht!tp://google.com", strict=true)
     end
 
+    @testset "Control Characters" begin
+        bad = [
+            "http://localhost:1337/ HTTP/1.1\r\nFoo: bar\r\nbaz:",
+            "http://example.com/\rpath",
+            "http://example.com/\n"
+        ]
+        for b in bad
+            @test_throws URIs.ParseError parse(URI, b)
+        end
+        @test_throws ArgumentError URI(; scheme="http", host="example.com\n")
+        @test_throws ArgumentError URI(; scheme="http", host="example.com", path="/a\rb")
+    end
+
     @testset "parse(URI, str) - $u" for u in urltests
         if u.isconnect
             if u.shouldthrow
