|
|
|
|
@ -266,37 +266,37 @@ class RequestValidationMiddleware(BaseHTTPMiddleware):
|
|
|
|
|
return await handle_exception(request, exc)
|
|
|
|
|
|
|
|
|
|
async def _validate_and_forward(self, request: Request, call_next):
|
|
|
|
|
# -------------------------
|
|
|
|
|
# 0. Header validation
|
|
|
|
|
# -------------------------
|
|
|
|
|
header_keys = [key.lower() for key, _ in request.headers.items()]
|
|
|
|
|
# # -------------------------
|
|
|
|
|
# # 0. Header validation
|
|
|
|
|
# # -------------------------
|
|
|
|
|
# header_keys = [key.lower() for key, _ in request.headers.items()]
|
|
|
|
|
|
|
|
|
|
# Check for duplicate headers
|
|
|
|
|
header_counter = Counter(header_keys)
|
|
|
|
|
duplicate_headers = [key for key, count in header_counter.items() if count > 1]
|
|
|
|
|
# # Check for duplicate headers
|
|
|
|
|
# header_counter = Counter(header_keys)
|
|
|
|
|
# duplicate_headers = [key for key, count in header_counter.items() if count > 1]
|
|
|
|
|
|
|
|
|
|
ALLOW_DUPLICATE_HEADERS = {'accept', 'accept-encoding', 'accept-language', 'accept-charset', 'cookie'}
|
|
|
|
|
real_duplicates = [h for h in duplicate_headers if h not in ALLOW_DUPLICATE_HEADERS]
|
|
|
|
|
if real_duplicates:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=422,
|
|
|
|
|
detail=f"Duplicate headers detected: {real_duplicates}",
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
# Whitelist headers
|
|
|
|
|
unknown_headers = [key for key in header_keys if key not in ALLOWED_HEADERS]
|
|
|
|
|
if unknown_headers:
|
|
|
|
|
filtered_unknown = [h for h in unknown_headers if not h.startswith('sec-')]
|
|
|
|
|
if filtered_unknown:
|
|
|
|
|
raise HTTPException(
|
|
|
|
|
status_code=422,
|
|
|
|
|
detail=f"Unknown headers detected: {filtered_unknown}",
|
|
|
|
|
)
|
|
|
|
|
# ALLOW_DUPLICATE_HEADERS = {'accept', 'accept-encoding', 'accept-language', 'accept-charset', 'cookie'}
|
|
|
|
|
# real_duplicates = [h for h in duplicate_headers if h not in ALLOW_DUPLICATE_HEADERS]
|
|
|
|
|
# if real_duplicates:
|
|
|
|
|
# raise HTTPException(
|
|
|
|
|
# status_code=422,
|
|
|
|
|
# detail=f"Duplicate headers detected: {real_duplicates}",
|
|
|
|
|
# )
|
|
|
|
|
|
|
|
|
|
# # Whitelist headers
|
|
|
|
|
# unknown_headers = [key for key in header_keys if key not in ALLOWED_HEADERS]
|
|
|
|
|
# if unknown_headers:
|
|
|
|
|
# filtered_unknown = [h for h in unknown_headers if not h.startswith('sec-')]
|
|
|
|
|
# if filtered_unknown:
|
|
|
|
|
# raise HTTPException(
|
|
|
|
|
# status_code=422,
|
|
|
|
|
# detail=f"Unknown headers detected: {filtered_unknown}",
|
|
|
|
|
# )
|
|
|
|
|
|
|
|
|
|
# Inspect header values
|
|
|
|
|
for key, value in request.headers.items():
|
|
|
|
|
if value:
|
|
|
|
|
inspect_value(value, f"header '{key}'")
|
|
|
|
|
# # Inspect header values
|
|
|
|
|
# for key, value in request.headers.items():
|
|
|
|
|
# if value:
|
|
|
|
|
# inspect_value(value, f"header '{key}'")
|
|
|
|
|
|
|
|
|
|
# -------------------------
|
|
|
|
|
# 1. Query string limits
|
|
|
|
|
|