HTML comment is injected outside the compressed data #18

Open
pnickerson-cashstar opened this issue Dec 19, 2023 · 1 comment

Comments

@pnickerson-cashstar

I am compiling this as a static module in NGINX 1.24.0 on Ubuntu 20.04. When the module is enabled, curl shows that the random-length HTML comment is showing up successfully.

However, a deeper dive shows that the response body is malformed GZIP data. The file format seems OK, until near the end when the random-length HTML comment shows up as plain text, not compressed. I don't think this is a security risk, since it's still inside the TLS encryption, but this malformed GZIP response has caused a monitoring issue.

A New Relic synthetic monitor, of the simple browser type, with verify SSL enabled, will error out with the errors "incorrect header check" and "Z_DATA_ERROR". It looks like New Relic is using JavaScript and zlib, which errors out when given this malformed compressed response.

To see the malformed compressed response, try this:

curl --header "Accept-Encoding: gzip" --output compressed-response-body.gz --verbose https://example.com/
file compressed-response-body.gz

compressed-response-body.gz: gzip compressed data, from Unix, original size modulo 2^32 1043148064 gzip compressed data, unknown method, has CRC, extra field, has comment, encrypted, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1043148064

The "extra field" might be that uncompressed plain text that's tacked on to the end of the file.

Here's the response body in a hex viewer. You'll see the plain text random-length HTML comment there.

xxd compressed-response-body.gz

00000000: 1f8b 0800 0000 0000 0003 ecfd fb76 1349  .............v.I
...
00018dd0: 76bf 09d0 e399 7880 c1ff 9749 62c2 1839  v.....x....Ib..9
00018de0: 0f83 38f9 ffcf cac8 d0ca c410 3300 78b9  ..8.........3.x.
00018df0: 7475 ed00 4a9a 877a 2c99 0600 3c21 2d2d  tu..J..z,...<!--
00018e00: 2072 616e 646f 6d2d 6c65 6e67 7468 2048   random-length H
00018e10: 544d 4c20 636f 6d6d 656e 743a 2069 6676  TML comment: ifv
00018e20: 4b67 4b78 7864 7437 4d4c 4853 736c 6472  KgKxxdt7MLHSsldr

gunzip compressed-response-body.gz

gzip: compressed-response-body.gz: decompression OK, trailing garbage ignored

I think that the trailing garbage is what's causing my monitoring to fail.

cat compressed-response-body

You'll see that the random-length HTML comment does not show up at all. That's because gunzip considered it to be trailing garbage and so ignored it.
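An added check (not part of the original issue or the module's code) that reproduces what gunzip and the zlib-based monitor are seeing: it parses exactly one gzip member and reports whatever bytes follow its trailer. The sample body is constructed here to mimic the layout in the xxd dump above, with the comment appended in plaintext after the gzip stream.

```python
import gzip
import zlib


def split_gzip_trailing(body: bytes):
    """Decompress one gzip member; return (payload, trailing_bytes).

    zlib.decompressobj(wbits=31) consumes a single gzip member (header,
    deflate stream, CRC32/ISIZE trailer). Anything after that trailer is
    left in .unused_data, which is what gunzip calls "trailing garbage"
    and what a strict zlib client rejects as a bad second member.
    """
    d = zlib.decompressobj(wbits=31)
    payload = d.decompress(body) + d.flush()
    if not d.eof:
        raise ValueError("gzip member is truncated or corrupt")
    return payload, d.unused_data


def check_response(body: bytes) -> dict:
    """Summarise a gzip response body for a monitoring check."""
    payload, trailing = split_gzip_trailing(body)
    return {
        "payload_len": len(payload),
        "trailing_len": len(trailing),
        # The symptom from the report: the comment sits outside the stream.
        "trailing_is_html_comment": trailing.startswith(b"<!--"),
        # Where the comment should be: inside the compressed payload.
        "comment_in_payload": b"random-length HTML comment" in payload,
    }


# Constructed sample data (not captured from a real server).
PAGE = b"<html><body>hello</body></html>"
COMMENT = b"<!-- random-length HTML comment: ifvKgKxxdt7MLHSsldr -->"
# Malformed: comment appended as plaintext after the gzip trailer.
MALFORMED = gzip.compress(PAGE) + COMMENT
# Well-formed: comment is part of the body before compression.
WELL_FORMED = gzip.compress(PAGE + COMMENT)

if __name__ == "__main__":
    for name, body in (("malformed", MALFORMED), ("well-formed", WELL_FORMED)):
        print(name, check_response(body))
```

Run against a body saved with `curl --header "Accept-Encoding: gzip" --output body.gz`, a non-zero `trailing_len` together with `comment_in_payload == False` confirms the comment was written after the compressed stream rather than into it.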

@safx (Member) commented Dec 20, 2023

Thank you for your report!

Unfortunately we could not reproduce the issue. Could you please check your app and Nginx configuration? Perhaps you are enabling gzip in your app and not in Nginx.
