puma 6.4.3 → 8.0.2

data/lib/puma/client.rb

@@ -1,15 +1,8 @@
 # frozen_string_literal: true
 
-class IO
-  # We need to use this for a jruby work around on both 1.8 and 1.9.
-  # So this either creates the constant (on 1.8), or harmlessly
-  # reopens it (on 1.9).
-  module WaitReadable
-  end
-end
-
 require_relative 'detect'
 require_relative 'io_buffer'
+require_relative 'client_env'
 require 'tempfile'
 
 if Puma::IS_JRUBY
@@ -28,8 +21,8 @@ module Puma
   #———————————————————————— DO NOT USE — this class is for internal use only ———
 
 
-  # An instance of this class represents a unique request from a client.
-  # For example, this could be a web request from a browser or from CURL.
+  # An instance of this class wraps a connection/socket.
+  # For example, this could be an http request from a browser or from CURL.
   #
   # An instance of `Puma::Client` can be used as if it were an IO object
   # by the reactor. The reactor is expected to call `#to_io`
@@ -37,12 +30,18 @@ module Puma
   # `IO::try_convert` (which may call `#to_io`) when a new socket is
   # registered.
   #
-  # Instances of this class are responsible for knowing if
-  # the header and body are fully buffered via the `try_to_finish` method.
+  # Instances of this class are responsible for knowing if the request line,
+  # headers and body are fully buffered and verified via the `try_to_finish` method.
+  # All verification of each request is done in the `Client` object.
   # They can be used to "time out" a response via the `timeout_at` reader.
   #
+  # Most of the code for env processing and verification is contained
+  # in `Puma::ClientEnv`, which is included.
+  #
   class Client # :nodoc:
 
+    include ClientEnv
+
     # this tests all values but the last, which must be chunked
     ALLOWED_TRANSFER_ENCODING = %w[compress deflate gzip].freeze
 
@@ -64,11 +63,22 @@ module Puma
 
     TE_ERR_MSG = 'Invalid Transfer-Encoding'
 
+    # See:
+    # https://httpwg.org/specs/rfc9110.html#rfc.section.5.6.1.1
+    # https://httpwg.org/specs/rfc9112.html#rfc.section.6.1
+    STRIP_OWS = /\A[ \t]+|[ \t]+\z/
+
     # The object used for a request with no body. All requests with
     # no body share this one object since it has no state.
     EmptyBody = NullIO.new
 
-    include Puma::Const
+    attr_reader :env, :to_io, :body, :io, :timeout_at, :ready, :hijacked,
+                :tempfile, :io_buffer, :http_content_length_limit_exceeded,
+                :requests_served, :error_status_code
+
+    attr_writer :peerip, :http_content_length_limit, :supported_http_methods
+
+    attr_accessor :remote_addr_header, :listener, :env_set_http_version
 
     def initialize(io, env=nil)
       @io = io
@@ -94,7 +104,8 @@ module Puma
       @hijacked = false
 
       @http_content_length_limit = nil
-      @http_content_length_limit_exceeded = false
+      @http_content_length_limit_exceeded = nil
+      @error_status_code = nil
 
       @peerip = nil
       @peer_family = nil
@@ -110,13 +121,6 @@ module Puma
       @read_buffer = String.new # rubocop: disable Performance/UnfreezeString
     end
 
-    attr_reader :env, :to_io, :body, :io, :timeout_at, :ready, :hijacked,
-                :tempfile, :io_buffer, :http_content_length_limit_exceeded
-
-    attr_writer :peerip, :http_content_length_limit
-
-    attr_accessor :remote_addr_header, :listener
-
     # Remove in Puma 7?
     def closed?
       @to_io.closed?
@@ -133,9 +137,9 @@ module Puma
       "#<Puma::Client:0x#{object_id.to_s(16)} @ready=#{@ready.inspect}>"
     end
 
-    # For the hijack protocol (allows us to just put the Client object
-    # into the env)
-    def call
+    # For the full hijack protocol, `env['rack.hijack']` is set to
+    # `client.method :full_hijack`
+    def full_hijack
       @hijacked = true
       env[HIJACK_IO] ||= @io
     end
@@ -150,96 +154,104 @@ module Puma
     end
 
     # Number of seconds until the timeout elapses.
+    # @!attribute [r] timeout
     def timeout
       [@timeout_at - Process.clock_gettime(Process::CLOCK_MONOTONIC), 0].max
     end
 
-    def reset(fast_check=true)
+    def reset
       @parser.reset
       @io_buffer.reset
       @read_header = true
-      @read_proxy = !!@expect_proxy_proto
+      @read_proxy = !!@expect_proxy_proto && @requests_served.zero?
       @env = @proto_env.dup
-      @body = nil
-      @tempfile = nil
       @parsed_bytes = 0
       @ready = false
       @body_remain = 0
       @peerip = nil if @remote_addr_header
       @in_last_chunk = false
-      @http_content_length_limit_exceeded = false
+      @http_content_length_limit_exceeded = nil
+      @error_status_code = nil
+    end
 
+    # only used with back-to-back requests contained in the buffer
+    def process_back_to_back_requests
       if @buffer
         return false unless try_to_parse_proxy_protocol
 
-        @parsed_bytes = @parser.execute(@env, @buffer, @parsed_bytes)
-
-        if @parser.finished?
-          return setup_body
-        elsif @parsed_bytes >= MAX_HEADER
-          raise HttpParserError,
-            "HEADER is longer than allowed, aborting client early."
-        end
-
-        return false
-      else
-        begin
-          if fast_check && @to_io.wait_readable(FAST_TRACK_KA_TIMEOUT)
-            return try_to_finish
-          end
-        rescue IOError
-          # swallow it
-        end
+        @parsed_bytes = parser_execute
 
+        @parser.finished? ? process_env_body : false
       end
     end
 
+    # if a client sends back-to-back requests, the buffer may contain one or more
+    # of them.
+    def has_back_to_back_requests?
+      !(@buffer.nil? || @buffer.empty?)
+    end
+
     def close
+      tempfile_close
       begin
         @io.close
       rescue IOError, Errno::EBADF
-        Puma::Util.purge_interrupt_queue
       end
     end
 
+    def tempfile_close
+      tf_path = @tempfile&.path
+      @tempfile&.close
+      File.unlink(tf_path) if tf_path
+      @tempfile = nil
+      @body = nil
+    rescue Errno::ENOENT, IOError
+    end
+
     # If necessary, read the PROXY protocol from the buffer. Returns
     # false if more data is needed.
     def try_to_parse_proxy_protocol
       if @read_proxy
         if @expect_proxy_proto == :v1
-          if @buffer.include? "\r\n"
-            if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
-              if md[1]
-                @peerip = md[1].split(" ")[0]
+          crlf_index = @buffer.index "\r\n"
+
+          unless crlf_index
+            if "PROXY ".start_with? @buffer
+              return false
+            elsif @buffer.start_with? "PROXY "
+              if @buffer.bytesize >= PROXY_PROTOCOL_V1_MAX_LENGTH
+                raise ConnectionError, "PROXY protocol v1 line is too long"
               end
-              @buffer = md.post_match
+              return false
             end
-            # if the buffer has a \r\n but doesn't have a PROXY protocol
-            # request, this is just HTTP from a non-PROXY client; move on
+
             @read_proxy = false
-            return @buffer.size > 0
-          else
-            return false
+            return true
+          end
+
+          if @buffer.start_with?("PROXY ") && crlf_index + 2 > PROXY_PROTOCOL_V1_MAX_LENGTH
+            raise ConnectionError, "PROXY protocol v1 line is too long"
           end
+
+          if md = PROXY_PROTOCOL_V1_REGEX.match(@buffer)
+            if md[1]
+              @peerip = md[1].split(" ")[0]
+            end
+            @buffer = md.post_match
+          end
+          # if the buffer has a \r\n but doesn't have a PROXY protocol
+          # request, this is just HTTP from a non-PROXY client; move on
+          @read_proxy = false
+          return @buffer.size > 0
         end
       end
       true
     end
 
     def try_to_finish
-      if env[CONTENT_LENGTH] && above_http_content_limit(env[CONTENT_LENGTH].to_i)
-        @http_content_length_limit_exceeded = true
-      end
-
-      if @http_content_length_limit_exceeded
-        @buffer = nil
-        @body = EmptyBody
-        set_ready
-        return true
-      end
-
       return read_body if in_data_phase
 
+      data = nil
       begin
         data = @io.read_nonblock(CHUNK_SIZE)
       rescue IO::WaitReadable
@@ -265,26 +277,17 @@ module Puma
 
       return false unless try_to_parse_proxy_protocol
 
-      @parsed_bytes = @parser.execute(@env, @buffer, @parsed_bytes)
-
-      if @parser.finished? && above_http_content_limit(@parser.body.bytesize)
-        @http_content_length_limit_exceeded = true
-      end
-
-      if @parser.finished?
-        return setup_body
-      elsif @parsed_bytes >= MAX_HEADER
-        raise HttpParserError,
-          "HEADER is longer than allowed, aborting client early."
-      end
+      @parsed_bytes = parser_execute
 
-      false
+      @parser.finished? ? process_env_body : false
     end
 
     def eagerly_finish
       return true if @ready
-      return false unless @to_io.wait_readable(0)
-      try_to_finish
+      while @to_io.wait_readable(0) # rubocop: disable Style/WhileUntilModifier
+        return true if try_to_finish
+      end
+      false
     end
 
     def finish(timeout)
@@ -292,6 +295,58 @@ module Puma
       @to_io.wait_readable(timeout) || timeout! until try_to_finish
     end
 
+    # Wraps `@parser.execute` and adds meaningful error messages
+    # @return [Integer] bytes of buffer read by parser
+    #
+    def parser_execute
+      ret = @parser.execute(@env, @buffer, @parsed_bytes)
+
+      if @env[REQUEST_METHOD] && @supported_http_methods != :any && !@supported_http_methods.key?(@env[REQUEST_METHOD])
+        raise HttpParserError501, "#{@env[REQUEST_METHOD]} method is not supported"
+      end
+      ret
+    rescue => e
+      @env[HTTP_CONNECTION] = 'close'
+      raise e unless HttpParserError === e && e.message.include?('non-SSL')
+
+      req, _ = @buffer.split "\r\n\r\n"
+      request_line, headers = req.split "\r\n", 2
+
+      # below checks for request issues and changes error message accordingly
+      if !@env.key? REQUEST_METHOD
+        if request_line.count(' ') != 2
+           # maybe this is an SSL connection ?
+          raise e
+        else
+          method = request_line[/\A[^ ]+/]
+          raise e, "Invalid HTTP format, parsing fails. Bad method #{method}"
+        end
+      elsif !@env.key? REQUEST_PATH
+        path = request_line[/\A[^ ]+ +([^ ?\r\n]+)/, 1]
+        raise e, "Invalid HTTP format, parsing fails. Bad path #{path}"
+      elsif request_line.match?(/\A[^ ]+ +[^ ?\r\n]+\?/) && !@env.key?(QUERY_STRING)
+        query = request_line[/\A[^ ]+ +[^? ]+\?([^ ]+)/, 1]
+        raise e, "Invalid HTTP format, parsing fails. Bad query #{query}"
+      elsif !@env.key? SERVER_PROTOCOL
+        # protocol is bad
+        text = request_line[/[^ ]*\z/]
+        raise HttpParserError, "Invalid HTTP format, parsing fails. Bad protocol #{text}"
+      elsif !headers.empty?
+        # headers are bad
+        hdrs = headers.split("\r\n").map { |h| h.gsub "\n", '\n'}.join "\n"
+        raise HttpParserError, "Invalid HTTP format, parsing fails. Bad headers\n#{hdrs}"
+      end
+    end
+
+    # processes the `env` and the request body
+    def process_env_body
+      temp = setup_body
+      normalize_env
+      req_env_post_parse
+      raise HttpParserError if @error_status_code
+      temp
+    end
+
     def timeout!
       write_error(408) if in_data_phase
       raise ConnectionError
@@ -308,12 +363,12 @@ module Puma
       return @peerip if @peerip
 
       if @remote_addr_header
-        hdr = (@env[@remote_addr_header] || @io.peeraddr.last).split(/[\s,]/).first
+        hdr = (@env[@remote_addr_header] || socket_peerip).split(/[\s,]/).first
         @peerip = hdr
         return hdr
       end
 
-      @peerip ||= @io.peeraddr.last
+      @peerip ||= socket_peerip
     end
 
     def peer_family
@@ -348,38 +403,56 @@ module Puma
 
     private
 
+    IPV4_MAPPED_IPV6_PREFIX = "::ffff:"
+    private_constant :IPV4_MAPPED_IPV6_PREFIX
+
+    def socket_peerip
+      unmap_ipv6(@io.peeraddr.last)
+    end
+
+    # Converts IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1) back to
+    # their IPv4 form. These addresses appear when IPv4 clients connect to
+    # a dual-stack IPv6 socket.
+    def unmap_ipv6(addr)
+      addr.delete_prefix(IPV4_MAPPED_IPV6_PREFIX)
+    end
+
+    # Checks the request `Transfer-Encoding` and/or `Content-Length` to see if
+    # they are valid.  Raises errors if not, otherwise reads the body.
+    # @return [Boolean] true if the body can be completely read, false otherwise
+    #
     def setup_body
       @body_read_start = Process.clock_gettime(Process::CLOCK_MONOTONIC, :float_millisecond)
 
       if @env[HTTP_EXPECT] == CONTINUE
-        # TODO allow a hook here to check the headers before
-        # going forward
+        # TODO allow a hook here to check the headers before going forward
         @io << HTTP_11_100
         @io.flush
       end
 
       @read_header = false
 
-      body = @parser.body
+      parser_body = @parser.body
 
       te = @env[TRANSFER_ENCODING2]
       if te
         te_lwr = te.downcase
         if te.include? ','
-          te_ary = te_lwr.split ','
+          te_ary = te_lwr.split(',').each { |te| te.gsub!(STRIP_OWS, "") }
           te_count = te_ary.count CHUNKED
           te_valid = te_ary[0..-2].all? { |e| ALLOWED_TRANSFER_ENCODING.include? e }
-          if te_ary.last == CHUNKED && te_count == 1 && te_valid
-            @env.delete TRANSFER_ENCODING2
-            return setup_chunked_body body
-          elsif te_count >= 1
+          if te_count > 1
             raise HttpParserError   , "#{TE_ERR_MSG}, multiple chunked: '#{te}'"
+          elsif te_ary.last != CHUNKED
+            raise HttpParserError   , "#{TE_ERR_MSG}, last value must be chunked: '#{te}'"
           elsif !te_valid
             raise HttpParserError501, "#{TE_ERR_MSG}, unknown value: '#{te}'"
           end
+          @env.delete TRANSFER_ENCODING2
+          return setup_chunked_body parser_body
         elsif te_lwr == CHUNKED
           @env.delete TRANSFER_ENCODING2
-          return setup_chunked_body body
+          return setup_chunked_body parser_body
         elsif ALLOWED_TRANSFER_ENCODING.include? te_lwr
           raise HttpParserError     , "#{TE_ERR_MSG}, single value must be chunked: '#{te}'"
         else
@@ -394,36 +467,55 @@ module Puma
       if cl
         # cannot contain characters that are not \d, or be empty
         if CONTENT_LENGTH_VALUE_INVALID.match?(cl) || cl.empty?
+          @error_status_code = 400
+          @env[HTTP_CONNECTION] = 'close'
           raise HttpParserError, "Invalid Content-Length: #{cl.inspect}"
         end
       else
-        @buffer = body.empty? ? nil : body
+        @buffer = parser_body.empty? ? nil : parser_body
         @body = EmptyBody
         set_ready
         return true
       end
 
-      remain = cl.to_i - body.bytesize
+      content_length = cl.to_i
+
+      raise_above_http_content_limit if @http_content_length_limit&.< content_length
+
+      remain = content_length - parser_body.bytesize
 
       if remain <= 0
-        @body = StringIO.new(body)
-        @buffer = nil
+        # Part of the parser_body is a pipelined request OR garbage. We'll deal with that later.
+        if content_length == 0
+          @body = EmptyBody
+          if parser_body.empty?
+            @buffer = nil
+          else
+            @buffer = parser_body
+          end
+        elsif remain == 0
+          @body = StringIO.new parser_body
+          @buffer = nil
+        else
+          @body = StringIO.new(parser_body[0,content_length])
+          @buffer = parser_body[content_length..-1]
+        end
         set_ready
         return true
       end
 
       if remain > MAX_BODY
-        @body = Tempfile.new(Const::PUMA_TMP_BASE)
-        @body.unlink
+        @body = Tempfile.create(Const::PUMA_TMP_BASE)
+        File.unlink @body.path unless IS_WINDOWS
         @body.binmode
         @tempfile = @body
       else
-        # The body[0,0] trick is to get an empty string in the same
-        # encoding as body.
-        @body = StringIO.new body[0,0]
+        # The parser_body[0,0] trick is to get an empty string in the same
+        # encoding as parser_body.
+        @body = StringIO.new parser_body[0,0]
       end
 
-      @body.write body
+      @body.write parser_body
 
       @body_remain = remain
 
@@ -439,46 +531,42 @@ module Puma
       # after this
       remain = @body_remain
 
-      if remain > CHUNK_SIZE
-        want = CHUNK_SIZE
-      else
-        want = remain
-      end
+      # don't bother with reading zero bytes
+      unless remain.zero?
+        begin
+          chunk = @io.read_nonblock(remain.clamp(0, CHUNK_SIZE), @read_buffer)
+        rescue IO::WaitReadable
+          return false
+        rescue SystemCallError, IOError
+          raise ConnectionError, "Connection error detected during read"
+        end
 
-      begin
-        chunk = @io.read_nonblock(want, @read_buffer)
-      rescue IO::WaitReadable
-        return false
-      rescue SystemCallError, IOError
-        raise ConnectionError, "Connection error detected during read"
-      end
+        # No chunk means a closed socket
+        unless chunk
+          @body.close
+          @buffer = nil
+          set_ready
+          raise EOFError
+        end
 
-      # No chunk means a closed socket
-      unless chunk
-        @body.close
-        @buffer = nil
-        set_ready
-        raise EOFError
+        remain -= @body.write(chunk)
       end
 
-      remain -= @body.write(chunk)
-
       if remain <= 0
         @body.rewind
         @buffer = nil
         set_ready
-        return true
+        true
+      else
+        @body_remain = remain
+        false
       end
-
-      @body_remain = remain
-
-      false
     end
 
     def read_chunked_body
       while true
         begin
-          chunk = @io.read_nonblock(4096, @read_buffer)
+          chunk = @io.read_nonblock(CHUNK_SIZE, @read_buffer)
         rescue IO::WaitReadable
           return false
         rescue SystemCallError, IOError
@@ -506,8 +594,8 @@ module Puma
       @prev_chunk = ""
       @excess_cr = 0
 
-      @body = Tempfile.new(Const::PUMA_TMP_BASE)
-      @body.unlink
+      @body = Tempfile.create(Const::PUMA_TMP_BASE)
+      File.unlink @body.path unless IS_WINDOWS
       @body.binmode
       @tempfile = @body
       @chunked_content_length = 0
@@ -520,6 +608,10 @@ module Puma
 
     # @version 5.0.0
     def write_chunk(str)
+      if @http_content_length_limit&.< @chunked_content_length + str.bytesize
+        raise_above_http_content_limit
+      end
+
       @chunked_content_length += @body.write(str)
     end
 
@@ -627,7 +719,7 @@ module Puma
             @partial_part_left = len - part.size
           end
         else
-          if @prev_chunk.size + chunk.size >= MAX_CHUNK_HEADER_SIZE
+          if @prev_chunk.size + line.size >= MAX_CHUNK_HEADER_SIZE
             raise HttpParserError, "maximum size of chunk header exceeded"
           end
 
@@ -652,8 +744,13 @@ module Puma
       @ready = true
     end
 
-    def above_http_content_limit(value)
-      @http_content_length_limit&.< value
+    def raise_above_http_content_limit
+      @http_content_length_limit_exceeded = true
+      @buffer = nil
+      @body = EmptyBody
+      @error_status_code = 413
+      @env[HTTP_CONNECTION] = 'close'
+      raise HttpParserError, "Payload Too Large"
     end
   end
 end