Merge pull request #32764 from isaacrivriv/update-netty-4.1.126.final

isaacrivriv · web-flow · commit a21c76c82ec4 · 2025-09-09T12:40:12.000-04:00
Updated Netty library to version 4.1.126.Final
diff --git a/dev/cnf/dependabot/check_this_in_if_it_changes/pom.xml b/dev/cnf/dependabot/check_this_in_if_it_changes/pom.xml
@@ -564,57 +564,57 @@
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-buffer</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec-http2</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec-http</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec-socks</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-common</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-handler-proxy</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-handler</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-resolver</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-transport-native-unix-common</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-transport</artifactId>
-      <version>4.1.124.Final</version>
+      <version>4.1.126.Final</version>
     </dependency>
     <dependency>
       <groupId>io.openliberty.arquillian</groupId>
diff --git a/dev/cnf/oss_dependencies.maven b/dev/cnf/oss_dependencies.maven
@@ -108,17 +108,17 @@ io.jaegertracing:jaeger-tracerresolver:0.34.0
 io.jaegertracing:jaeger-tracerresolver:1.6.0
 io.micrometer:micrometer-core:1.9.3
 io.micrometer:micrometer-registry-prometheus:1.9.3
-io.netty:netty-buffer:4.1.124.Final
-io.netty:netty-codec-http2:4.1.124.Final
-io.netty:netty-codec-http:4.1.124.Final
-io.netty:netty-codec-socks:4.1.124.Final
-io.netty:netty-codec:4.1.124.Final
-io.netty:netty-common:4.1.124.Final
-io.netty:netty-handler-proxy:4.1.124.Final
-io.netty:netty-handler:4.1.124.Final
-io.netty:netty-resolver:4.1.124.Final
-io.netty:netty-transport-native-unix-common:4.1.124.Final
-io.netty:netty-transport:4.1.124.Final
+io.netty:netty-buffer:4.1.126.Final
+io.netty:netty-codec-http2:4.1.126.Final
+io.netty:netty-codec-http:4.1.126.Final
+io.netty:netty-codec-socks:4.1.126.Final
+io.netty:netty-codec:4.1.126.Final
+io.netty:netty-common:4.1.126.Final
+io.netty:netty-handler-proxy:4.1.126.Final
+io.netty:netty-handler:4.1.126.Final
+io.netty:netty-resolver:4.1.126.Final
+io.netty:netty-transport-native-unix-common:4.1.126.Final
+io.netty:netty-transport:4.1.126.Final
 io.openliberty.arquillian:arquillian-liberty-support-jakarta:2.1.1
 io.openliberty.arquillian:arquillian-liberty-support:1.0.8
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations-support:1.19.0-alpha
diff --git a/dev/com.ibm.ws.grpc_fat/bnd.bnd b/dev/com.ibm.ws.grpc_fat/bnd.bnd
@@ -11,7 +11,7 @@
 bVersion=1.0
 
 grpcVersion=1.69.0
-nettyVersion=4.1.124.Final
+nettyVersion=4.1.126.Final
 
 
 src: \
diff --git a/dev/io.openliberty.io.netty.ssl/bnd.bnd b/dev/io.openliberty.io.netty.ssl/bnd.bnd
@@ -13,7 +13,7 @@
 
 -include= ~../cnf/resources/bnd/bundle.props
 bVersion=1.0
-nettyVersion=4.1.124.Final
+nettyVersion=4.1.126.Final
 
 Bundle-Name: Netty SSL classes as an OSGi bundle
 Bundle-SymbolicName: io.openliberty.io.netty.ssl
diff --git a/dev/io.openliberty.io.netty/bnd.bnd b/dev/io.openliberty.io.netty/bnd.bnd
@@ -10,7 +10,7 @@
 
 -include= ~../cnf/resources/bnd/bundle.props
 bVersion=1.0
-nettyVersion=4.1.124.Final
+nettyVersion=4.1.126.Final
 
 Bundle-Name: Netty as an OSGi bundle
 Bundle-SymbolicName: io.openliberty.io.netty
diff --git a/dev/io.openliberty.io.netty/src/io/netty/handler/codec/http/HttpDecoderConfig.java b/dev/io.openliberty.io.netty/src/io/netty/handler/codec/http/HttpDecoderConfig.java
@@ -34,6 +34,7 @@ public final class HttpDecoderConfig implements Cloneable {
     private int maxInitialLineLength = HttpObjectDecoder.DEFAULT_MAX_INITIAL_LINE_LENGTH;
     private int maxHeaderSize = HttpObjectDecoder.DEFAULT_MAX_HEADER_SIZE;
     private int initialBufferSize = HttpObjectDecoder.DEFAULT_INITIAL_BUFFER_SIZE;
+    private boolean strictLineParsing = HttpObjectDecoder.DEFAULT_STRICT_LINE_PARSING;
     
     // Liberty Http Options
     private int limitFieldSize = 32768;
@@ -268,6 +269,34 @@ public HttpDecoderConfig setTrailersFactory(HttpHeadersFactory trailersFactory)
         return this;
     }
 
+    public boolean isStrictLineParsing() {
+        return strictLineParsing;
+    }
+    /**
+     * The RFC 9112 specification for the HTTP protocol says that the initial start-line, and the following header
+     * field-lines, must be separated by a Carriage Return (CR) and Line Feed (LF) octet pair, but also offers that
+     * implementations "MAY" accept just a Line Feed octet as a separator.
+     * <p>
+     * Parsing leniencies can increase compatibility with a wider range of implementations, but can also cause
+     * security vulnerabilities, when multiple systems disagree on the meaning of leniently parsed messages.
+     * <p>
+     * When <em>strict line parsing</em> is enabled ({@code true}), then Netty will enforce that start- and header
+     * field-lines MUST be separated by a CR LF octet pair, and will produce messagas with failed
+     * {@link io.netty.handler.codec.DecoderResult}s.
+     * <p>
+     * When <em>strict line parsing</em> is disabled ({@code false}), then Netty will accept lone LF octets as line
+     * seperators for the start- and header field-lines.
+     * <p>
+     * See <a href="https://datatracker.ietf.org/doc/html/rfc9112#name-message-format">RFC 9112 Section 2.1</a>.
+     * @param strictLineParsing Whether <em>strict line parsing</em> should be enabled ({@code true}),
+     * or not ({@code false}).
+     * @return This decoder config.
+     */
+    public HttpDecoderConfig setStrictLineParsing(boolean strictLineParsing) {
+        this.strictLineParsing = strictLineParsing;
+        return this;
+    }
+
     @Override
     public HttpDecoderConfig clone() {
         try {
diff --git a/dev/io.openliberty.io.netty/src/io/netty/handler/codec/http/HttpObjectDecoder.java b/dev/io.openliberty.io.netty/src/io/netty/handler/codec/http/HttpObjectDecoder.java
@@ -26,6 +26,7 @@
 import io.netty.util.AsciiString;
 import io.netty.util.ByteProcessor;
 import io.netty.util.internal.StringUtil;
+import io.netty.util.internal.SystemPropertyUtil;
 
 import java.util.List;
 import java.util.concurrent.atomic.AtomicBoolean;
@@ -151,6 +152,23 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
     public static final boolean DEFAULT_VALIDATE_HEADERS = true;
     public static final int DEFAULT_INITIAL_BUFFER_SIZE = 128;
     public static final boolean DEFAULT_ALLOW_DUPLICATE_CONTENT_LENGTHS = false;
+    public static final boolean DEFAULT_STRICT_LINE_PARSING =
+            SystemPropertyUtil.getBoolean("io.netty.handler.codec.http.defaultStrictLineParsing", true);
+
+    private static final Runnable THROW_INVALID_CHUNK_EXTENSION = new Runnable() {
+        @Override
+        public void run() {
+            throw new InvalidChunkExtensionException();
+        }
+    };
+
+    private static final Runnable THROW_INVALID_LINE_SEPARATOR = new Runnable() {
+        @Override
+        public void run() {
+            throw new InvalidLineSeparatorException();
+        }
+    };
+
     private final int maxChunkSize;
     private final boolean chunkedSupported;
     private final boolean allowPartialChunks;
@@ -163,6 +181,7 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
     protected final HttpHeadersFactory trailersFactory;
     private final boolean allowDuplicateContentLengths;
     private final ByteBuf parserScratchBuffer;
+    private final Runnable defaultStrictCRLFCheck;
     private final HeaderParser headerParser;
     private final LineParser lineParser;
 
@@ -171,7 +190,7 @@ public abstract class HttpObjectDecoder extends ByteToMessageDecoder {
     private long contentLength = Long.MIN_VALUE;
     private boolean chunked;
     private boolean isSwitchingToNonHttp1Protocol;
-    
+
     // Liberty specific configurations
     private int limitFieldSize;
     private int limitNumHeaders;
@@ -320,6 +339,7 @@ protected HttpObjectDecoder(HttpDecoderConfig config) {
         checkNotNull(config, "config");
 
         parserScratchBuffer = Unpooled.buffer(config.getInitialBufferSize());
+        defaultStrictCRLFCheck = config.isStrictLineParsing() ? THROW_INVALID_LINE_SEPARATOR : null;
         shouldDoLibertyCheck = config.isLibertyHttpHeaderOptionsSet();
         lineParser = new LineParser(parserScratchBuffer, config.getMaxInitialLineLength());
         headerParser = new HeaderParser(parserScratchBuffer, shouldDoLibertyCheck ? -1 : config.getMaxHeaderSize());
@@ -347,12 +367,12 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> ou
         if (resetRequested.get()) {
             resetNow();
         }
-        
+
         switch (currentState) {
         case SKIP_CONTROL_CHARS:
             // Fall-through
         case READ_INITIAL: try {
-            ByteBuf line = lineParser.parse(buffer);
+            ByteBuf line = lineParser.parse(buffer, defaultStrictCRLFCheck);
             if (line == null) {
                 return;
             }
@@ -461,7 +481,7 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> ou
          * read chunk, read and ignore the CRLF and repeat until 0
          */
         case READ_CHUNK_SIZE: try {
-            ByteBuf line = lineParser.parse(buffer);
+            ByteBuf line = lineParser.parse(buffer, THROW_INVALID_CHUNK_EXTENSION);
             if (line == null) {
                 return;
             }
@@ -499,16 +519,16 @@ protected void decode(ChannelHandlerContext ctx, ByteBuf buffer, List<Object> ou
             // fall-through
         }
         case READ_CHUNK_DELIMITER: {
-            final int wIdx = buffer.writerIndex();
-            int rIdx = buffer.readerIndex();
-            while (wIdx > rIdx) {
-                byte next = buffer.getByte(rIdx++);
-                if (next == HttpConstants.LF) {
+            if (buffer.readableBytes() >= 2) {
+                int rIdx = buffer.readerIndex();
+                if (buffer.getByte(rIdx) == HttpConstants.CR &&
+                        buffer.getByte(rIdx + 1) == HttpConstants.LF) {
+                    buffer.skipBytes(2);
                     currentState = State.READ_CHUNK_SIZE;
-                    break;
+                } else {
+                    out.add(invalidChunk(buffer, new InvalidChunkTerminationException()));
                 }
             }
-            buffer.readerIndex(rIdx);
             return;
         }
         case READ_CHUNK_FOOTER: try {
@@ -731,7 +751,7 @@ private State readHeaders(ByteBuf buffer) {
 
         final HeaderParser headerParser = this.headerParser;
 
-        ByteBuf line = headerParser.parse(buffer);
+        ByteBuf line = headerParser.parse(buffer, defaultStrictCRLFCheck);
         if (line == null) {
             return null;
         }
@@ -759,7 +779,7 @@ private State readHeaders(ByteBuf buffer) {
                 splitHeader(lineContent, startLine, lineLength);
             }
 
-            line = headerParser.parse(buffer);
+            line = headerParser.parse(buffer, defaultStrictCRLFCheck);
             if (line == null) {
                 return null;
             }
@@ -855,7 +875,7 @@ protected void handleTransferEncodingChunkedWithContentLength(HttpMessage messag
 
     private LastHttpContent readTrailingHeaders(ByteBuf buffer) {
         final HeaderParser headerParser = this.headerParser;
-        ByteBuf line = headerParser.parse(buffer);
+        ByteBuf line = headerParser.parse(buffer, defaultStrictCRLFCheck);
         if (line == null) {
             return null;
         }
@@ -898,7 +918,7 @@ private LastHttpContent readTrailingHeaders(ByteBuf buffer) {
                 name = null;
                 value = null;
             }
-            line = headerParser.parse(buffer);
+            line = headerParser.parse(buffer, defaultStrictCRLFCheck);
             if (line == null) {
                 return null;
             }
@@ -1167,7 +1187,7 @@ private static class HeaderParser {
             this.maxLength = maxLength;
         }
 
-        public ByteBuf parse(ByteBuf buffer) {
+        public ByteBuf parse(ByteBuf buffer, Runnable strictCRLFCheck) {
             final int readableBytes = buffer.readableBytes();
             final int readerIndex = buffer.readerIndex();
             long maxAllowedBody = 0;
@@ -1199,6 +1219,9 @@ public ByteBuf parse(ByteBuf buffer) {
                 // Drop CR if we had a CRLF pair
                 endOfSeqIncluded = indexOfLf - 1;
             } else {
+                if (strictCRLFCheck != null) {
+                    strictCRLFCheck.run();
+                }
                 endOfSeqIncluded = indexOfLf;
             }
             final int newSize = endOfSeqIncluded - readerIndex;
@@ -1234,18 +1257,18 @@ private final class LineParser extends HeaderParser {
         }
 
         @Override
-        public ByteBuf parse(ByteBuf buffer) {
+        public ByteBuf parse(ByteBuf buffer, Runnable strictCRLFCheck) {
             // Suppress a warning because HeaderParser.reset() is supposed to be called
             reset();
             final int readableBytes = buffer.readableBytes();
             if (readableBytes == 0) {
                 return null;
             }
-            final int readerIndex = buffer.readerIndex();
-            if (currentState == State.SKIP_CONTROL_CHARS && skipControlChars(buffer, readableBytes, readerIndex)) {
+            if (currentState == State.SKIP_CONTROL_CHARS &&
+                    skipControlChars(buffer, readableBytes, buffer.readerIndex())) {
                 return null;
             }
-            return super.parse(buffer);
+            return super.parse(buffer, strictCRLFCheck);
         }
 
         private boolean skipControlChars(ByteBuf buffer, int readableBytes, int readerIndex) {
diff --git a/dev/io.openliberty.io.netty/src/io/netty/handler/codec/http2/HttpToHttp2ConnectionHandlerBuilder.java b/dev/io.openliberty.io.netty/src/io/netty/handler/codec/http2/HttpToHttp2ConnectionHandlerBuilder.java
