Fix infinite loop when parsing invalid DAP message.
This commit updates `ContentReader::read` to optionally close the underlying `Reader` when a message is read that does not terminate the DAP header immediately following the `Content-Length` header field. This fixes an infinite loop when parsing an invalid DAP message. In particular, the infinite loop occurs when a cross-site HTTP request from a browser running on the same host as a cppdap server is sent to the server. As cross-site requests to the localhost can be triggered by untrusted JavaScript, more validation of the DAP messages is required to protect cppdap-based servers from malicious requests. This commit introduces a new enum flag on both `Session` and `ContentReader` to allow a user to indicate that the underlying `Reader` should be closed when an invalid DAP message is received. The server example has been updated to indicate that invalid messages should result in closure of the underlying `Reader`.
@@ -30,6 +30,11 @@ int main(int, char*[]) {
|
||||
auto onClientConnected =
|
||||
[&](const std::shared_ptr<dap::ReaderWriter>& socket) {
|
||||
auto session = dap::Session::create();
|
||||
|
||||
// Set the session to close on invalid data. This ensures that data received over the network
|
||||
// receives a baseline level of validation before being processed.
|
||||
session->setOnInvalidData(dap::kClose);
|
||||
|
||||
session->bind(socket);
|
||||
|
||||
// The Initialize request is the first message sent from the client and
|
||||
|
||||
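Review bot: The protection is opt-in at the `session->setOnInvalidData(dap::kClose);` line, so any server that omits this call keeps the old behaviour and, going by the commit message, can still be driven into the infinite loop by a cross-site request to localhost. Consider making close-on-invalid the default for sessions bound to a network socket. Failing that, have the comment say plainly that the call is needed for any socket-backed session and whether it has to come before `session->bind(socket)`. "A baseline level of validation" is also vague: say that the reader is closed when the DAP header is not terminated directly after `Content-Length`. The two added comment lines run past the wrap width of the neighbouring `// The Initialize request ...` comment and should be rewrapped.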