Possible Parameter Pollution Vulnerability

Gal Goldshtein

Sep 9, 2020, 6:58:07 AM
to grpc.io

I sent the following email message to grpc-s...@googlegroups.com about a month ago and received no response so trying my luck here:

Hi,


We wanted to report that gRPC's current behavior may lead to an attack similar to "parameter pollution".

When sending a request to a gRPC endpoint and repeating the same field index with the same wire type but different values, the gRPC implementation will pass to the application endpoint only the last occurrence.

This behavior may lead to a situation in which proxies or WAFs which try to make decisions according to the field value may be fooled if their protobuf parser processes the first occurrence of the field instead of the last one.

In our view the expected behavior should be denying protobuf messages containing repeated instances of the same field when the field was not explicitly set with the "repeated" keyword in the proto file.

Attaching the proto file we used and the message we sent.

Thanks,

Gal

Michael Lumish

Sep 9, 2020, 2:50:22 PM
to Gal Goldshtein, grpc.io
The existing behavior you describe is correct. The spec (https://developers.google.com/protocol-buffers/docs/encoding#optional) says "For numeric types and strings, if the same field appears multiple times, the parser accepts the last value it sees. For embedded message fields, the parser merges multiple instances of the same field, as if with the Message::MergeFrom method – that is, all singular scalar fields in the latter instance replace those in the former, singular embedded messages are merged, and repeated fields are concatenated." A parser that uses the first value instead is behaving in violation of the specification.

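The parser differential the two posts describe, as an added example that is not code from the thread or from gRPC: a minimal protobuf wire-format decoder over a constructed message in which singular field 1 appears twice. The `policy` parameter is an assumption of this example; "last" is what the spec quoted above requires, "first" is the WAF behaviour the report warns about, and "strict" is the rejection the reporter proposed.

```python
"""Added example: shows why a proxy keeping the FIRST occurrence of a
non-repeated field disagrees with an endpoint keeping the LAST."""


def read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def decode_fields(buf):
    """Yield (field_number, wire_type, value) in wire order.
    Handles varint (wire type 0) and length-delimited (wire type 2) only."""
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 7
        if wtype == 0:
            value, pos = read_varint(buf, pos)
        elif wtype == 2:
            length, pos = read_varint(buf, pos)
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        yield field, wtype, value


def parse(buf, policy="last"):
    """Resolve duplicate singular fields according to policy (assumed names):
    'last'   - spec behaviour, the endpoint's view
    'first'  - the flawed inspecting-proxy behaviour
    'strict' - reject any duplicate of a singular field, as proposed"""
    out = {}
    for field, _, value in decode_fields(buf):
        if field in out:
            if policy == "strict":
                raise ValueError(f"field {field} repeated in singular context")
            if policy == "first":
                continue
        out[field] = value
    return out


# Constructed message: field 1 (varint) = 1, field 1 again = 2,
# field 2 (string) = "user".  Bytes: 08 01 08 02 12 04 75 73 65 72
MSG = bytes.fromhex("0801" "0802" "120475736572")
```

A WAF that inspects with the "first" policy sees field 1 as 1 while the endpoint acts on 2; both "last" and "strict" close that gap.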

Gal Goldshtein

Sep 9, 2020, 3:12:50 PM
to Michael Lumish, grpc.io
Thanks, somehow I missed it.