FISH-9690: adding new version of grizzly to validate headers RFC-9110

[breakponchito]

Adding Header validation for RFC-9110

Description

This is a security fix to prevent issues based on CVE reported here: [CVE-2024-45687](https://www.cve.org/CVERecord?id=CVE-2024-45687) and here glassfish issue

Important Info

Blockers

Testing

New tests

Manual testing:

Testing Performed

To test this set the dependency version on the payara server: 4.0.2.payara-p2 build and run
deploy the following reproducer:
ReproducerJDK11.zip

after starting the server set the following properties on the Payara configuration. You can do it by console ui, command line or directly on the domain.xml file:

• -Dorg.glassfish.grizzly.http.STRICT_HEADER_NAME_VALIDATION_RFC_9110=true
• -Dorg.glassfish.grizzly.http.STRICT_HEADER_VALUE_VALIDATION_RFC_9110=true

asadmin create-jvm-options --target=server-config "-Dorg.glassfish.grizzly.http.STRICT_HEADER_NAME_VALIDATION_RFC_9110\=true"

asadmin create-jvm-options --target=server-config "-Dorg.glassfish.grizzly.http.STRICT_HEADER_VALUE_VALIDATION_RFC_9110\=true"

after adding the properties you need to restart the server

by default on the grizzly side those properties are set as false

deploy the reproducer and make curl calls

Header Name Validation tests:

• curl -i -v -H $"X-MyHeader\n: hello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
• curl -i -v -H $"X-MyHeader\r: hello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
• curl -i -v -H $"X-MyHeader\0: hello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject

the result of any of those test should be error 400:

Header Value Validations tests:

• curl -i -v -H $'X-MyHeader: he\nllo' http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
  
• curl -i -v -H $'X-MyHeader: he\rllo' http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
  
• curl -i -v -H $'X-MyHeader: he\0llo' http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
  

In the case of header validation we can't be very strict on the validation that is why the \n is permitted an is evaluated as a new line on the content for the header value and the \0 is immediately not processed from curl because by default we can't consider that character on the request headers and the \r character can be included as a character on the header values and this will be rejected

Testing Environment

Windows 11, Azul jdk 11, maven 3.9.5

Documentation

working on documentation

Notes for Reviewers

[breakponchito]

this depend of the following PR: payara/patched-src-grizzly#39

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[Pandrex247]

We shouldn't ever be adding anything to this.
Please rework the Grizzly change

Suggested change

<exclude>org.glassfish.grizzly.http</exclude>