Reject suspicious encoded characters

Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>

pkg/server/server_entrypoint_tcp.go

@@ -608,6 +608,8 @@ func createHTTPServer(ctx context.Context, ln net.Listener, configuration *stati
 
 	handler = denyFragment(handler)
 
+	handler = denyEncodedCharacters(configuration.HTTP.EncodedCharacters.Map(), handler)
+
 	serverHTTP := &http.Server{
 		Protocols:    &protocols,
 		Handler:      handler,
@@ -707,6 +709,37 @@ func encodeQuerySemicolons(h http.Handler) http.Handler {
 	})
 }
 
+// denyEncodedCharacters reject the request if the escaped path contains encoded characters.
+func denyEncodedCharacters(encodedCharacters map[string]struct{}, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
+		escapedPath := req.URL.EscapedPath()
+
+		for i := 0; i < len(escapedPath); i++ {
+			if escapedPath[i] != '%' {
+				continue
+			}
+
+			// This should never happen as the standard library will reject requests containing invalid percent-encodings.
+			// This discards URLs with a percent character at the end.
+			if i+2 >= len(escapedPath) {
+				rw.WriteHeader(http.StatusBadRequest)
+				return
+			}
+
+			// This rejects a request with a path containing the given encoded characters.
+			if _, exists := encodedCharacters[escapedPath[i:i+3]]; exists {
+				log.FromContext(req.Context()).Debugf("Rejecting request because it contains encoded character %s in the URL path: %s", escapedPath[i:i+3], escapedPath)
+				rw.WriteHeader(http.StatusBadRequest)
+				return
+			}
+
+			i += 2
+		}
+
+		h.ServeHTTP(rw, req)
+	})
+}
+
 // When go receives an HTTP request, it assumes the absence of fragment URL.
 // However, it is still possible to send a fragment in the request.
 // In this case, Traefik will encode the '#' character, altering the request's intended meaning.

pkg/server/server_entrypoint_tcp_test.go

@@ -429,6 +429,59 @@ func TestSanitizePath(t *testing.T) {
 	}
 }
 
+func TestDenyEncodedCharacters(t *testing.T) {
+	tests := []struct {
+		name       string
+		encoded    map[string]struct{}
+		url        string
+		wantStatus int
+	}{
+		{
+			name: "Rejects disallowed characters",
+			encoded: map[string]struct{}{
+				"%0A": {},
+				"%0D": {},
+			},
+			url:        "http://example.com/foo%0Abar",
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name: "Allows valid paths",
+			encoded: map[string]struct{}{
+				"%0A": {},
+				"%0D": {},
+			},
+			url:        "http://example.com/foo%20bar",
+			wantStatus: http.StatusOK,
+		},
+		{
+			name: "Handles empty path",
+			encoded: map[string]struct{}{
+				"%0A": {},
+			},
+			url:        "http://example.com/",
+			wantStatus: http.StatusOK,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			t.Parallel()
+
+			handler := denyEncodedCharacters(test.encoded, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			}))
+
+			req := httptest.NewRequest(http.MethodGet, test.url, nil)
+			res := httptest.NewRecorder()
+
+			handler.ServeHTTP(res, req)
+
+			assert.Equal(t, test.wantStatus, res.Code)
+		})
+	}
+}
+
 func TestNormalizePath(t *testing.T) {
 	unreservedDecoded := "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
 	unreserved := []string{
@@ -575,6 +628,10 @@ func TestPathOperations(t *testing.T) {
 	configuration := &static.EntryPoint{}
 	configuration.SetDefaults()
 
+	// We need to allow some of the suspicious encoded characters to test the path operations in case they are authorized.
+	configuration.HTTP.EncodedCharacters.AllowEncodedSlash = true
+	configuration.HTTP.EncodedCharacters.AllowEncodedPercent = true
+
 	// Create the HTTP server using createHTTPServer.
 	server, err := createHTTPServer(t.Context(), ln, configuration, false, requestdecorator.New(nil))
 	require.NoError(t, err)