Status: Closed
Labels: Resolution-Fixed (The issue is fixed.), WG-Cmdlets-Utility (cmdlets in the Microsoft.PowerShell.Utility module)
Description
Background
PR #10034, which fixes issue #9473, was introduced in 7.0.0-preview.2.
It sets a String.Empty body for GET requests in Invoke-WebRequest and Invoke-RestMethod, which usually do not have a body.
Unfortunately this also leads .NET to add a Content-Length: 0 header because of the String.Empty HTTP request body.
This breaks RFC7230; see the official RFC7230 Section 3.3.2 (https://tools.ietf.org/html/rfc7230#section-3.3.2):
    "A user agent SHOULD NOT send a Content-Length header field when the request message does not contain a payload body and the method semantics do not anticipate such a body."
Why is this a problem?
- To prevent HTTP Request Smuggling attacks, Cloud Service Providers such as AWS and vendors of Application Load Balancers have implemented so-called "HTTP Desync Mitigation modes".
- On AWS, the "Strictest Mode" for example blocks all requests that are not RFC7230 conformant.
  - See https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#desync-mitigation-mode for an explanation. Here is the list of classification reasons that are not RFC7230 conformant: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#classification-reasons
  - GetHeadZeroContentLength: There is a Content-Length header with a value of 0 for a GET or HEAD request.
  - This classifies the request as Acceptable, which is blocked in "Strictest Mode". You cannot use Invoke-WebRequest or Invoke-RestMethod on AWS-hosted websites where this setting has been set; this results in an HTTP 400 - Bad Request.
- This might also affect other Cloud Service Providers like Azure or Google Cloud Platform, but I cannot confirm that, as I'm only using AWS.
Steps to reproduce
- On an AWS Application Load Balancer, set the HTTP Desync Mitigation Mode to "Strictest Mode".
- Then try a simple Invoke-WebRequest on PowerShell 7.0.0-preview.2 or above:

    MY C:\> Invoke-WebRequest -Uri "https://mywebsite.example.com/"
    Invoke-WebRequest: 400 Bad Request
    400 Bad Request

Expected behavior
- Do not set a Content-Length: 0 header, as it is not RFC7230 conformant if you do not have an HTTP request body.
Actual behavior
- PowerShell 7 always sets the HTTP header Content-Length: 0 for GET/HEAD requests without an HTTP request body and therefore violates RFC7230.
Environment data
- This is reproducible on AWS Lambda with PowerShell 7.0.0 on Linux as well as on Windows 10 with PowerShell 7.1.0.
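The issue above can be confirmed without an AWS load balancer. The script below is an added example, not code from the issue or from the PowerShell project: it opens a throwaway loopback TCP server, has each client send one request to it, and reports the raw request line and any Content-Length header. The third client, a bare System.Net.Http.HttpClient GET with no Content set, is included for contrast and doubles as the workaround on affected builds. It assumes PowerShell 7 (Start-ThreadJob ships with it) and that the OS can hand out a free loopback port; the function and parameter names are mine.

```powershell
# Added example (not code from the issue or from the PowerShell project).
# Captures the raw request headers a client sends to a throwaway loopback
# server and reports whether a bodiless GET/HEAD carried Content-Length,
# the header an AWS ALB in "Strictest" desync mitigation mode rejects.
# Assumptions: PowerShell 7 (Start-ThreadJob ships with it), HTTP/1.1, and
# that the OS can hand out a free loopback port. Names below are my own.

function Get-RawRequestHeaders {
    param(
        # Ordered map of label -> scriptblock that takes a URL and issues one request.
        [Parameter(Mandatory)][System.Collections.IDictionary]$Clients
    )

    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Loopback, 0)
    $listener.Start()
    $port = ([System.Net.IPEndPoint]$listener.LocalEndpoint).Port

    # Minimal HTTP/1.1 responder in a thread job: one connection per client,
    # read the header block, answer 200 with Connection: close, emit raw headers.
    $server = Start-ThreadJob -ArgumentList $listener, $Clients.Count -ScriptBlock {
        param($listener, $count)
        for ($i = 0; $i -lt $count; $i++) {
            $conn   = $listener.AcceptTcpClient()
            $stream = $conn.GetStream()
            $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
            $lines  = [System.Collections.Generic.List[string]]::new()
            while ($null -ne ($line = $reader.ReadLine()) -and $line -ne '') { $lines.Add($line) }
            $method = ($lines[0] -split ' ')[0]
            $body   = 'ok'
            $head   = "HTTP/1.1 200 OK`r`nContent-Type: text/plain`r`nContent-Length: $($body.Length)`r`nConnection: close`r`n`r`n"
            # A HEAD response carries the headers only, never the body.
            $text   = if ($method -eq 'HEAD') { $head } else { $head + $body }
            $bytes  = [System.Text.Encoding]::ASCII.GetBytes($text)
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Flush()
            $conn.Close()
            $lines -join "`n"   # one string per request keeps the output ordered
        }
    }

    try {
        foreach ($name in $Clients.Keys) { & $Clients[$name] "http://127.0.0.1:$port/" }
        $captured = @(Receive-Job -Job $server -Wait -AutoRemoveJob)
    } finally {
        $listener.Stop()
        Get-Job -Id $server.Id -ErrorAction SilentlyContinue | Remove-Job -Force
    }

    $i = 0
    foreach ($name in $Clients.Keys) {
        $lines = $captured[$i++] -split "`n"
        $cl = $null
        foreach ($h in $lines) { if ($h -match '^Content-Length:\s*(\d+)') { $cl = [int]$Matches[1] } }
        [pscustomobject]@{
            Client        = $name
            RequestLine   = $lines[0]
            ContentLength = $cl
            # RFC 7230 3.3.2: no Content-Length on a request that has no body
            # and whose method does not anticipate one (GET, HEAD).
            Rfc7230Ok     = ($null -eq $cl)
        }
    }
}

# Three senders: the two cmdlet cases from the issue and, for contrast, a bare
# HttpClient GET with no Content set, which does not emit Content-Length.
$clients = [ordered]@{
    'Invoke-WebRequest GET'  = { param($u) $null = Invoke-WebRequest -Uri $u -Method Get }
    'Invoke-WebRequest HEAD' = { param($u) $null = Invoke-WebRequest -Uri $u -Method Head }
    'HttpClient GET'         = {
        param($u)
        $http = [System.Net.Http.HttpClient]::new()
        try { $null = $http.GetAsync($u).GetAwaiter().GetResult() } finally { $http.Dispose() }
    }
}
Get-RawRequestHeaders -Clients $clients | Format-Table -AutoSize
```

On a build that carries the behaviour described in the issue, the two Invoke-WebRequest rows show ContentLength 0 and Rfc7230Ok False while the HttpClient row shows no Content-Length; on a build with the fix all three rows report Rfc7230Ok True. Because the check runs against a plain TCP socket rather than a real ALB, it tests exactly the bytes on the wire, independent of any proxy or TLS layer in between.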