FISH-9690: adding new version of grizzly to validate headers RFC-9110

[breakponchito]

Adding Header validation for RFC-9110

Description

This is a security fix to prevent issues based on CVE reported here: [CVE-2024-45687](https://www.cve.org/CVERecord?id=CVE-2024-45687) and here glassfish issue

Important Info

Blockers

Testing

New tests

Manual testing:

Testing Performed

To test this set the dependency version on the payara server: 4.0.0.payara-p2 build and run
deploy the following reproducer:
ReproducerJDK11.zip

By default grizzly is setting two new properties that enable the validation of the headers by default. You can customize this behavior by seeting the following properties from UI or by cli command o directly on the domain.xml file

• -Dorg.glassfish.grizzly.http.STRICT_HEADER_NAME_VALIDATION_RFC_9110=true
• -Dorg.glassfish.grizzly.http.STRICT_HEADER_VALUE_VALIDATION_RFC_9110=true

asadmin create-jvm-options --target=server-config "-Dorg.glassfish.grizzly.http.STRICT_HEADER_NAME_VALIDATION_RFC_9110\=true"

asadmin create-jvm-options --target=server-config "-Dorg.glassfish.grizzly.http.STRICT_HEADER_VALUE_VALIDATION_RFC_9110\=true"

after adding the properties you need to restart the server

by default on the grizzly side those properties are set as true

deploy the reproducer and make curl calls

Header Name Validation tests:

• curl -i -v -H $"X-MyHeader\n: hello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
• curl -i -v -H $"X-MyHeader\r: hello" http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject

the result of any of those test should be error 400:

this will return status 200 but the header will be discarted because of the \0 character

• curl -i -v -H $'X-MyHeader\0: hello' http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject

Header Value Validations tests:

• curl -i -v -H $'X-MyHeader: he\nllo' http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
  
• curl -i -v -H $'X-MyHeader: he\rllo' http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
  
• curl -i -v -H $'X-MyHeader: he\0llo' http://localhost:8080/PayaraServletProject-1.0-SNAPSHOT/PayaraServletProject
  

The \0 is immediately not processed from curl because by default we can't consider that character on the request headers and the the \r and \n characters are not permitted alone on the header value content

Testing Environment

Windows 11, Azul jdk 11, maven 3.9.5

Documentation

working on documentation

Notes for Reviewers

[breakponchito]

this depend of the following PR: payara/patched-src-grizzly#39

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[breakponchito]

Jenkins test please

[luiseufrasio]

LGTM

[breakponchito]

LGTM