
feat: block when Request-Range header is used #4436

Merged
fzipi merged 2 commits into main from chore/remove-request-range
Jan 28, 2026

Conversation

Member

@fzipi fzipi commented Jan 28, 2026

what

  • add new rule for blocking Request-Range header
  • added tests:

Positive Tests (17 tests - should trigger rule 920660):

  1. Basic Request-Range usage (tests 1-4): Simple byte ranges, open-ended ranges, suffix ranges, and multiple ranges
  2. Case variations (tests 5-6): Mixed case and uppercase variations of the header
  3. Different HTTP methods (tests 7-9): GET, POST, HEAD, and PUT requests
  4. Edge cases (tests 10-12): Whitespace in values, large ranges, zero ranges
  5. Historical context (tests 13-14): Simulating old Netscape Navigator and MSIE 3 browsers from the 1990s
  6. Malformed headers (tests 15-16): Invalid syntax and empty values (header still present)
  7. Mixed scenarios (test 17): Both obsolete Request-Range and standard Range headers present

Negative Tests (13 tests - should NOT trigger):

  1. Standard RFC 9110 Range header (tests 18-19): Modern, compliant Range headers
  2. No range headers (tests 20-21): Normal requests without any range-related headers
  3. Other range-related headers (tests 22-24): If-Range, Content-Range, Accept-Ranges
  4. Modern browsers (tests 25-26): Chrome and Firefox with standard Range headers
  5. Edge cases (tests 27-30): Query parameters, POST body content, custom headers (X-Request-Range), and HEAD requests without range headers

why

  • it is obsolete

refs

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
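As an added illustration (not the CRS rule itself, whose text is not shown on this page), the detection described in the PR can be modelled as a header-name check: any request carrying the obsolete Request-Range header is flagged, whatever its value and whatever its case, while the RFC 9110 Range header, If-Range, Content-Range, Accept-Ranges and the look-alike X-Request-Range are left alone. The rule id 920660 is taken from the PR description; the host name, sample requests and the exact-name matching semantics are assumptions made for this example, mirroring the positive and negative groups listed above.

```python
"""Added illustration of the detection described in the PR: block any request that
carries the obsolete Request-Range header, whatever its value, while leaving the
RFC 9110 Range header and other range-related headers alone. Not the CRS rule
itself; the id 920660 comes from the PR description and the samples are constructed."""
import re

RULE_ID = 920660                    # rule id named in the PR description
OBSOLETE_HEADER = "request-range"   # compared case-insensitively, exact name only

# header-field line: token name, colon, optional whitespace, value (may be empty)
_HEADER_RE = re.compile(r"^([!#$%&'*+.^_|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_request_head(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Only the head (request line and header lines up to the first blank line) is
    parsed for headers; text after the blank line is returned as the body, so a
    POST body containing "Request-Range:" is never mistaken for a header.
    """
    m = re.search(r"\r?\n\r?\n", raw)
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, "")
    lines = head.splitlines()
    if not lines:
        raise ValueError("empty request")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        hm = _HEADER_RE.match(line)
        if not hm:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((hm.group(1), hm.group(2)))
    return method, target, headers, body


def evaluate(raw):
    """Decide whether a request would be blocked.

    The match is on the header name only: empty, malformed or oversized values
    all count, the comparison ignores case, and only the exact name matches, so
    Range, If-Range, Content-Range, Accept-Ranges and X-Request-Range pass.
    """
    method, _target, headers, _body = parse_request_head(raw)
    for name, value in headers:
        if name.lower() == OBSOLETE_HEADER:
            return {"blocked": True, "rule_id": RULE_ID, "method": method,
                    "header": name, "value": value}
    return {"blocked": False, "rule_id": None, "method": method,
            "header": None, "value": None}


def _req(method, target, *header_lines, body=""):
    """Build a constructed raw request (host name is made up) for the samples below."""
    head = "\r\n".join((f"{method} {target} HTTP/1.1", "Host: example.test") + header_lines)
    return head + "\r\n\r\n" + body


# Constructed samples mirroring the PR's positive (blocked) and negative (allowed) groups.
SAMPLES = {
    # positive: obsolete header present in some form
    "basic":            _req("GET", "/f.bin", "Request-Range: bytes=0-499"),
    "open_ended_upper": _req("GET", "/f.bin", "REQUEST-RANGE: bytes=500-"),
    "suffix_lower_put": _req("PUT", "/f.bin", "request-range: bytes=-500", "Content-Length: 0"),
    "whitespace_head":  _req("HEAD", "/f.bin", "Request-Range:    bytes=0-0   "),
    "empty_value":      _req("GET", "/f.bin", "Request-Range:"),
    "malformed_value":  _req("GET", "/f.bin", "Request-Range: bytes=abc--"),
    "both_headers":     _req("GET", "/f.bin", "Range: bytes=0-99", "Request-Range: bytes=0-99"),
    # negative: standard or unrelated range headers, or the name outside the headers
    "rfc9110_range":    _req("GET", "/f.bin", "Range: bytes=0-499"),
    "no_range":         _req("GET", "/f.bin"),
    "if_range":         _req("GET", "/f.bin", 'If-Range: "etag-1"', "Range: bytes=0-99"),
    "accept_ranges":    _req("HEAD", "/f.bin", "Accept-Ranges: bytes"),
    "content_range":    _req("PUT", "/f.bin", "Content-Range: bytes 0-9/10", "Content-Length: 10"),
    "x_request_range":  _req("GET", "/f.bin", "X-Request-Range: bytes=0-1"),
    "query_param":      _req("GET", "/f.bin?request-range=bytes%3D0-1"),
    "body_text":        _req("POST", "/upload", "Content-Type: text/plain", "Content-Length: 26",
                             body="Request-Range: bytes=0-499"),
}


def run_samples():
    """Evaluate every sample; returns {name: blocked}."""
    return {name: evaluate(raw)["blocked"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in run_samples().items():
        print(f"{'BLOCK' if blocked else 'allow':5}  {name}")
```

The two edge cases worth checking in any implementation are the ones the negative tests call out: the parser stops at the first blank line so header-looking text in a POST body or in the query string is never matched, and the comparison is on the whole header name, so X-Request-Range does not match even though it contains the obsolete name as a substring.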
@fzipi fzipi requested a review from a team January 28, 2026 14:47
Contributor

github-actions Bot commented Jan 28, 2026

📊 Quantitative test results for language: eng, year: 2023, size: 10K, paranoia level: 1:
🚀 Quantitative testing did not detect new false positives

Signed-off-by: Felipe Zipitria <felipe.zipitria@owasp.org>
@fzipi fzipi added the release:new-feature This PR introduces a new feature label Jan 28, 2026
@fzipi fzipi added this pull request to the merge queue Jan 28, 2026
Merged via the queue into main with commit b54474b Jan 28, 2026
8 checks passed
@fzipi fzipi deleted the chore/remove-request-range branch January 28, 2026 19:02