Strict parser for HSTS

As suggested in #2381 this parses strictly the value for mag-age in the HSTS header line. While it is implemented only in run_hsts() it could be extracted to a separate functioni in the future and used elsewhere too. The improvement is more strict and catches e.g. '==' signs and issues a warning. See https://www.rfc-editor.org/rfc/rfc6797#section-6.1.1 . Also it is picky regarding quotes now which are only allowed enclosing the value.
2025-01-30 20:31:15 +01:00 · 2023-08-28 18:33:41 +02:00 · 2023-08-28 18:33:41 +02:00 · 01ab3acde5
commit 01ab3acde5
parent 1e7219f344
1 changed files with 32 additions and 20 deletions
--- a/testssl.sh
+++ b/testssl.sh
@ -2715,8 +2715,19 @@ run_hsts() {
     match_httpheader_key "Strict-Transport-Security" "HSTS" "$spaces" "true"
     if [[ $? -ne 0 ]]; then
          echo "$HEADERVALUE" >$TMPFILE
-          hsts_age_sec="${HEADERVALUE//[^0-9]/}"
+          # strict parsing now as suggested in #2381
+          hsts_age_sec="${HEADERVALUE#*=}"
+          hsts_age_sec=${hsts_age_sec%%;*}
+          if [[ $hsts_age_sec =~ \" ]]; then
+               # remove first an last " in $hsts_age_sec (borrowed from strip_trailing_space/strip_leading_space):
+               hsts_age_sec=$(printf "%s" "${hsts_age_sec#"${hsts_age_sec%%[!\"]*}"}")
+               hsts_age_sec=$(printf "%s" "${hsts_age_sec%"${hsts_age_sec##*[!\"]}"}")
+          fi
          debugme echo "hsts_age_sec: $hsts_age_sec"
+          if ! is_number "$hsts_age_sec"; then
+               pr_svrty_medium "misconfiguration: \'"$hsts_age_sec"\' is not a valid max-age specification"
+               fileout "${jsonID}_time" "MEDIUM" "misconfiguration, specified not a number for max-age"
+          else
               if [[ -n $hsts_age_sec ]]; then
                    hsts_age_days=$(( hsts_age_sec / 86400))
               else
@ -2738,6 +2749,7 @@ run_hsts() {
                    fileout "${jsonID}_time" "MEDIUM" "max-age too short. $hsts_age_days days (=$hsts_age_sec seconds) < $HSTS_MIN seconds"
                    set_grade_cap "A" "HSTS max-age is too short"
               fi
+          fi
          if includeSubDomains "$TMPFILE"; then
               fileout "${jsonID}_subdomains" "OK" "includes subdomains"
          else