Merge commit from fork

* Don't pass message on to next handler on authentication failures

* Add change log

* Formatting nit

Author: danotorrey

changelog/unreleased/GHSA-q7g5-jq6p-6wvx.toml

@@ -0,0 +1,2 @@
+type = "s"
+message = "Fixed authentication issue for HTTP inputs. [GHSA-q7g5-jq6p-6wvx](https://github.com/Graylog2/graylog2-server/security/advisories/GHSA-q7g5-jq6p-6wvx)"

graylog2-server/src/main/java/org/graylog2/inputs/transports/netty/HttpHandler.java

@@ -61,6 +61,7 @@ protected void channelRead0(ChannelHandlerContext ctx, HttpRequest request) thro
             final String suppliedAuthHeaderValue = request.headers().get(authorizationHeader);
             if (isBlank(suppliedAuthHeaderValue) || !suppliedAuthHeaderValue.equals(authorizationHeaderValue)) {
                 writeResponse(channel, keepAlive, httpRequestVersion, HttpResponseStatus.UNAUTHORIZED, origin);
+                return;
             }
         }
 

graylog2-server/src/test/java/org/graylog2/inputs/transports/netty/HttpHandlerTest.java

@@ -16,6 +16,9 @@
  */
 package org.graylog2.inputs.transports.netty;
 
+import io.netty.buffer.ByteBuf;
+import io.netty.channel.ChannelHandlerContext;
+import io.netty.channel.SimpleChannelInboundHandler;
 import io.netty.channel.embedded.EmbeddedChannel;
 import io.netty.handler.codec.http.DefaultFullHttpRequest;
 import io.netty.handler.codec.http.DefaultHttpRequest;
@@ -235,7 +238,8 @@ private void testAuthentication(String expectedAuthHeader, String expectedAuthHe
 
         httpRequest.content().writeBytes(GELF_MESSAGE);
 
-        channel = new EmbeddedChannel(new HttpHandler(true, expectedAuthHeader, expectedAuthHeaderValue, "/gelf"));
+        final DownstreamHandler downstreamHandler = new DownstreamHandler();
+        channel = new EmbeddedChannel(new HttpHandler(true, expectedAuthHeader, expectedAuthHeaderValue, "/gelf"), downstreamHandler);
         channel.writeInbound(httpRequest);
         channel.finish();
 
@@ -248,5 +252,25 @@ private void testAuthentication(String expectedAuthHeader, String expectedAuthHe
         assertThat(headers.get(ACCESS_CONTROL_ALLOW_CREDENTIALS)).isEqualTo("true");
         assertThat(headers.get(ACCESS_CONTROL_ALLOW_HEADERS)).isEqualTo("Authorization, Content-Type");
         assertThat(headers.get(CONNECTION)).isEqualTo(HttpHeaderValues.CLOSE.toString());
+        if (expectedStatus == HttpResponseStatus.ACCEPTED) {
+            assertThat(downstreamHandler.received).isTrue();
+        }else if (expectedStatus == HttpResponseStatus.UNAUTHORIZED) {
+            assertThat(downstreamHandler.received).isFalse();
+        } else {
+            throw new AssertionError("Unexpected status: " + expectedStatus);
+        }
+    }
+
+    /**
+     * Downstream handler for confirming that authorization failures halt message flow, and that message flow continues
+     * for authentication successes.
+     */
+    private class DownstreamHandler extends SimpleChannelInboundHandler<ByteBuf> {
+        public boolean received = false;
+
+        @Override
+        protected void channelRead0(ChannelHandlerContext channelHandlerContext, io.netty.buffer.ByteBuf httpRequest) throws Exception {
+            this.received = true;
+        }
     }
 }