Crlf Injection in Grape with Bearer Tokens

Crlf Injection occurs when an attacker can inject carriage return (CR, \r) and line feed (\n) characters into an HTTP header, causing the header to be split and additional headers or response splitting to occur. In Grape, a Ruby API framework, this risk is heightened when authentication relies on Bearer Tokens in the Authorization header and user-controlled input is reflected into headers or status code text without sanitization.

Consider a Grape endpoint that echoes a token value or uses it to build custom headers or log entries. If an attacker provides a token like valid-token\r\nX-Injected: malicious, and the application directly uses that value in a header assignment or response generation, the injected CRLF sequence can terminate the current header line and start a new one. This can lead to response splitting, header injection, or the smuggling of malicious headers such as Set-Cookie or Location, which may bypass intended security boundaries.

The combination of Bearer Token handling and dynamic header construction is particularly dangerous because APIs often parse the Authorization header, extract the token, and then reflect or log it. If the logging or downstream processing reuses that value in headers—such as X-Request-Token—without strict validation, the injected CRLF can alter the structure of the HTTP response. This may enable attacks like cross-site scripting via response splitting in some client implementations, cache poisoning, or the injection of additional headers that the framework does not intend to expose.

Grape does not inherently sanitize inputs that are used in header contexts. Developers might concatenate user input into headers using Ruby string interpolation, assuming the values are safe because they come from the Authorization header. However, if the token is extracted via regex or string split and then reused, the embedded CRLF characters remain intact. This creates a scenario where an unauthenticated or authenticated request can manipulate the response headers, violating the integrity of the message protocol and potentially exposing sensitive information or enabling further attacks.

Real-world examples include logging mechanisms that write the Authorization header value to a file or network sink without escaping, or custom middleware that adds the token to a diagnostic header. In such cases, the CRLF injection does not require authentication to trigger, as the attacker can supply the malicious token directly in the request. The framework’s permissiveness in header handling means that the injected sequences are passed through to the underlying server, which processes them as valid header delimiters.

Because Grape APIs often serve as backend services for single-page applications or mobile clients, the impact of response splitting can extend beyond the immediate HTTP transaction. Attackers may leverage this to manipulate downstream caches, poison proxy servers, or craft responses that execute scripts in vulnerable clients. The use of Bearer Tokens does not mitigate this; instead, improper handling of these tokens in header construction amplifies the risk by providing a trusted channel for attacker-controlled data to influence the response structure.

Remediation focuses on strict input validation, avoiding header concatenation with user-controlled data, and ensuring that Bearer Token values are never directly reused in header construction. Below are concrete, secure coding practices for Grape applications.

1. Reject Tokens Containing CRLF Sequences

Validate the token immediately after extraction and reject any that contain \r or \n. This prevents injected sequences from entering any downstream processing.

# In a Grape API class or before_filter
before do
  auth_header = request.env['HTTP_AUTHORIZATION']
  if auth_header&.start_with?('Bearer ')
    token = auth_header.split(' ').last
    if token&.match?(/[\r\n]/)
      error!('Invalid token format', 400)
    end
    # Proceed with verified token
  else
    error!('Missing Authorization header', 401)
  end
end

2. Avoid Using Token Values in Headers

Do not assign Bearer Token values to custom response headers. If debugging or tracing is required, use a sanitized identifier or hash instead of the raw token.

# Unsafe: reflecting token in a header
# header['X-Request-Token'] = token

# Safe: use a non-sensitive reference
request_id = SecureRandom.uuid
header['X-Request-ID'] = request_id
# Log the request_id separately for traceability without exposing the token

3. Use Framework-Aware Authentication Helpers

Leverage Grape’s built-in helpers or established libraries (e.g., Knock, Devise) that handle token parsing safely and avoid manual string manipulation that could overlook CRLF characters.

# Using a dedicated authentication method
def current_user
  @current_user ||= User.find_by(auth_token: sanitize_token(params[:token]))
end

def sanitize_token(token)
  return nil if token.to_s.match?(/[\r\n]/)
  # Additional validation logic
  token
end

4. Secure Logging and Error Reporting

Ensure that any logging of Authorization headers redacts or hashes the token value. Never write raw token strings to logs where CRLF injection could alter log structure or be used in log injection attacks.

# Unsafe logger output
# logger.info("Token: #{token}")

# Safe logger output
logger.info("Token present: #{token.present?}, fingerprint: #{Digest::SHA256.hexdigest(token)}")

5. Enforce Strict Content Security and Response Headers

Configure middleware or server-level protections to prevent response splitting. While this is not a substitute for input validation, it adds a layer of defense against malformed responses.

# In config.ru or server configuration
use Rack::Deflater
# Ensure no custom header injection occurs in application code

By combining input validation, avoiding header reflection, and using secure logging, Grape applications can effectively neutralize CRLF injection risks associated with Bearer Tokens. These measures align with secure coding standards and reduce the attack surface without compromising API functionality.