Proper fix to - Pr 86

[AjayPAnand]

Description

Fixes HTTP Request Smuggling vulnerability identified on the /api/activity_types/ endpoint (and related endpoints). The backend was responding inconsistently to malformed HTTP requests (returning HTTP 419, 501, and other errors), indicating misaligned request parsing between the Nginx reverse proxy and the backend API server.

This change hardens the Nginx proxy configuration to enforce consistent HTTP/1.1 request handling, reject ambiguous headers, and buffer requests before forwarding — eliminating the desynchronisation window that enables smuggling attacks.

Fixes # (issue)

---

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

---

Changes made

production/shared-files/proxy-nginx.conf

• ignore_invalid_headers on — instructs Nginx to silently drop unrecognised or malformed headers rather than forwarding them to the backend, preventing header injection via ambiguous fields.
• client_header_timeout 10s / client_body_timeout 10s — limits how long Nginx waits for a slow or incomplete request, closing the connection before a partial/smuggled request can be processed.
• proxy_set_header Connection "" — clears the Connection header before forwarding, preventing hop-by-hop header smuggling between the proxy and backend.
• proxy_http_version 1.1 — forces HTTP/1.1 between Nginx and the backend, enabling keep-alive and ensuring consistent chunked-encoding handling.
• proxy_request_buffering on / proxy_buffering on — Nginx fully buffers the client request before forwarding, ensuring the backend only ever receives complete, validated requests — eliminating the desync window.

doubtfire-api — submodule updated to commit a1ea9b2 (dirty)
doubtfire-web — submodule updated to commit 14f0746 (dirty)

---

How has this been tested?

1. Start the application and confirm all Docker containers are running:

   docker compose up
   docker ps
   

2. Open Burp Suite and configure your browser to proxy through it.
3. Navigate to the application and capture a request to /api/activity_types/.
4. In Burp Suite Repeater, send the captured request normally — confirm a valid HTTP/1.1 200 OK response.
5. Craft and send malformed variants (mixed Content-Length/Transfer-Encoding, partial headers, duplicate headers) — confirm Nginx now returns a consistent 400 Bad Request rather than 419 CUSTOM, 501 Not Implemented, or partial responses.
6. Confirm normal application functionality is unaffected.

• Test A — Normal request to /api/activity_types/ returns expected response
• Test B — Malformed/smuggled requests are rejected with a consistent error, not passed to backend, Screenshots attached for reference.

---

Checklist

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation if appropriate
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• I have created or extended unit tests to address my new additions
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

---

Security context

Vulnerability: HTTP Request Smuggling (HRS)
Affected endpoint: http://localhost:3000/api/activity_types/
Risk: Significant impact / Moderate likelihood
Discovery method: Burp Suite Repeater - malformed requests produced inconsistent responses (HTTP 419, 501, partial errors), indicating frontend/backend request parsing desynchronisation.

References:

• https://portswigger.net/web-security/request-smuggling

[sabdosh]

Burp Suite Repeater was used to validate the HTTP Request Smuggling remediation. A normal request to /api/activity_types returned HTTP/1.1 200 OK, confirming normal functionality remained operational. Multiple malformed requests using conflicting Content-Length, mixed Transfer-Encoding, and duplicate headers were then tested. These requests returned 400 Bad Request or 408 Request Timeout, demonstrating that Nginx now safely rejects ambiguous requests rather than forwarding them to the backend. No partial responses, custom 419 errors, or 501 responses were observed.

[224599437]

Tested this branch end-to-end following the steps in the PR description. All Docker containers came up cleanly. Normal application functionality is unaffected — confirmed via a standard GET to /api/activity_types/ returning 200 OK with the expected JSON payload (see screenshot). Crafted several malformed request variants in Burp Suite Repeater (mixed Content-Length/Transfer-Encoding, duplicate headers, partial requests) — all consistently returned 400 Bad Request with no backend leakage. The inconsistent 419 CUSTOM and timeout behaviour observed pre-fix is no longer reproducible. Behaviour is exactly what the PR claims.

[SteveDala]

Is this a dependency for the changes?

[SteveDala]

This is not the correct way to adjust the database schema. Please revert this file and make a Rails migration file (run, for example rails generate migration AddEnforceFeedbackBeforeDiscussionToUnits)