Header injection and path forgery [security issue]

[n0npax]

I believe there is a security issue with the current implementation of Request.

The full example can be found here

What's wrong:

Request is passing method verb as is to the stream without any kind of validation.
basically:

  var r = Request(
      "GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\nLLAMA:",
      Uri(scheme: "http", path: "/llama", host: "localhost"));
  var rs = await r.send();

generates request like:

sudo nc -l 127.0.0.1 80 
GET HTTP://EXAMPLE.COM/ HTTP/1.1
HOST: EXAMPLE.COM
LLAMA: /llama HTTP/1.1
user-agent: Dart/2.10 (dart:io)
accept-encoding: gzip
content-length: 0
host: localhost

What I'd expect

If HTTP verb(method) is not a part of the known set of verbs (GET/PUT/HEAD/...) I'd expect an exception to be thrown

Why this is a security risk

If the developer is using Request to abstract generating HTTP calls and he's accepting a method param from the user, the user can do some magic like header injection or path forgery.
This can be exploited in many ways and seems to be quite important especially in case there is a reverse proxy is in place. A proxy may just pass someone's request to any host.
By running snippet behind a proxy, I was nicely redirected(like this) to example.com which was injected as per the example above.
Let's assume I'm replacing example.com with my-hackery-uservice.org and the victim is working in a company behind the proxy. This means I can redirect calls with headers/cookies(tokens) and blah blah blah.

[n0npax]

StreamedRequest is also affected.