Skip to content

security: audit and prevent header injection via addHeader() #66

Description

@usernane

Problem

The addHeader() method validates that the name is a non-empty string and that the value is a string, but does not check for CRLF characters (\r\n) in either the header name or value. Malicious or malformed input could potentially inject additional headers.

Current Validation

if (typeof name === "string") {
    name = name.trim();
    if (name.length > 0) {
        if (typeof value === "string") {
            this.customHeaders[name] = value;
        }
    }
}

Suggested Fix

Reject header names and values that contain \r, \n, or \0:

function isValidHeaderValue(str) {
    return !/[\r\n\0]/.test(str);
}

Expected Outcome

  • addHeader("X-Custom\r\nEvil: injected", "value") should return false and log a warning
  • addHeader("X-Custom", "value\r\nEvil: injected") should return false and log a warning

Note

Modern browsers block this at the XHR level, but defense-in-depth is appropriate for a library.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingpriority: mediumMedium priority issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions