From 5452a727a77f5d57571f16385ff6d4b750276a6a Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Tue, 28 Jan 2025 03:06:52 +0000
Subject: [PATCH] Introduced protections against HTTP header injection /
smuggling attacks
---
pom.xml | 5 +++--
.../java/com/acme/headerinjection/HeaderInjectionVuln.java | 3 ++-
.../com/acme/headerinjection/HeaderInjectionVulnFixed.java | 3 ++-
3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 9b83a72..dd4d3a4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,8 @@
UTF-8
https://sonarcloud.io
pixee
-
+ 1.2.1
+
@@ -31,7 +32,7 @@
io.github.pixee
java-security-toolkit
- 1.2.0
+ ${versions.java-security-toolkit}
diff --git a/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java b/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java
index 8a9df00..301cc85 100644
--- a/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java
+++ b/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java
@@ -1,5 +1,6 @@
package com.acme.headerinjection;
+import io.github.pixee.security.Newlines;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;
@@ -11,7 +12,7 @@ public class HeaderInjectionVuln {
@GET
public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
- response.setHeader("X-Last-Search", q);
+ response.setHeader("X-Last-Search", Newlines.stripAll(q));
return "ok";
}
}
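Review bot: `Newlines.stripAll(q)` on the new line is passed whatever `@QueryParam("q")` yields, which is null when the parameter is absent, so the call only keeps the pre-patch behaviour if the toolkit tolerates a null argument; I believe it returns null in that case, but that should be confirmed against the 1.2.1 source, otherwise guard with `response.setHeader("X-Last-Search", q == null ? null : Newlines.stripAll(q));`. Sanitising by deletion means a request that did carry CR/LF is accepted silently; if the endpoint is meant to be observable in production, rejecting such a value (or at least logging it) gives the detection signal that stripping removes. The class is named HeaderInjectionVuln, which suggests an intentionally vulnerable sample for the sibling HeaderInjectionVulnFixed; if so, the rewrite removes the demonstration case, and a comment such as `// NOTE: intentionally vulnerable sample, do not auto-remediate` would stop the bot re-applying it. The hunk in HeaderInjectionVulnFixed.java wraps the existing `stripNewlines(q)` in a second `Newlines.stripAll(...)`, which is redundant if both only remove CR/LF; one of the two calls should go.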
diff --git a/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java b/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java
index aae054a..e3975e3 100644
--- a/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java
+++ b/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java
@@ -1,5 +1,6 @@
package com.acme.headerinjection;
+import io.github.pixee.security.Newlines;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.QueryParam;
@@ -11,7 +12,7 @@ public class HeaderInjectionVulnFixed {
@GET
public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
- response.setHeader("X-Last-Search", stripNewlines(q));
+ response.setHeader("X-Last-Search", Newlines.stripAll(stripNewlines(q)));
return "ok";
}