From 2a95943cfc050657eb6495a46322c66fde000c46 Mon Sep 17 00:00:00 2001
From: "pixeebot-test[bot]" <123999551+pixeebot-test[bot]@users.noreply.github.com>
Date: Sun, 21 Jul 2024 02:06:39 +0000
Subject: [PATCH] Introduced protections against HTTP header injection / smuggling attacks
---
 .../java/com/acme/headerinjection/HeaderInjectionVuln.java | 3 ++-
 .../com/acme/headerinjection/HeaderInjectionVulnFixed.java | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java b/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java
index 8a9df00..301cc85 100644
--- a/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java
+++ b/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java
@@ -1,5 +1,6 @@
 package com.acme.headerinjection;
+import io.github.pixee.security.Newlines;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.QueryParam;
@@ -11,7 +12,7 @@ public class HeaderInjectionVuln {
 @GET
 public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
- response.setHeader("X-Last-Search", q);
+ response.setHeader("X-Last-Search", Newlines.stripAll(q));
 return "ok";
 }
 }
diff --git a/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java b/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java
index aae054a..e3975e3 100644
--- a/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java
+++ b/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java
@@ -1,5 +1,6 @@
 package com.acme.headerinjection;
+import io.github.pixee.security.Newlines;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.QueryParam;
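Review bot: The new `Newlines.stripAll(q)` call in lookupResource of HeaderInjectionVuln.java neutralises CR/LF in the echoed value, but `q` is a `@QueryParam` and is null when the request carries no `?q=`; whether stripAll tolerates null is not visible in this diff, so either confirm it or guard the call, e.g. `response.setHeader("X-Last-Search", q == null ? "" : Newlines.stripAll(q));`. The change also silently rewrites the reflected value rather than rejecting it, which hides probing attempts from logs and monitoring; if that is intended, say so on the line with `// CR/LF stripped (not rejected) so a crafted q cannot terminate the header (CWE-113)`. Note that `io.github.pixee.security.Newlines` is a new third-party import while the diffstat lists only the two Java files, so the build will fail unless that artifact is already declared in the build configuration. The same import and null question apply to the HeaderInjectionVulnFixed.java hunk, where stripAll additionally wraps the existing `stripNewlines(q)` and one of the two passes is redundant; that hunk's closing lines run past the end of this excerpt.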
@@ -11,7 +12,7 @@ public class HeaderInjectionVulnFixed {
 @GET
 public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
- response.setHeader("X-Last-Search", stripNewlines(q));
+ response.setHeader("X-Last-Search", Newlines.stripAll(stripNewlines(q)));
 return "ok";
 }