Merge pull request from GHSA-hh82-3pmq-7frp
Motivation:
The setObject methods that took arrays and iterators as arguments provided a way to bypass value validation.

Modification:
Add the missing value validation checks.

Result:
It is no longer possible to bypass value validation in DefaultHeaders based implementations, including DefaultHttpHeaders.
chrisvest committed Dec 12, 2022
1 parent cd91cf3 commit fe18adf
Showing 2 changed files with 30 additions and 3 deletions.
@@ -22,7 +22,7 @@
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.function.Executable;

import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
@@ -41,6 +41,7 @@

public class DefaultHttpHeadersTest {
private static final CharSequence HEADER_NAME = "testHeader";
private static final CharSequence ILLEGAL_VALUE = "testHeader\r\nContent-Length:45\r\n\r\n";

@Test
public void nullHeaderNameNotAllowed() {
@@ -234,6 +235,28 @@ public void setObjectIterable() {
assertDefaultValues(headers, HeaderValue.THREE);
}

@Test
public void setCharSequenceValidatesValue() {
final DefaultHttpHeaders headers = newDefaultDefaultHttpHeaders();
assertThrows(IllegalArgumentException.class, new Executable() {
@Override
public void execute() throws Throwable {
headers.set(HEADER_NAME, ILLEGAL_VALUE);
}
});
}

@Test
public void setIterableValidatesValue() {
final DefaultHttpHeaders headers = newDefaultDefaultHttpHeaders();
assertThrows(IllegalArgumentException.class, new Executable() {
@Override
public void execute() throws Throwable {
headers.set(HEADER_NAME, Collections.singleton(ILLEGAL_VALUE));
}
});
}

@Test
public void toStringOnEmptyHeaders() {
assertEquals("DefaultHttpHeaders[]", newDefaultDefaultHttpHeaders().toString());
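Review bot: The two added tests call `headers.set(...)` with a single CharSequence and with `Collections.singleton(ILLEGAL_VALUE)`, so the `setObject(K name, Object... values)` overload patched in the same commit has no regression test visible here. Whether `set` delegates to the patched `setObject` methods is not shown on this page, so the coverage of the Iterable overload is inferred rather than certain. I would add a case that reaches the array overload directly, in whichever test class can call it, and a case where only a later element is illegal, e.g. a two-element list of a legal value followed by `ILLEGAL_VALUE`, so the test pins per-element validation rather than first-element validation. Asserting the contents of `headers` after the exception would also document what state a rejected call leaves behind.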
@@ -532,7 +532,9 @@ public T setObject(K name, Iterable<?> values) {
if (v == null) {
break;
}
add0(h, i, name, fromObject(name, v));
V converted = fromObject(name, v);
validateValue(valueValidator, name, converted);
add0(h, i, name, converted);
}

return thisT();
@@ -550,7 +552,9 @@ public T setObject(K name, Object... values) {
if (v == null) {
break;
}
add0(h, i, name, fromObject(name, v));
V converted = fromObject(name, v);
validateValue(valueValidator, name, converted);
add0(h, i, name, converted);
}

return thisT();
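Review bot: `validateValue` runs inside the loop, immediately before each `add0`, so when a later element is rejected the earlier elements of the same call have already been stored and the exception leaves the entry for `name` partly written; this applies to the `Object...` overload in the second hunk as well. The rejected value itself is never added, so the validation holds, but a caller that catches the exception and keeps using the headers object would see a truncated value list. Both method bodies start outside the hunks, so whatever runs before the loop is not visible here. I would document this on both overloads, e.g. `// Validation is per element: a rejected value is never stored, but values before it in this call already are.`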