fix: validate response headers before sending, prevent invalid transform input #921
Open
ferhatelmas
reviewed
Mar 19, 2026
| const headers = reply.getHeaders() | ||
|
|
||
| for (const [key, value] of Object.entries(headers)) { | ||
| if (typeof value === 'string' && INVALID_HEADER_CHAR_PATTERN.test(value)) { |
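Review bot: the typeof value === 'string' guard on the if line means any header whose value is not a plain string is never tested, and reply.getHeaders() can also hold string arrays, so an invalid character inside an array entry would still reach Node unchecked. Consider normalising each value to an array (Array.isArray(value) ? value : [value]) and testing every element, with a test case for an array-valued header. From the visible lines only value is checked; if header names can carry request-derived data anywhere, key deserves the same treatment.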
Member
reply.getHeaders() type includes string array.
I think we don't use it, but shall we add coverage since this is generic?
ferhatelmas
reviewed
Mar 19, 2026
| ) | ||
| app.register(plugins.tracing) | ||
| app.register(plugins.logRequest({ excludeUrls: excludedRoutesFromMonitoring })) | ||
| app.register(plugins.headerValidator) |
Member
Probably negligible and fine, I would use excludedRoutesFromMonitoring to skip this.
Aside, we should probably switch it into a set that also contains / variants.
ferhatelmas
reviewed
Mar 19, 2026
| * Invalid: control characters (0x00-0x1F except TAB) and DEL (0x7F). | ||
| * @see https://tools.ietf.org/html/rfc7230#section-3.2 | ||
| */ | ||
| const INVALID_HEADER_CHAR_PATTERN = /[^\t\x20-\x7e\x80-\xff]/ |
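Review bot: the doc comment above the pattern lists only control characters (0x00-0x1F except TAB) and DEL as invalid, but the negated class [^\t\x20-\x7e\x80-\xff] also rejects every character above 0xFF, so a header value containing a non-Latin-1 character fails validation as well. Say so in the comment so the next reader does not assume such values pass, and add a test for one. The pattern has no g flag, which keeps .test() stateless across calls; worth keeping it that way if the constant is ever edited.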
ferhatelmas
approved these changes
Mar 19, 2026
Member
My main points are addressed. Others are nice to have so approving 👍🏻
What kind of change does this PR introduce?
Bug fix
What is the current behavior?
ERR_INVALID_CHAR which is an uncaught exception resulting in a process crash
What is the new behavior?
Validate response headers before sending and throw an http error instead of allowing node to crash. This acts as a backstop for any invalid response header type errors.
Add missing query parameters validation for transform operations to prevent the invalid input from being set in the first place
Additional context
This issue could be triggered via format, resize, and quality query params on all of the following endpoints:
HEAD /object/public/bucket-name/file-name.jpg
HEAD /object/authenticated/bucket-name/file-name.jpg
HEAD /object/bucket-name/file-name.jpg
GET /object/info/public/bucket-name/file-name.jpg
GET /object/info/authenticated/bucket-name/file-name.jpg
GET /object/info/bucket-name/file-name.jpg
Without header validation any invalid chars in a header results in an uncaught exception
With header validation we handle the characters gracefully and log the offending header
With query param validation this is handled earlier by fastify validation (FST_ERR_VALIDATION)
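The backstop check described above, as an added example that is not code from this PR or the project: it reuses the pattern shown in the diff, extends the check to array and numeric header values, and escapes the offending value before it is logged so the log line cannot be split. The names findInvalidHeaders and escapeForLog and the sample header names are hypothetical.

```javascript
// Same character class as INVALID_HEADER_CHAR_PATTERN in the diff above.
const INVALID_HEADER_CHAR_PATTERN = /[^\t\x20-\x7e\x80-\xff]/

// Escape everything outside printable ASCII so a CR/LF or NUL in the
// offending value cannot forge or split the log entry that reports it.
function escapeForLog(value) {
  return value.replace(/[^\x20-\x7e]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'))
}

// Hypothetical helper: returns one entry per offending header value.
// Handles the value shapes a header map can hold: string, string[], number.
function findInvalidHeaders(headers) {
  const offending = []
  for (const [name, raw] of Object.entries(headers)) {
    const values = Array.isArray(raw) ? raw : [raw]
    values.forEach((value, index) => {
      if (value === undefined || value === null) return
      const text = String(value)
      if (INVALID_HEADER_CHAR_PATTERN.test(text)) {
        offending.push({ name, index, escaped: escapeForLog(text) })
      }
    })
  }
  return offending
}

// Constructed sample headers (not taken from the project).
const sampleHeaders = {
  'content-type': 'image/jpeg',
  'content-length': 1024,
  'x-example-transform': 'format:webp\r\nset-cookie: a=b', // CR/LF
  'set-cookie': ['session=ok', 'theme=dark\u0000'],         // NUL in 2nd entry
  'x-example-note': 'caf\u00e9',                            // 0xE9, allowed
  'x-example-title': 'snow \u2603',                         // above 0xFF
}

// A caller would answer with an HTTP error when this list is non-empty
// instead of handing the headers to Node.
console.log(findInvalidHeaders(sampleHeaders))
```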