This is an automated email from the ASF dual-hosted git repository.

mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 0e8e50ae260 [fix] Potential fix for code scanning alert no. 22: HTTP 
response splitting (#23976)
0e8e50ae260 is described below

commit 0e8e50ae2609e9f681bb7fb9f7d24cf118b1e6e7
Author: Matteo Merli <[email protected]>
AuthorDate: Thu Feb 13 07:56:13 2025 -0800

    [fix] Potential fix for code scanning alert no. 22: HTTP response splitting 
(#23976)
    
    Co-authored-by: Copilot Autofix powered by AI 
<62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../broker/authentication/AuthenticationProviderSasl.java      | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git 
a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
 
b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
index f8841193ba2..351f8d9cfd3 100644
--- 
a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
+++ 
b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
@@ -271,7 +271,7 @@ public class AuthenticationProviderSasl implements 
AuthenticationProvider {
             } else {
                 
checkState(request.getHeader(SASL_HEADER_STATE).equalsIgnoreCase(SASL_STATE_SERVER_CHECK_TOKEN));
                 setResponseHeaderState(response, SASL_STATE_COMPLETE);
-                response.setHeader(SASL_STATE_SERVER, 
request.getHeader(SASL_STATE_SERVER));
+                response.setHeader(SASL_STATE_SERVER, 
sanitizeHeaderValue(request.getHeader(SASL_STATE_SERVER)));
                 response.setStatus(HttpServletResponse.SC_OK);
                 if (log.isDebugEnabled()) {
                     log.debug("[{}] Server side role token verified success: 
{}", request.getRequestURI(),
@@ -325,4 +325,12 @@ public class AuthenticationProviderSasl implements 
AuthenticationProvider {
             }
         }
     }
+
+    private String sanitizeHeaderValue(String value) {
+        if (value == null) {
+            return null;
+        }
+        // Remove CRLF and other special characters
+        return value.replaceAll("[\\r\\n]", "").replaceAll("[^\\x20-\\x7E]", 
"");
+    }
 }
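Review bot: In `sanitizeHeaderValue` the first `replaceAll("[\\r\\n]", "")` is redundant, because CR (0x0D) and LF (0x0A) already fall outside the `[\\x20-\\x7E]` range that the second call keeps, and both calls recompile their regex on every request since `String.replaceAll` compiles its pattern each time. A single precompiled pattern does the same work: `private static final Pattern NON_PRINTABLE_ASCII = Pattern.compile("[^\\x20-\\x7E]");` and `return NON_PRINTABLE_ASCII.matcher(value).replaceAll("");` (requires `java.util.regex.Pattern`). The method also deserves a Javadoc stating why it exists, e.g. `/** Strips CR/LF and other non-printable-ASCII characters from a request-supplied value before it is echoed back in a response header, so a client cannot inject additional header lines. */`. Note that the value is silently altered rather than rejected; if this header is expected to carry a server-issued token (the hunk does not show where it originates), a stripped value would presumably fail verification downstream rather than being accepted, which is worth confirming. The call site is in the first hunk, where the sanitized value is echoed back as `SASL_STATE_SERVER`.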
