Merge pull request #11 from Pet3cy/relax-header-validation-16962389466518057682

🧹 Relax overly restrictive HTTP header name validation
This commit is contained in:
Pet3cy
2026-02-24 18:45:30 +01:00
committed by GitHub
2 changed files with 5 additions and 6 deletions
+4 -3
View File
@@ -121,9 +121,10 @@ function validateAndMaskHeaders(headers: Record<string, unknown>): Record<string
const sensitivePatterns = ['key', 'token', 'secret', 'password', 'authorization']
for (const [name, value] of Object.entries(headers)) {
// Validate header name (basic HTTP header name validation, RFC 7230: letters, digits, and hyphens)
if (!/^[A-Za-z0-9-]+$/.test(name)) {
core.warning(`Skipping invalid header name: ${name} (only alphanumeric characters and hyphens allowed)`)
// Validate header name (RFC 7230: token = 1*tchar)
// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
core.warning(`Skipping invalid header name: ${name} (contains invalid characters)`)
continue
}