chore: relax HTTP header name validation to match RFC 7230
Updated the regex in `src/helpers.ts` to allow all valid characters in an HTTP token (RFC 7230, section 3.2.6), including symbols like `_`, `.`, `!`, and `*`. Previously, the validation was overly restrictive, only allowing alphanumeric characters and hyphens. Also updated the corresponding unit test in `__tests__/helpers.test.ts` to reflect the change.
@@ -214,13 +214,11 @@ valid123: value5`
|
|||||||
|
|
||||||
expect(result).toEqual({
|
expect(result).toEqual({
|
||||||
'valid-header': 'value1',
|
'valid-header': 'value1',
|
||||||
|
invalid_underscore: 'value3',
|
||||||
valid123: 'value5',
|
valid123: 'value5',
|
||||||
})
|
})
|
||||||
|
|
||||||
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining('Skipping invalid header name: invalid header'))
|
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining('Skipping invalid header name: invalid header'))
|
||||||
expect(core.warning).toHaveBeenCalledWith(
|
|
||||||
expect.stringContaining('Skipping invalid header name: invalid_underscore'),
|
|
||||||
)
|
|
||||||
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining('Skipping invalid header name: invalid@header'))
|
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining('Skipping invalid header name: invalid@header'))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
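Review bot: The fixture key `invalid_underscore` on the added expected-result line is now a positive case, so its name contradicts what the assertion checks; renaming it to something like `valid_underscore: 'value3'` in both the input headers and the expected object keeps the test readable. The surviving negative cases (`invalid header`, `invalid@header`) still cover whitespace and `@`, but nothing exercises the newly permitted tchar symbols such as `.`, `*` or `!`, so a regression that tightens the regex again on those would pass this test; one extra input header such as `'x-custom.name*': 'value6'` with a matching expected entry would close that gap. The input object these expectations refer to appears to be defined above the hunk, so the rename has to be applied there as well.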
|||||||
+4
-3
@@ -121,9 +121,10 @@ function validateAndMaskHeaders(headers: Record<string, unknown>): Record<string
|
|||||||
const sensitivePatterns = ['key', 'token', 'secret', 'password', 'authorization']
|
const sensitivePatterns = ['key', 'token', 'secret', 'password', 'authorization']
|
||||||
|
|
||||||
for (const [name, value] of Object.entries(headers)) {
|
for (const [name, value] of Object.entries(headers)) {
|
||||||
// Validate header name (basic HTTP header name validation, RFC 7230: letters, digits, and hyphens)
|
// Validate header name (RFC 7230: token = 1*tchar)
|
||||||
if (!/^[A-Za-z0-9-]+$/.test(name)) {
|
// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
|
||||||
core.warning(`Skipping invalid header name: ${name} (only alphanumeric characters and hyphens allowed)`)
|
if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
|
||||||
|
core.warning(`Skipping invalid header name: ${name} (contains invalid characters)`)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
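Review bot: The tchar regex on the new `if` line is duplicated between the comment and the code and rebuilt inside the loop; hoisting it to a module-level constant such as `HTTP_TOKEN_RE` with the RFC 7230 tchar comment attached to that declaration keeps the rule in one place and lets the test file assert against the same definition. The character class itself matches RFC 7230 tchar exactly and still excludes whitespace and control characters, so the relaxation looks correct. The visible lines validate `name` only: `value` is destructured on the `for` line but not checked here, and if the remainder of validateAndMaskHeaders (which continues outside the hunk) does not reject CR/LF in values, a value containing a line break would pass through unflagged. The warning interpolates a name that has just failed validation and may therefore contain arbitrary characters; if `core` is `@actions/core` its workflow-command escaping covers `\r`/`\n`, otherwise consider logging `JSON.stringify(name)` so control characters are shown rather than interpreted.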
|||||||