[fix] Potential fix for code scanning alert no. 22: HTTP response spl…

…itting (#23976) Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
apache · Feb 13, 2025 · 0e8e50a · 0e8e50a
1 parent ee5b13a
commit 0e8e50a
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/...asl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java b/...asl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
@@ -271,7 +271,7 @@ public boolean authenticateHttpRequest(HttpServletRequest request, HttpServletRe
             } else {
                 checkState(request.getHeader(SASL_HEADER_STATE).equalsIgnoreCase(SASL_STATE_SERVER_CHECK_TOKEN));
                 setResponseHeaderState(response, SASL_STATE_COMPLETE);
-                response.setHeader(SASL_STATE_SERVER, request.getHeader(SASL_STATE_SERVER));
+                response.setHeader(SASL_STATE_SERVER, sanitizeHeaderValue(request.getHeader(SASL_STATE_SERVER)));
                 response.setStatus(HttpServletResponse.SC_OK);
                 if (log.isDebugEnabled()) {
                     log.debug("[{}] Server side role token verified success: {}", request.getRequestURI(),
@@ -325,4 +325,12 @@ public boolean authenticateHttpRequest(HttpServletRequest request, HttpServletRe
             }
         }
     }
+
+    private String sanitizeHeaderValue(String value) {
+        if (value == null) {
+            return null;
+        }
+        // Remove CRLF and other special characters
+        return value.replaceAll("[\\r\\n]", "").replaceAll("[^\\x20-\\x7E]", "");
+    }
 }