Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[fix] Potential fix for code scanning alert no. 22: HTTP response splitting #23976

Merged
merged 2 commits into from
Feb 13, 2025
Merged

[fix] Potential fix for code scanning alert no. 22: HTTP response splitting #23976

merged 2 commits into from
Feb 13, 2025
+9 −1

Conversation

merlimat
Copy link
Contributor

@merlimat merlimat commented Feb 13, 2025
edited
Loading

Potential fix for https://github.com/apache/pulsar/security/code-scanning/22

To fix the problem, we need to ensure that any user-provided input used in HTTP headers is properly sanitized to prevent HTTP response splitting. This can be done by removing or escaping special characters such as CRLF from the input before using it in the response header.

The best way to fix this issue is to create a method that sanitizes the input by removing or escaping special characters and then use this method to sanitize the SASL_STATE_SERVER header value before setting it in the response.

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

@merlimat @github-advanced-security
[fix] Potential fix for code scanning alert no. 22: HTTP response spl…
f43df57 
…itting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions GitHub Actions
Copy link

@merlimat Please add the following content to your PR description and select a checkbox:

- [ ] `doc` <!-- Your PR contains doc changes -->
- [ ] `doc-required` <!-- Your PR changes impact docs and you will update later -->
- [ ] `doc-not-needed` <!-- Your PR changes do not impact docs -->
- [ ] `doc-complete` <!-- Docs have been already added -->

@merlimat merlimat marked this pull request as ready for review February 13, 2025 05:20
@merlimat merlimat changed the title Potential fix for code scanning alert no. 22: HTTP response splitting [fix] Potential fix for code scanning alert no. 22: HTTP response splitting Feb 13, 2025
@github-actions github-actions bot added doc-not-needed Your PR changes do not impact docs and removed doc-label-missing labels Feb 13, 2025
@merlimat @github-advanced-security
Potential fix for code scanning alert no. 151: HTTP response splitting
b64aaf3 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
lhotari
lhotari approved these changes Feb 13, 2025
View reviewed changes
Copy link
Member

@lhotari lhotari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@merlimat merlimat merged commit 0e8e50a into master Feb 13, 2025
49 of 52 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lhotari lhotari lhotari approved these changes

Assignees
No one assigned
Labels
doc-not-needed Your PR changes do not impact docs ready-to-test
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@merlimat @lhotari