From f43df572325308386d93df2b7fb2448d2b82dc7e Mon Sep 17 00:00:00 2001
From: Matteo Merli
Date: Wed, 12 Feb 2025 21:20:30 -0800
Subject: [PATCH 1/2] [fix] Potential fix for code scanning alert no. 22: HTTP response splitting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../authentication/AuthenticationProviderSasl.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
index f8841193ba2d2..80edc612caa1f 100644
--- a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
+++ b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
@@ -271,7 +271,7 @@ public boolean authenticateHttpRequest(HttpServletRequest request, HttpServletRe
 } else {
 checkState(request.getHeader(SASL_HEADER_STATE).equalsIgnoreCase(SASL_STATE_SERVER_CHECK_TOKEN));
 setResponseHeaderState(response, SASL_STATE_COMPLETE);
- response.setHeader(SASL_STATE_SERVER, request.getHeader(SASL_STATE_SERVER));
+ response.setHeader(SASL_STATE_SERVER, sanitizeHeaderValue(request.getHeader(SASL_STATE_SERVER)));
 response.setStatus(HttpServletResponse.SC_OK);
 if (log.isDebugEnabled()) {
 log.debug("[{}] Server side role token verified success: {}", request.getRequestURI(),
@@ -325,4 +325,11 @@ public boolean authenticateHttpRequest(HttpServletRequest request, HttpServletRe
 }
 }
 }
+
+ private String sanitizeHeaderValue(String value) {
+ if (value == null) {
+ return null;
+ }
+ return value.replaceAll("[\\r\\n]", "");
+ }
 }
From b64aaf3f8ff0bd2fac66d12323a195d780afc3c5 Mon Sep 17 00:00:00 2001
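Review bot: The changed `response.setHeader` line now echoes a client-supplied request header through `sanitizeHeaderValue`, but nothing at the call site says why, so the next reader cannot tell whether the value is considered trusted. A one-line comment would pin the intent: `// Echo the server token back to the client; CR/LF are stripped so a crafted header value cannot inject additional response header lines.` The check that presumably precedes this branch (the debug log describes the token as verified) and the rest of `authenticateHttpRequest` are outside the hunk.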
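Review bot: `sanitizeHeaderValue` silently rewrites an attacker-controllable value instead of rejecting it, so a request whose token header contains CR or LF receives a 200 with a different token rather than a clear failure. Since a legitimate token should never contain those characters, the safer shape is to treat their presence as an invalid request at the call site, in the same style as the existing state check (`checkState(!value.contains("\r") && !value.contains("\n"));`), and keep the stripping only as a belt-and-braces measure. The regex is also recompiled on every call; the second patch reworks this method, so that point is raised there.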
From: Matteo Merli
Date: Wed, 12 Feb 2025 22:27:10 -0800
Subject: [PATCH 2/2] Potential fix for code scanning alert no. 151: HTTP response splitting
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../broker/authentication/AuthenticationProviderSasl.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
index 80edc612caa1f..351f8d9cfd364 100644
--- a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
+++ b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java
@@ -330,6 +330,7 @@ private String sanitizeHeaderValue(String value) {
 if (value == null) {
 return null;
 }
- return value.replaceAll("[\\r\\n]", "");
+ // Remove CRLF and other special characters
+ return value.replaceAll("[\\r\\n]", "").replaceAll("[^\\x20-\\x7E]", "");
 }
 }
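Review bot: The first `replaceAll("[\\r\\n]", "")` on the new return line is redundant: CR (0x0D) and LF (0x0A) lie outside `\x20-\x7E`, so the second pass already removes them, and the added comment `// Remove CRLF and other special characters` does not say what "special" means or why it matters. Both `replaceAll` calls also compile their regex on every request; hoisting one `static final Pattern` (which needs `java.util.regex.Pattern` imported at the top of the file) makes the intent explicit and the call cheaper. Note that the class also strips HTAB (0x09), which HTTP permits inside a field value, and every non-ASCII character — acceptable if the token is known to be printable ASCII, which is worth confirming and stating in the comment.

```java
private static final Pattern NON_PRINTABLE_ASCII = Pattern.compile("[^\\x20-\\x7E]");

/**
 * Strips every character outside printable ASCII from a header value before it is
 * echoed in a response. CR and LF fall inside the excluded class, which is what
 * prevents a crafted request header from injecting extra response header lines
 * (HTTP response splitting). Returns null for a null input.
 */
private String sanitizeHeaderValue(String value) {
    // … unchanged: null guard …
    return NON_PRINTABLE_ASCII.matcher(value).replaceAll("");
}
```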