(Snyk) Fixed finding: "Improper Neutralization of CRLF Sequences in HTTP Headers" (#3424)

## Remediation

This change fixes "Improper Neutralization of CRLF Sequences in HTTP
Headers" (id = java/HttpResponseSplitting) identified by Snyk.

## Details

This change ensures that HTTP response header values can't contain
newline characters, which would otherwise leave you vulnerable to HTTP
response splitting and other attacks.

If malicious users can get newline characters into an HTTP response
header, they can inject and forge new header values that look like they
came from the server, and trick web gateways, proxies, and browsers.
This leads to vulnerabilities like Cross-site Scripting (XSS), HTTP
response splitting, and more attacks from there.

Our change simply makes sure that if the string passed to be a new
response header value is non-null, all the newline characters (CR and
LF) will be removed:
```diff
+ import io.github.pixee.security.Newlines;
  ...
  String orderId = getUserOrderId();
- response.setHeader("X-Acme-Order-ID", orderId);
+ response.setHeader("X-Acme-Order-ID", Newlines.stripAll(orderId));
```

Note: Many modern application servers will sanitize these values, but
it's almost never specified in documentation, and thus there is little
guarantee against regression. Given that, we still recommend this
practice.

<details>
  <summary>More reading</summary>

* [https://cwe.mitre.org/data/definitions/113](https://cwe.mitre.org/data/definitions/113)
* [https://www.netsparker.com/blog/web-security/crlf-http-header/](https://www.netsparker.com/blog/web-security/crlf-http-header/)
* [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
* [https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/](https://regilero.github.io/security/english/2015/10/04/http_smuggling_in_2015_part_one/)
</details>

Co-authored-by: pixeebot[bot] <104101892+pixeebot[bot]@users.noreply.github.com>
pixeebot[bot] 2025-04-26 23:25:03 +01:00 committed by GitHub
parent 5f8b208db4
commit 29803562eb
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
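As an added example that is not part of this commit or of the pixee library, the following Java class shows the null-safe strip behaviour the commit message describes next to a reject-on-CRLF alternative, and demonstrates on a constructed value why an unsanitized header value turns one header field into two. `HeaderValueSanitizer` and its method names are hypothetical.

```java
import java.util.Objects;

/** Added example (hypothetical class, not project code): CR/LF handling for header values. */
public final class HeaderValueSanitizer {
    private HeaderValueSanitizer() {}

    /** Strip mode: remove every CR and LF; a null value is returned unchanged. */
    public static String stripCrLf(String value) {
        if (value == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\r' && c != '\n') {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Reject mode: refuse any value that could start a new header line. */
    public static String requireSingleLine(String value) {
        Objects.requireNonNull(value, "header value");
        if (value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("header value contains CR or LF");
        }
        return value;
    }

    /** Count the header fields a value produces once serialized onto the wire. */
    static int fieldCount(String headerName, String value) {
        return (headerName + ": " + value + "\r\n").split("\r\n").length;
    }

    public static void main(String[] args) {
        // Constructed sample: an order id into which a line break was smuggled.
        String tainted = "A-1001\r\nX-Injected: 1";
        System.out.println("fields, unsanitized: " + fieldCount("X-Acme-Order-ID", tainted));
        System.out.println("fields, stripped:    " + fieldCount("X-Acme-Order-ID", stripCrLf(tainted)));
        System.out.println("null stays null:     " + (stripCrLf(null) == null));
        try {
            requireSingleLine(tainted);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Stripping keeps the request flowing but silently alters the value, while rejecting surfaces the bad input to the caller; which one fits depends on whether a header value may legitimately be altered.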


@ -121,7 +121,7 @@ public class UserBasedRateLimitingFilter extends OncePerRequestFilter {
if (probe.isConsumed()) {
response.setHeader(
"X-Rate-Limit-Remaining",
Newlines.stripAll(Long.toString(probe.getRemainingTokens())));
stripNewlines(Newlines.stripAll(Long.toString(probe.getRemainingTokens()))));
filterChain.doFilter(request, response);
} else {
long waitForRefill = probe.getNanosToWaitForRefill() / 1_000_000_000;
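Review bot: the replacement line wraps a value that is already passed through `Newlines.stripAll(...)` in the new `stripNewlines(...)`, so the same header value is stripped twice; one call is enough. Note also that `Long.toString(probe.getRemainingTokens())` can only yield digits and an optional minus sign, so neither call can ever remove anything from this particular value. Suggest keeping the single `Newlines.stripAll(...)` call and dropping the outer wrapper.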
@ -141,4 +141,8 @@ public class UserBasedRateLimitingFilter extends OncePerRequestFilter {
.build();
return Bucket.builder().addLimit(limit).build();
}
private static String stripNewlines(final String s) {
return s.replaceAll("[\n\r]", "");
}
}
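Review bot: the new private `stripNewlines` helper duplicates `io.github.pixee.security.Newlines.stripAll`, which this file already calls on the same line, and unlike the null-tolerant behaviour the commit message describes it dereferences `s` without a null check, so `s.replaceAll(...)` throws a NullPointerException on a null value. Suggest removing the helper in favour of the existing library call, or, if a local helper is wanted, guarding it: `return s == null ? null : s.replaceAll("[\n\r]", "");`.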