[Headers][Fix] Now filtering out CRLF injection from headers

Respawnsive · Dec 9, 2024 · 7b05103 · 7b05103
1 parent b615b1b
commit 7b05103
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 4 deletions.
diff --git a/Apizr/Src/Apizr.Extensions.Microsoft.DependencyInjection/ServiceCollectionExtensions.cs b/Apizr/Src/Apizr.Extensions.Microsoft.DependencyInjection/ServiceCollectionExtensions.cs
@@ -528,6 +528,11 @@ internal static Type AddApizrManagerFor(
                 managerOptions.BaseUriFactory?.Invoke(serviceProvider);
                 managerOptions.BaseAddressFactory?.Invoke(serviceProvider);
                 managerOptions.BasePathFactory?.Invoke(serviceProvider);
+
+                if (managerOptions.BasePath?.Contains("\r") == true ||
+                    managerOptions.BasePath?.Contains("\n") == true)
+                    throw new ArgumentException($"URL path {managerOptions.BasePath} must not contain CR or LF characters");
+
                 var baseAddress = managerOptions.BaseUri?.ToString() ?? managerOptions.BaseAddress;
                 if (Uri.TryCreate(UrlHelper.Combine(baseAddress, managerOptions.BasePath), UriKind.RelativeOrAbsolute, out var baseUri))
                 {

diff --git a/Apizr/Src/Apizr/ApizrBuilder.cs b/Apizr/Src/Apizr/ApizrBuilder.cs
@@ -372,13 +372,23 @@ private static IApizrManagerOptions CreateManagerOptions(IApizrCommonOptions com
             {
                 builder.ApizrOptions.BaseAddressFactory?.Invoke();
                 builder.ApizrOptions.BasePathFactory?.Invoke();
+
+                if(builder.ApizrOptions.BasePath?.Contains("\r") == true || 
+                    builder.ApizrOptions.BasePath?.Contains("\n") == true)
+                    throw new ArgumentException($"URL path {builder.ApizrOptions.BasePath} must not contain CR or LF characters");
+
                 if (Uri.TryCreate(UrlHelper.Combine(builder.ApizrOptions.BaseAddress, builder.ApizrOptions.BasePath), UriKind.RelativeOrAbsolute, out var baseUri))
                     builder.WithBaseAddress(baseUri);
             }
             else if (builder.ApizrOptions.BasePathFactory != null)
             {
                 builder.ApizrOptions.BaseUriFactory?.Invoke();
                 builder.ApizrOptions.BasePathFactory?.Invoke();
+
+                if (builder.ApizrOptions.BasePath?.Contains("\r") == true ||
+                    builder.ApizrOptions.BasePath?.Contains("\n") == true)
+                    throw new ArgumentException($"URL path {builder.ApizrOptions.BasePath} must not contain CR or LF characters");
+
                 if (Uri.TryCreate(UrlHelper.Combine(builder.ApizrOptions.BaseUri?.ToString(), builder.ApizrOptions.BasePath), UriKind.RelativeOrAbsolute, out var baseUri))
                     builder.WithBaseAddress(baseUri);
             }

diff --git a/Apizr/Src/Apizr/Extending/HttpRequestMessageExtensions.cs b/Apizr/Src/Apizr/Extending/HttpRequestMessageExtensions.cs
@@ -176,8 +176,9 @@ internal static bool TrySetHeader(this HttpHeaders headers, string key, string v
             if (value == null || removeOnly) 
                 return true;
 
-            // Remove redact stars (*) if any
-            var headerValue = value.StartsWith("*") && value.EndsWith("*") ? value.Trim('*') : value;
+            // Remove redact stars (*) if any & CRLF injection protection
+            key = EnsureSafe(key);
+            var headerValue = EnsureSafe(value.StartsWith("*") && value.EndsWith("*") ? value.Trim('*') : value);
 
             return headers.TryAddWithoutValidation(key, headerValue);
         }
@@ -202,9 +203,10 @@ internal static bool TrySetHeader(this HttpHeaders headers, string key, IEnumera
             if (values == null || removeOnly)
                 return true;
 
-            // Remove redact stars (*) if any
+            // Remove redact stars (*) if any & CRLF injection protection
+            key = EnsureSafe(key);
             var headerValues = values.Select(headerValue =>
-                    headerValue.StartsWith("*") && headerValue.EndsWith("*") ? headerValue.Trim('*') : headerValue)
+                EnsureSafe(headerValue.StartsWith("*") && headerValue.EndsWith("*") ? headerValue.Trim('*') : headerValue))
                 .ToList();
 
             return headers.TryAddWithoutValidation(key, headerValues);
@@ -226,5 +228,13 @@ internal static bool TryGetHeaderKeyValue(string header, out string key, out str
 
             return !string.IsNullOrWhiteSpace(key);
         }
+
+        internal static string EnsureSafe(string value)
+        {
+            // Remove CR and LF characters
+#pragma warning disable CA1307 // Specify StringComparison for clarity
+            return value.Replace("\r", string.Empty).Replace("\n", string.Empty);
+#pragma warning restore CA1307 // Specify StringComparison for clarity
+        }
     }
 }