Introduced protections against HTTP header injection / smuggling attacks

Author: pixeebot[bot]

pom.xml

@@ -12,7 +12,8 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <sonar.host.url>https://sonarcloud.io</sonar.host.url>
     <sonar.organization>pixee</sonar.organization>
-  </properties>
+  <versions.java-security-toolkit>1.2.1</versions.java-security-toolkit>
+ </properties>
 
   <dependencyManagement>
     <dependencies>
@@ -31,7 +32,7 @@
       <dependency>
         <groupId>io.github.pixee</groupId>
         <artifactId>java-security-toolkit</artifactId>
-        <version>1.2.0</version>
+        <version>${versions.java-security-toolkit}</version>
       </dependency>
     </dependencies>
   </dependencyManagement>

src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java

@@ -1,5 +1,6 @@
 package com.acme.headerinjection;
 
+import io.github.pixee.security.Newlines;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.QueryParam;
@@ -11,7 +12,7 @@ public class HeaderInjectionVuln {
 
     @GET
     public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
-        response.setHeader("X-Last-Search", q);
+        response.setHeader("X-Last-Search", Newlines.stripAll(q));
         return "ok";
     }
 }

src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java

@@ -1,5 +1,6 @@
 package com.acme.headerinjection;
 
+import io.github.pixee.security.Newlines;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.QueryParam;
@@ -11,7 +12,7 @@ public class HeaderInjectionVulnFixed {
 
     @GET
     public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
-        response.setHeader("X-Last-Search", stripNewlines(q));
+        response.setHeader("X-Last-Search", Newlines.stripAll(stripNewlines(q)));
         return "ok";
     }