Re: [PR] [fix] Potential fix for code scanning alert no. 22: HTTP response splitting [pulsar]

via GitHub Wed, 12 Feb 2025 22:23:41 -0800


github-advanced-security[bot] commented on code in PR #23976:
URL: https://github.com/apache/pulsar/pull/23976#discussion_r1953888391



##########
pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.java:
##########
@@ -271,7 +271,7 @@
             } else {
                 
checkState(request.getHeader(SASL_HEADER_STATE).equalsIgnoreCase(SASL_STATE_SERVER_CHECK_TOKEN));
                 setResponseHeaderState(response, SASL_STATE_COMPLETE);
-                response.setHeader(SASL_STATE_SERVER, 
request.getHeader(SASL_STATE_SERVER));
+                response.setHeader(SASL_STATE_SERVER, 
sanitizeHeaderValue(request.getHeader(SASL_STATE_SERVER)));

Review Comment:
   ## HTTP response splitting
   
   This header depends on a [user-provided value](1), which may cause a 
response-splitting vulnerability.
   
   [Show more 
details](https://github.com/apache/pulsar/security/code-scanning/151)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Re: [PR] [fix] Potential fix for code scanning alert no. 22: HTTP response splitting [pulsar]

Reply via email to