fix: sanitize newlines in SSE event and id fields

[eddieran]

Summary

Fixes #2579

The Emitter.emit(event, data, id) method writes the event and id parameters directly into the SSE stream without sanitizing newline characters. This allows an attacker who controls these fields to inject arbitrary SSE fields (e.g., injecting a fake data: line by embedding \ndata: malicious inside an event name or id).

The data parameter already handles newlines correctly by splitting into separate data: lines, and emit(comment) similarly splits on newlines. However, event and id were passed through unsanitized.

Fix

Strip \r and \n from event and id before writing them to the output stream. This is consistent with the SSE spec, which defines event and id fields as single-line values.

Test plan

• Verify that normal SSE event/id values pass through unchanged
• Verify that event or id values containing \n or \r have those characters stripped, preventing field injection

[tipsy]

augment review

[augmentcode]

🤖 Augment PR Summary

Summary: Sanitizes SSE event and id values by stripping CR/LF before writing them to the stream.
Why: Prevents newline-based SSE field injection when those values are attacker-controlled (fixes #2579).

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

javalin/src/main/java/io/javalin/http/sse/Emitter.kt:17 While CR/LF are stripped from event/id here, emit(comment: String) only splits on \n, so a comment containing \r could still terminate the line and inject additional SSE fields—worth double-checking if comment values can contain carriage returns.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[augmentcode]

javalin/src/main/java/io/javalin/http/sse/Emitter.kt:18 This is a security-sensitive behavior change; there are SSE tests in javalin/src/test/java/io/javalin/TestSse.kt, but none that assert event/id newlines (\n/\r) are sanitized, so a regression could go unnoticed.

Severity: low

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.31%. Comparing base (e0f5458) to head (82194f5).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff            @@
##             master    #2580   +/-   ##
=========================================
  Coverage     86.30%   86.31%           
- Complexity     1542     1545    +3     
=========================================
  Files           157      157           
  Lines          4439     4442    +3     
  Branches        540      542    +2     
=========================================
+ Hits           3831     3834    +3     
  Misses          374      374           
  Partials        234      234           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[tipsy]

Thanks @eddieran - could you add a test or two?

[eddieran]

Hi @tipsy — added two tests:

• event name with newline is stripped to prevent SSE injection — asserts that \\n in the event name is stripped (attacker can't close the event line and inject a data frame).
• event id with CR-LF is stripped to prevent SSE injection — asserts that \\r\\n in the id is stripped (attacker can't spoof an extra event: line after the id).

Also aligned the Emitter.emit signature with master (event: String?) so the nullable contract is preserved.