👕 fixed coderabbitai suggestions

anlowee · anlowee · commit f134870d3f07 · 2024-10-25T14:06:52.000Z
diff --git a/components/core/src/clp/CurlDownloadHandler.cpp b/components/core/src/clp/CurlDownloadHandler.cpp
@@ -4,6 +4,8 @@
 #include <cstddef>
 #include <map>
 #include <memory>
+#include <regex>
+#include <set>
 #include <string>
 #include <string_view>
 #include <utility>
@@ -58,9 +60,25 @@ CurlDownloadHandler::CurlDownloadHandler(
         m_http_headers.append("Cache-Control: no-cache");
         m_http_headers.append("Pragma: no-cache");
     }
+    static const std::set<std::string> reserved_headers = {
+        "range",
+        "cache-control",
+        "pragma"
+    };
     for (const auto& [key, value] : custom_headers) {
-        if ("Range" != key && "Cache-Control" != key && "Pragma" != key) {
-            m_http_headers.append(key + ": " + value);
+        // Convert to lowercase for case-insensitive comparison
+        std::string lower_key = key;
+        std::transform(lower_key.begin(), lower_key.end(), lower_key.begin(), ::tolower);
+        
+        if (reserved_headers.end() == reserved_headers.find(lower_key)) {
+            // Filter out illegal header names and header values by regex
+            // Can contain alphanumeric characters (A-Z, a-z, 0-9), hyphens (`-`), and underscores (`_`)
+            std::regex header_name_pattern("^[A-Za-z0-9_-]+$");
+            // Must consist of printable ASCII characters (values between 0x20 and 0x7E)
+            std::regex header_value_pattern("^[\\x20-\\x7E]*$");
+            if (std::regex_match(key, header_name_pattern) && std::regex_match(value, header_value_pattern)) {
+                m_http_headers.append(key + ": " + value);
+            }
         }
     }
     if (false == m_http_headers.is_empty()) {
diff --git a/components/core/src/clp/CurlDownloadHandler.hpp b/components/core/src/clp/CurlDownloadHandler.hpp
@@ -54,6 +54,7 @@ class CurlDownloadHandler {
      * Doc: https://curl.se/libcurl/c/CURLOPT_CONNECTTIMEOUT.html
      * @param overall_timeout Maximum time that the transfer may take. Note that this includes
      * `connection_timeout`. Doc: https://curl.se/libcurl/c/CURLOPT_TIMEOUT.html
+     * @param custom_headers Custom request headers passed by users.
      */
     explicit CurlDownloadHandler(
             std::shared_ptr<ErrorMsgBuf> error_msg_buf,
diff --git a/components/core/src/clp/NetworkReader.hpp b/components/core/src/clp/NetworkReader.hpp
@@ -95,6 +95,7 @@ class NetworkReader : public ReaderInterface {
      * Doc: https://curl.se/libcurl/c/CURLOPT_CONNECTTIMEOUT.html
      * @param buffer_pool_size The required number of buffers in the buffer pool.
      * @param buffer_size The size of each buffer in the buffer pool.
+     * @param custom_headers Custom request headers passed by users.
      */
     explicit NetworkReader(
             std::string_view src_url,
@@ -244,6 +245,7 @@ class NetworkReader : public ReaderInterface {
          * @param reader
          * @param offset Index of the byte at which to start the download.
          * @param disable_caching Whether to disable caching.
+         * @param custom_headers Custom request headers passed by users.
          */
         DownloaderThread(NetworkReader& reader, 
                         size_t offset, 
diff --git a/components/core/tests/test-NetworkReader.cpp b/components/core/tests/test-NetworkReader.cpp
@@ -2,6 +2,7 @@
 #include <cstddef>
 #include <cstdint>
 #include <filesystem>
+#include <map>
 #include <memory>
 #include <string>
 #include <string_view>
@@ -188,3 +189,54 @@ TEST_CASE("network_reader_illegal_offset", "[NetworkReader]") {
     size_t pos{};
     REQUIRE((clp::ErrorCode_Failure == reader.try_get_pos(pos)));
 }
+
+TEST_CASE("network_reader_with_custom_headers", "[NetworkReader]") {
+    std::map<std::string, std::string> custom_headers = std::map<std::string, std::string>();
+    // We use httpbin (https://httpbin.org/) to test the custom headers. This request will return a
+    // JSON object that contains the custom headers. We check if the headers are in the response.
+    const int NR_HEADERS = 10;
+    for (int i = 0; i < NR_HEADERS; i++) {
+      std::string key = "Unit-Test-Key" + std::to_string(i);
+      std::string value = "Unit-Test-Value" + std::to_string(i);
+      custom_headers[key] = value;
+    }
+    // The following three headers are determined by offset and disable_cache, which should not be
+    // overrided by custom headers.
+    custom_headers["Range"] = "bytes=100-";
+    custom_headers["Cache-Control"] = "no-cache";
+    custom_headers["Pragma"] = "no-cache";
+    // Some illegal custom header names and values, which should not be added into headers
+    custom_headers["A Space"] = "xx";
+    custom_headers["A\nNewline"] = "xx";
+    custom_headers["An@At"] = "xx";
+    custom_headers["-Start-with-Non-Alphanumeric"] = "xx";
+    custom_headers["Legal-Name1"] = "newline\n";
+    custom_headers["Legal-Name2"] = "control-char\x01"; 
+    clp::NetworkReader reader{
+        "https://httpbin.org/headers",
+        0,
+        false,
+        clp::CurlDownloadHandler::cDefaultOverallTimeout,
+        clp::CurlDownloadHandler::cDefaultConnectionTimeout,
+        clp::NetworkReader::cDefaultBufferPoolSize,
+        clp::NetworkReader::cDefaultBufferSize,
+        custom_headers
+    };
+    auto const actual{get_content(reader)};
+    std::string actual_string(actual.begin(), actual.end());
+    REQUIRE(assert_curl_error_code(CURLE_OK, reader));
+    for (int i = 0; i < NR_HEADERS; i++) {
+        std::string field = "\"Unit-Test-Key" + std::to_string(i) + "\": \"Unit-Test-Value" 
+                          + std::to_string(i) + "\"";
+        REQUIRE(std::string::npos != actual_string.find(field));
+    }
+    REQUIRE(std::string::npos == actual_string.find("Range: bytes=100-"));
+    REQUIRE(std::string::npos == actual_string.find("Cache-Control: no-cache"));
+    REQUIRE(std::string::npos == actual_string.find("Pragma: no-cache"));
+    REQUIRE(std::string::npos == actual_string.find("A Space:"));
+    REQUIRE(std::string::npos == actual_string.find("A\nNewline:"));
+    REQUIRE(std::string::npos == actual_string.find("An@At:"));
+    REQUIRE(std::string::npos == actual_string.find("-Start-with-Non-Alphanumeric:"));
+    REQUIRE(std::string::npos == actual_string.find("Legal-Name1:"));
+    REQUIRE(std::string::npos == actual_string.find("Legal-Name2:"));
+}
