Skip to content

fix: update the implementation to rather parse out the values than throw#10687

Merged
jasonsaayman merged 3 commits intov1.xfrom
fix/update-header-injection-to-strip
Apr 11, 2026
Merged

fix: update the implementation to rather parse out the values than throw#10687
jasonsaayman merged 3 commits intov1.xfrom
fix/update-header-injection-to-strip

Conversation

@jasonsaayman
Copy link
Copy Markdown
Member

@jasonsaayman jasonsaayman commented Apr 10, 2026
edited by cubic-dev-ai Bot
Loading

Summary by cubic

Sanitizes request header values by stripping invalid bytes and trimming tabs/spaces instead of throwing, preventing header injection across browser and Node. Also hardens proxy bypass by treating localhost, 127.0.0.1, and ::1 as equivalent loopbacks in NO_PROXY matching.

Description

  • Replace validation with sanitization in AxiosHeaders; remove disallowed bytes, trim SP/HTAB, handle strings and arrays; no throws.
  • Prevent creation of new headers from injected content.
  • Harden shouldBypassProxy: treat localhost, 127.0.0.1, and ::1 as equivalent loopbacks in NO_PROXY matching.

Testing

  • Browser adapter: header '\tok\r\nInjected: yes ' becomes 'okInjected: yes'; no Injected header.
  • Node fetch and http adapters: echo servers confirm same sanitized value and no extra headers.
  • AxiosHeaders and shouldBypassProxy tests updated: expect sanitized string/array values; verify loopback equivalence across localhost/127.0.0.1/::1.

Written for commit 98799bf. Summary will update on new commits.

@jasonsaayman jasonsaayman self-assigned this Apr 10, 2026
@jasonsaayman jasonsaayman added commit::fix The PR is related to a bugfix priority::medium A medium priority labels Apr 10, 2026
github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 10, 2026
View reviewed changes
Comment thread lib/core/AxiosHeaders.js Fixed
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 5 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman merged commit 163da72 into v1.x Apr 11, 2026
26 checks passed
@jasonsaayman jasonsaayman deleted the fix/update-header-injection-to-strip branch April 11, 2026 08:31
@github-actions github-actions Bot mentioned this pull request Apr 11, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@jasonsaayman jasonsaayman

Labels

commit::fix The PR is related to a bugfix priority::medium A medium priority

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jasonsaayman @github-advanced-security