
fix: strip crlf correctly from multipart headers #10758

Merged
jasonsaayman merged 2 commits into v1.x from fix/axi-199-crlf-injection-in-multipartform-data-body-via-unsanitized
Apr 19, 2026

Conversation

@jasonsaayman (Member) commented Apr 19, 2026

Summary by cubic

Sanitizes multipart headers by stripping CR and LF from Blob.type to prevent header injection in formDataToStream. Adds tests to confirm no injection, correct defaults, and stable Content-Length.

Description

  • Strip all CR/LF characters from Content-Type derived from Blob.type.
  • Keep valid media types intact; default to application/octet-stream when missing.
  • Ensure filenames in Content-Disposition are percent-encoded and safe.
  • Synced with v1.x; no functional changes.

Docs

  • Add a security note in /docs/ for formDataToStream stating:
    • Blob.type is sanitized to remove CR/LF.
    • Filenames in Content-Disposition are percent-encoded.
    • No API changes; behavior is transparent.

Testing

  • Added unit tests for:
    • Blocking CRLF header injection via Blob.type (incl. bare CR or LF).
    • Preserving legitimate Content-Type values.
    • Defaulting to application/octet-stream.
    • Safe filename handling in Content-Disposition.
    • Accurate Content-Length accounting.
  • No additional tests needed.

Semantic version impact

Patch release: security bug fix with no API changes.

Written for commit 59f848c. Summary will update on new commits.
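The sanitisation the description lists (CR/LF stripped from `Blob.type`, `application/octet-stream` as the default, percent-encoded names in `Content-Disposition`, and a `Content-Length` computed from the sanitised header bytes) as an added example. This is not axios's own `formDataToStream` code; the function names, the Blob-like object shape and the sample input are this example's assumptions.

```javascript
// Added example (not axios's own code): building one multipart/form-data part
// header so that CR/LF carried in Blob.type or in a filename cannot start a
// new header line. Helper names and the Blob-like shape are assumptions.
const CRLF = '\r\n';

// Percent-encode the characters that would terminate a quoted parameter
// value or a header line inside Content-Disposition.
function escapeName(str) {
  return String(str).replace(/[\r\n"]/g, (ch) => ({
    '\r': '%0D',
    '\n': '%0A',
    '"': '%22',
  })[ch]);
}

// Blob.type is caller-controlled, so every CR and LF (bare or paired) is
// removed before the value is placed on a header line; an empty or
// whitespace-only type falls back to application/octet-stream.
function sanitizeContentType(type) {
  const cleaned = String(type ?? '').replace(/[\r\n]/g, '').trim();
  return cleaned || 'application/octet-stream';
}

// Header block for one part. `part` is a minimal Blob-like object:
// { type, name (optional), size }.
function buildPartHeaders(fieldName, part) {
  let headers = `Content-Disposition: form-data; name="${escapeName(fieldName)}"`;
  if (part.name) {
    headers += `; filename="${escapeName(part.name)}"`;
  }
  headers += CRLF;
  headers += `Content-Type: ${sanitizeContentType(part.type)}${CRLF}`;
  return headers + CRLF; // blank line terminates the header block
}

// Bytes the part occupies on the wire: header bytes + body bytes + trailing
// CRLF. Measuring the sanitised header string means a Content-Length derived
// from this matches what is actually written.
function partSize(fieldName, part) {
  const headerBytes = Buffer.byteLength(buildPartHeaders(fieldName, part), 'utf8');
  return headerBytes + part.size + Buffer.byteLength(CRLF);
}

// Number of header lines before the blank line; a sanitised part always has
// exactly two (Content-Disposition and Content-Type).
function headerLineCount(headers) {
  const end = headers.indexOf(CRLF + CRLF);
  return headers.slice(0, end).split(CRLF).length;
}

// Constructed sample input: a Blob-like value whose type and name both carry
// an embedded CRLF, the case the PR's tests cover.
const hostileBlob = {
  type: 'text/plain\r\nX-Injected: yes',
  name: 'report\r\n.txt',
  size: 5,
};

const headers = buildPartHeaders('file', hostileBlob);
console.log(JSON.stringify(headers));
console.log('header lines:', headerLineCount(headers));
console.log('part size:', partSize('file', hostileBlob));
```

Run with `node`; the printed header block shows the CRLF inside the type collapsed onto the single `Content-Type` line and the filename's CRLF rendered as `%0D%0A`, so the line count stays at two regardless of what the caller put in `Blob.type`.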

@jasonsaayman jasonsaayman self-assigned this Apr 19, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::fix The PR is related to a bugfix type::security The PR is a security related change normally from a CVE labels Apr 19, 2026
@cubic-dev-ai (Contributor, bot) left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman changed the title from "fix: strip crlf correctly" to "fix: strip crlf correctly from multipart headers" Apr 19, 2026
@jasonsaayman jasonsaayman merged commit 7587327 into v1.x Apr 19, 2026
25 checks passed
@jasonsaayman jasonsaayman deleted the fix/axi-199-crlf-injection-in-multipartform-data-body-via-unsanitized branch April 19, 2026 13:32