Hopiu/lychee
1
0
Fork 0
mirror of https://github.com/Hopiu/lychee.git synced 2026-05-01 02:14:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Don't echo potentially sensitive header data (#1728)

Browse source 
* Don't echo potentially sensitive header data
* Still show header name, for more user-friendliness
This commit is contained in:
Thomas Zahner 2025-06-12 17:08:15 +02:00 committed by GitHub
parent 469ccd0089
commit b46cb5c02e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 23 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
lychee-bin/src/options.rs
View file

@ -212,19 +212,24 @@ macro_rules! fold_in {
///
/// If the header contains multiple colons, the part after the first colon is
/// considered the value.
///
/// # Errors
///
/// This fails if the header does not contain exactly one `:` character or
/// if the header name contains non-ASCII characters.
fn parse_single_header(header: &str) -> Result<(HeaderName, HeaderValue)> {
let parts: Vec<&str> = header.splitn(2, ':').collect();
match parts.as_slice() {
[name, value] => {
let name = HeaderName::from_bytes(name.trim().as_bytes())
.map_err(|e| anyhow!("Invalid header name '{}': {}", name.trim(), e))?;
let value = HeaderValue::from_str(value.trim())
.map_err(|e| anyhow!("Invalid header value '{}': {}", value.trim(), e))?;
let name = HeaderName::from_str(name.trim())
.map_err(|e| anyhow!("Unable to convert header name '{}': {}", name.trim(), e))?;
let value = HeaderValue::from_str(value.trim()).map_err(|e| {
anyhow!("Unable to read value of header with name '{}': {}", name, e)
})?;
Ok((name, value))
}
_ => Err(anyhow!(
"Invalid header format. Expected colon-separated string in the format 'HeaderName: HeaderValue', got '{}'",
header
"Invalid header format. Expected colon-separated string in the format 'HeaderName: HeaderValue'"
)),
}
}
@ -870,6 +875,18 @@ mod tests {
);
}
#[test]
/// We should not reveal potentially sensitive data contained in the headers.
/// See: [#1297](https://github.com/lycheeverse/lychee/issues/1297)
fn test_does_not_echo_sensitive_data() {
let error = parse_single_header("My-Header💣: secret")
.expect_err("Should not allow unicode as key");
assert!(!error.to_string().contains("secret"));
let error = parse_single_header("secret").expect_err("Should fail when no `:` given");
assert!(!error.to_string().contains("secret"));
}
#[test]
fn test_header_parsing_and_merging() {
// Simulate commandline arguments with multiple headers