fix: validate header before returning them (#717)

fenos · web-flow · commit 9b06abc3e65c · 2025-07-03T17:51:25.000+02:00
diff --git a/src/storage/protocols/s3/s3-handler.ts b/src/storage/protocols/s3/s3-handler.ts
@@ -1239,14 +1239,35 @@ export class S3ProtocolHandler {
   }
 }
 
+const MAX_HEADER_NAME_LENGTH = 1024 * 8 // 8KB, per RFC7230 §3.2.6
+const MAX_HEADER_VALUE_LENGTH = 1024 * 8 // 8KB, per RFC7230 §3.2.4
+
+// Allowed header‐name chars per RFC7230 §3.2.6 “token”
+// (note that the backtick ` is escaped)
+const HEADER_NAME_RE = /^[!#$%&'*+\-.\^_`|~0-9A-Za-z]+$/
+
+// Allowed header‐value chars per RFC7230 §3.2.4
+// (horizontal tab, space–tilde, and 0x80–0xFF)
+const HEADER_VALUE_RE = /^[\t\x20-\x7e\x80-\xff]+$/
+
+export function isValidHeader(name: string, value: string | string[]): boolean {
+  if (Buffer.from(name).byteLength < MAX_HEADER_NAME_LENGTH && !HEADER_NAME_RE.test(name)) {
+    return false
+  }
+  const values = Array.isArray(value) ? value : [value]
+  return values.every(
+    (v) => Buffer.from(v).byteLength <= MAX_HEADER_VALUE_LENGTH && HEADER_VALUE_RE.test(v)
+  )
+}
+
 function toAwsMeatadataHeaders(records: Record<string, any>) {
   const metadataHeaders: Record<string, any> = {}
   let missingCount = 0
 
   if (records) {
     Object.keys(records).forEach((key) => {
       const value = records[key]
-      if (value && isUSASCII(value)) {
+      if (value && isUSASCII(value) && isValidHeader(key, value)) {
         metadataHeaders['x-amz-meta-' + key.toLowerCase()] = value
       } else {
         missingCount++
diff --git a/src/test/s3-protocol.test.ts b/src/test/s3-protocol.test.ts
@@ -55,14 +55,21 @@ async function createBucket(client: S3Client, name?: string, publicRead = true)
   return bucketName
 }
 
-async function uploadFile(client: S3Client, bucketName: string, key: string, mb: number) {
+async function uploadFile(
+  client: S3Client,
+  bucketName: string,
+  key: string,
+  mb: number,
+  headers?: Record<string, any>
+) {
   const uploader = new Upload({
     client: client,
     params: {
       Bucket: bucketName,
       Key: key,
       ContentType: 'image/jpg',
       Body: Buffer.alloc(1024 * mb),
+      Metadata: headers,
     },
   })
 
@@ -175,6 +182,7 @@ describe('S3 Protocol', () => {
         expect(resp.$metadata.httpStatusCode).toBe(200)
         expect(resp.BucketRegion).toBe(storageS3Region)
       })
+
       it('will return bucket not found error', async () => {
         const headBucketRequest = new HeadBucketCommand({
           Bucket: 'dont-exist-bucket',
@@ -1399,6 +1407,24 @@ describe('S3 Protocol', () => {
         expect(resp.status).toBe(400)
       })
 
+      it('doesnt crash when invalid headers returned', async () => {
+        const bucket = await createBucket(client)
+        const key = 'test-1.jpg'
+        await uploadFile(client, bucket, key, 2, {
+          'invalid-header-r': Buffer.alloc(1024 * 9, 'a').toString(),
+        })
+
+        const headObj = new HeadObjectCommand({
+          Bucket: bucket,
+          Key: key,
+        })
+
+        const r = await client.send(headObj)
+
+        expect(r.$metadata.httpStatusCode).toBe(200)
+        expect(r.MissingMeta).toBe(1)
+      })
+
       it('can upload with presigned URL', async () => {
         const bucket = await createBucket(client)
         const key = 'test-1.jpg'
