Merge pull request #1179 from Stirling-Tools/pixeebot/drip-2024-05-07-pixee-java/strip-http-header-newlines

Introduced protections against HTTP header injection / smuggling attacks
2024-09-20 20:00:39 +02:00 · 2024-05-07 19:14:29 +01:00 · 2024-05-07 03:44:03 +00:00
1 changed files with 3 additions and 2 deletions
--- a/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java
+++ b/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java
@ -1,5 +1,6 @@
 package stirling.software.SPDF.config.security;

+import io.github.pixee.security.Newlines;
 import java.io.IOException;
 import java.time.Duration;
 import java.util.Map;
@ -125,12 +126,12 @@ public class UserBasedRateLimitingFilter extends OncePerRequestFilter {
        ConsumptionProbe probe = userBucket.tryConsumeAndReturnRemaining(1);

        if (probe.isConsumed()) {
-            response.setHeader("X-Rate-Limit-Remaining", Long.toString(probe.getRemainingTokens()));
+            response.setHeader("X-Rate-Limit-Remaining", Newlines.stripAll(Long.toString(probe.getRemainingTokens())));
            filterChain.doFilter(request, response);
        } else {
            long waitForRefill = probe.getNanosToWaitForRefill() / 1_000_000_000;
            response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
-            response.setHeader("X-Rate-Limit-Retry-After-Seconds", String.valueOf(waitForRefill));
+            response.setHeader("X-Rate-Limit-Retry-After-Seconds", Newlines.stripAll(String.valueOf(waitForRefill)));
            response.getWriter().write("Rate limit exceeded for POST requests.");
        }
    }
Author	SHA1	Message	Date
Anthony Stirling	be5d5fdf04	Merge pull request #1179 from Stirling-Tools/pixeebot/drip-2024-05-07-pixee-java/strip-http-header-newlines Introduced protections against HTTP header injection / smuggling attacks	2024-05-07 19:14:29 +01:00
pixeebot[bot]	503acc9408	Introduced protections against HTTP header injection / smuggling attacks	2024-05-07 03:44:03 +00:00