18969331103

Committed 31 Oct 2025 10:08AM UTC coverage: 47.403% (+0.03%) from 47.376%

Build # 18969331103

Build Type

push

github

Committed by

web-flow

Commit Message

Add HTTP header validation to prevent injection (#2411)

Add ValidateHTTPHeaderName and ValidateHTTPHeaderValue functions to the
validation package to prevent CRLF injection and other header-based
attacks. These functions use golang.org/x/net/http/httpguts for RFC 7230
compliant validation, matching Go's own HTTP/2 implementation.

The validation checks for:
- CRLF injection attempts (\r\n)
- Control characters (null bytes, etc.)
- RFC 7230 token compliance for header names
- Length limits (256 bytes for names, 8KB for values)

Run Details

22 of 22 new or added lines in 1 file covered. (100.0%)

5 existing lines in 2 files now uncovered.

20652 of 43567 relevant lines covered (47.4%)

22.19 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

81.62

/pkg/transport/proxy/httpsse/http_proxy.go

stacklok / toolhive / 18969331103

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous