
supabase / storage / 23280721255

19 Mar 2026 05:05AM UTC coverage: 76.602% (+0.03%) from 76.571%
23280721255

Pull #921

github

web-flow
Merge bad6b0cae into 72a8f9b18
Pull Request #921: fix: validate response headers before sending, prevent invalid transform input

4078 of 5788 branches covered (70.46%)

Branch coverage included in aggregate %.

55 of 57 new or added lines in 5 files covered. (96.49%)

2 existing lines in 1 file now uncovered.

26964 of 34736 relevant lines covered (77.63%)

186.13 hits per line

Source File

95.24
/src/http/plugins/header-validator.ts
import { ERRORS } from '@internal/errors'
import { FastifyInstance, FastifyReply, FastifyRequest } from 'fastify'
import fastifyPlugin from 'fastify-plugin'

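/**
 * Matches any character that is not allowed in an HTTP header value
 * (RFC 7230 field-vchar specification).
 *
 * Valid: TAB (0x09), visible ASCII (0x20-0x7E), obs-text (0x80-0xFF).
 * Invalid: everything else. That covers control characters (0x00-0x1F except TAB,
 * so CR 0x0D and LF 0x0A are rejected), DEL (0x7F), and any UTF-16 code unit
 * above 0xFF, because the character class is negated.
 *
 * The pattern deliberately has no `g` or `y` flag: `test()` on a global or sticky
 * regex keeps `lastIndex` between calls, and a shared module-level instance would
 * then miss matches on later values.
 *
 * @see https://tools.ietf.org/html/rfc7230#section-3.2
 */
const INVALID_HEADER_CHAR_PATTERN = /[^\t\x20-\x7e\x80-\xff]/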

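/**
 * Validates response headers before they're sent to prevent ERR_INVALID_CHAR crashes.
 *
 * Node.js throws ERR_INVALID_CHAR during writeHead() if headers contain control characters.
 * This hook validates headers in onSend (before writeHead) and throws an InvalidHeaderChar
 * error for the first header value that matches INVALID_HEADER_CHAR_PATTERN.
 *
 * Multi-valued headers (string arrays) are checked element by element. A check limited to
 * plain strings would let an array entry containing a control character through to
 * writeHead(). Non-string values (numbers, undefined) are skipped.
 *
 * @throws the error built by ERRORS.InvalidHeaderChar(name, value) for the first offending value
 */
export const headerValidator = fastifyPlugin(
  async function headerValidatorPlugin(fastify: FastifyInstance) {
    fastify.addHook('onSend', async (_request: FastifyRequest, reply: FastifyReply, payload) => {
      for (const [key, value] of Object.entries(reply.getHeaders())) {
        // Normalise so single values and multi-valued headers take the same path.
        const candidates = Array.isArray(value) ? value : [value]

        for (const candidate of candidates) {
          if (typeof candidate === 'string' && INVALID_HEADER_CHAR_PATTERN.test(candidate)) {
            // NOTE(review): the raw offending value is handed to the error factory. Confirm it is
            // escaped or truncated before it is logged or echoed back, since it contains
            // control characters by definition.
            // NOTE(review): the header is not removed from the reply here. Confirm the error
            // path clears or replaces it before the error response is written.
            throw ERRORS.InvalidHeaderChar(key, candidate)
          }
        }
      }

      // The payload is passed through untouched; this hook only inspects headers.
      return payload
    })
  },
  { name: 'header-validator' }
)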