
supabase / storage / 24474844911

15 Apr 2026 07:46PM UTC coverage: 79.064% (-3.4%) from 82.473%
24474844911

Pull #1024

github

web-flow
Merge 084bba3bd into 2e9e38312
Pull Request #1024: fix: use correct JSON Schema keyword in getSignedURLs response

3035 of 4026 branches covered (75.38%)

Branch coverage included in aggregate %.

1 of 1 new or added line in 1 file covered. (100.0%)

4301 existing lines in 99 files now uncovered.

30111 of 37897 relevant lines covered (79.45%)

311.78 hits per line

Source File

75.41
/src/http/plugins/header-validator.ts
import { ERRORS } from '@internal/errors'
import { FastifyInstance, FastifyReply, FastifyRequest } from 'fastify'
import fastifyPlugin from 'fastify-plugin'

/**
 * Matches the first character that is not allowed in an HTTP header value
 * (RFC 7230 field-vchar specification).
 *
 * The character class is negated, so it lists what is ACCEPTED:
 *   - TAB (0x09)
 *   - visible ASCII and space (0x20-0x7E)
 *   - obs-text (0x80-0xFF)
 *
 * Everything else matches and is therefore treated as invalid:
 *   - control characters 0x00-0x1F other than TAB, which includes CR and LF
 *   - DEL (0x7F)
 *   - any UTF-16 code unit above 0xFF (the pattern has no `u` flag)
 *
 * The pattern has neither the `g` nor the `y` flag, so `.test()` keeps no
 * `lastIndex` state between calls and the shared instance can be reused.
 *
 * @see https://tools.ietf.org/html/rfc7230#section-3.2
 */
const INVALID_HEADER_CHAR_PATTERN = /[^\t\x20-\x7e\x80-\xff]/

/**
 * Options accepted by the header validator plugin.
 */
interface HeaderValidatorOptions {
  /**
   * URLs for which header validation is skipped entirely.
   *
   * The hook compares each entry for exact equality against the lowercased
   * `request.url`, so entries must be written in lowercase to ever match.
   * NOTE(review): `request.url` presumably carries the query string as well,
   * in which case a request with query parameters will not match a bare path
   * entry and is still validated. Confirm against callers.
   *
   * Responses on an excluded URL get no check here, so keep the list to
   * routes whose response headers never carry externally supplied data.
   */
  excludeUrls?: string[]
}

/**
 * Builds a Fastify plugin that checks outgoing response header values in an
 * `onSend` hook, i.e. before the response head is written.
 *
 * Node.js throws ERR_INVALID_CHAR during writeHead() if a header value
 * contains a control character. Checking in `onSend` surfaces the problem as
 * an `ERRORS.InvalidHeaderChar` thrown from the hook instead.
 *
 * What the hook covers, as written:
 *   - only header values are tested; header names are not
 *   - string values and the string items of array values are tested; any
 *     other value type is skipped
 *   - a request whose lowercased `request.url` equals an `excludeUrls` entry
 *     bypasses the check
 *   - only headers present on the reply at the time this hook runs are seen
 *
 * @param options - optional settings; see `HeaderValidatorOptions`
 * @returns the plugin wrapped by `fastifyPlugin` under the name `header-validator`
 */
export const headerValidator = (options: HeaderValidatorOptions = {}) => {
  const register = async function headerValidatorPlugin(fastify: FastifyInstance) {
    fastify.addHook('onSend', async (request: FastifyRequest, reply: FastifyReply, payload) => {
      // Exact, lowercased match against the configured list; no prefix or pattern matching.
      const skipValidation = options.excludeUrls?.includes(request.url.toLowerCase())
      if (skipValidation) {
        return payload
      }

      for (const [name, value] of Object.entries(reply.getHeaders())) {
        // Treat a single value as a one-item list so both shapes share one check.
        const candidates = Array.isArray(value) ? value : [value]
        for (const candidate of candidates) {
          if (typeof candidate === 'string' && INVALID_HEADER_CHAR_PATTERN.test(candidate)) {
            // NOTE(review): the offending value is passed on unmodified, control
            // characters included. Confirm that ERRORS.InvalidHeaderChar escapes
            // or truncates it before it reaches logs or an error response body.
            throw ERRORS.InvalidHeaderChar(name, candidate)
          }
        }
      }

      // Validation never rewrites the payload; it is returned as received.
      return payload
    })
  }

  return fastifyPlugin(register, { name: 'header-validator' })
}