supabase / storage / 27760253447

coverage: 60.005% (-18.2%) from 78.232%
27760253447

push

github

web-flow 
fix: limit for delete objects and sign urls (#1160)

Signed-off-by: ferhat elmas <elmas.ferhat@gmail.com>

3351 of 6375 branches covered (52.56%)

Branch coverage included in aggregate %.

25 of 31 new or added lines in 4 files covered. (80.65%)

2041 existing lines in 86 files now uncovered.

7151 of 11127 relevant lines covered (64.27%)

354.89 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

56.25
/src/http/plugins/header-validator.ts
1 
import { ERRORS } from '@internal/errors'
2 
import { FastifyInstance, FastifyReply, FastifyRequest } from 'fastify'
3 
import fastifyPlugin from 'fastify-plugin'
4 









5



/**










6



 * Matches invalid HTTP header characters per RFC 7230 field-vchar specification.










7



 * Valid: TAB (0x09), visible ASCII (0x20-0x7E), obs-text (0x80-0xFF).










8



 * Invalid: control characters (0x00-0x1F except TAB) and DEL (0x7F).










9



 * @see https://tools.ietf.org/html/rfc7230#section-3.2










10



 */










11



const INVALID_HEADER_CHAR_PATTERN = /[^\t\x20-\x7e\x80-\xff]/




28





12












13



interface HeaderValidatorOptions {










14



  excludeUrls?: string[]










15



}










16












17



/**










18



 * Validates response headers before they're sent to prevent ERR_INVALID_CHAR crashes.










19



 *










20



 * Node.js throws ERR_INVALID_CHAR during writeHead() if headers contain control characters.










21



 * This hook validates headers in onSend (before writeHead) and throws InvalidHeaderChar error










22



 */










23



export const headerValidator = (options: HeaderValidatorOptions = {}) =>





286





24



  fastifyPlugin(










25



    async function headerValidatorPlugin(fastify: FastifyInstance) {










26



      fastify.addHook('onSend', async (request: FastifyRequest, reply: FastifyReply, payload) => {




286





27



        if (options.excludeUrls?.includes(request.url.toLowerCase())) {





1,292!





28



          return payload




×







29



        }










30












31



        const headers = reply.getHeaders()




1,292





32



        for (const key in headers) {




1,292





33



          if (!Object.prototype.hasOwnProperty.call(headers, key)) {





1,508!





34



            continue




×







35



          }










36



          const value = headers[key]




1,508





37



          if (typeof value === 'string' && INVALID_HEADER_CHAR_PATTERN.test(value)) {





1,508!






UNCOV

38



            throw ERRORS.InvalidHeaderChar(key, value)




×







39



          } else if (Array.isArray(value)) {





1,508!






UNCOV

40



            for (const item of value) {




×








UNCOV

41



              if (typeof item === 'string' && INVALID_HEADER_CHAR_PATTERN.test(item)) {





×








UNCOV

42



                throw ERRORS.InvalidHeaderChar(key, item)




×







43



              }










44



            }










45



          }










46



        }










47












48



        return payload




1,292





49



      })










50



    },










51



    { name: 'header-validator' }










52



  )
























    

  • 

    •