• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

tomdesair / tus-java-server / 28939045472
95%

Build:
DEFAULT BRANCH: master
Ran 08 Jul 2026 11:29AM UTC
Jobs 1
Files 92
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

08 Jul 2026 11:27AM UTC coverage: 94.787% (-0.03%) from 94.813%
28939045472

push

github

web-flow
🛡️ Sentinel: [HIGH] Fix global CRLF injection in HTTP headers (#107)

* 🛡️ Sentinel: [HIGH] Fix global CRLF injection in HTTP headers

This commit introduces a robust, global defense against HTTP Response Splitting and CRLF Injection vulnerabilities.

Instead of patching individual endpoints and headers (such as Content-Disposition or Upload-Metadata) as they arise, `TusServletResponse.java` has been modified to intrinsically sanitize all outgoing header values by stripping carriage return (`\r`) and line feed (`\n`) characters before they are passed to the underlying HttpServletResponse wrapper.

The specialized `DownloadGetRequestHandlerCRLFTest.java` was removed and replaced with a broader `TusServletResponseCRLFTest.java` that covers `setHeader` and `addHeader` methods.
Additionally, `DownloadGetRequestHandler.java` was simplified slightly since the `TusServletResponse` now uniformly handles CRLF removal.

Co-authored-by: tomdesair <14034630+tomdesair@users.noreply.github.com>

* 🛡️ Sentinel: [HIGH] Fix global CRLF injection in HTTP headers

This commit introduces a robust, global defense against HTTP Response Splitting and CRLF Injection vulnerabilities.

Instead of patching individual endpoints and headers (such as Content-Disposition or Upload-Metadata) as they arise, `TusServletResponse.java` has been modified to intrinsically sanitize all outgoing header values by stripping carriage return (`\r`) and line feed (`\n`) characters before they are passed to the underlying HttpServletResponse wrapper.

The specialized `DownloadGetRequestHandlerCRLFTest.java` was removed and replaced with a broader `TusServletResponseCRLFTest.java` that covers `setHeader` and `addHeader` methods.
Additionally, `DownloadGetRequestHandler.java` was simplified slightly since the `TusServletResponse` now uniformly handles CRLF removal.

Co-authored-by: tomdesair <14034630+tomdesair@users.noreply.github.com>

---------

Co-authored-by: google-labs-jules[bot] <161369871+... (continued)

644 of 730 branches covered (88.22%)

Branch coverage included in aggregate %.

10 of 11 new or added lines in 2 files covered. (90.91%)

1847 of 1898 relevant lines covered (97.31%)

6.6 hits per line

Uncovered Changes

Lines Coverage ∆ File
1
95.12
-4.88% src/main/java/me/desair/tus/server/util/TusServletResponse.java
Jobs
ID Job ID Ran Files Coverage
1 28939045472.1 08 Jul 2026 11:29AM UTC 184
83.68
GitHub Action Run
Source Files on build 28939045472
  • Tree
  • List 92
  • Changed 47
  • Source Changed 2
  • Coverage Changed 47
Coverage ∆ File Lines Relevant Covered Missed Hits/Line Branch Hits Branch Misses
  • Back to Repo
  • Github Actions Build #28939045472
  • e32c2e5b on github
  • Prev Build on master (#28847039012)
  • Next Build on master (#29044436517)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc