From 3fe5f49050cba919cec10214b34c46c5ab2d7d9a Mon Sep 17 00:00:00 2001
From: Andras Schmelczer
Date: Thu, 26 Mar 2026 21:14:56 +0000
Subject: [PATCH] Make header safe
---
 sync-server/src/server/device_id_header.rs | 29 +++++++++++++++-------
 1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a/sync-server/src/server/device_id_header.rs b/sync-server/src/server/device_id_header.rs
index af9d6413..13bd17a8 100644
--- a/sync-server/src/server/device_id_header.rs
+++ b/sync-server/src/server/device_id_header.rs
@@ -16,20 +16,31 @@ impl Header for DeviceIdHeader {
 {
 let value = values.next().ok_or_else(headers::Error::invalid)?;
- Ok(DeviceIdHeader(
- value
- .to_str()
- .map_err(|_| headers::Error::invalid())?
- .to_owned(),
- ))
+ let s = value.to_str().map_err(|_| headers::Error::invalid())?;
+
+ if s.is_empty() || s.len() > 256 {
+ return Err(headers::Error::invalid());
+ }
+
+ // Only allow safe characters to prevent log injection and similar attacks.
+ // Covers UUIDs, user-agent strings like "vault-link/1.0 (12345; linux)",
+ // and human-readable device names.
+ if !s
+ .chars()
+ .all(|c| c.is_ascii_alphanumeric() || "-_./ ();:@+,".contains(c))
+ {
+ return Err(headers::Error::invalid());
+ }
+
+ Ok(DeviceIdHeader(s.to_owned()))
 }
 fn encode(&self, values: &mut E)
 where
 E: Extend,
 {
- let value = HeaderValue::from_static(Box::leak(self.0.clone().into_boxed_str()));
-
- values.extend(std::iter::once(value));
+ if let Ok(value) = HeaderValue::from_str(&self.0) {
+ values.extend(std::iter::once(value));
+ }
 }
 }
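Review bot: The length limit and character allow-list are enforced only inside `decode`, so a `DeviceIdHeader` built any other way (if the tuple field is reachable outside this module, which the hunk does not show) skips them. `encode` then either emits an unchecked value or, when `HeaderValue::from_str` fails, silently sends no header at all. Moving the check into one helper, for example `fn is_valid_device_id(s: &str) -> bool`, called by `decode` and by a validating constructor, would keep both paths in agreement, and a `debug_assert!` or log line on the failure path of `encode` would make a dropped header visible. Separately, `decode` still reads only `values.next()`, so a request carrying the header twice is accepted on its first value; adding `if values.next().is_some() { return Err(headers::Error::invalid()); }` after the first read would reject that ambiguity. The `256` and the punctuation string would read better as named constants, and note that `decode`'s signature sits above the hunk.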