Make header safe

Andras Schmelczer 2026-03-26 21:14:56 +00:00
parent 67d410b520
commit 3fe5f49050


@ -16,20 +16,31 @@ impl Header for DeviceIdHeader {
{ {
let value = values.next().ok_or_else(headers::Error::invalid)?; let value = values.next().ok_or_else(headers::Error::invalid)?;
Ok(DeviceIdHeader( let s = value.to_str().map_err(|_| headers::Error::invalid())?;
value
.to_str() if s.is_empty() || s.len() > 256 {
.map_err(|_| headers::Error::invalid())? return Err(headers::Error::invalid());
.to_owned(), }
))
// Only allow safe characters to prevent log injection and similar attacks.
// Covers UUIDs, user-agent strings like "vault-link/1.0 (12345; linux)",
// and human-readable device names.
if !s
.chars()
.all(|c| c.is_ascii_alphanumeric() || "-_./ ();:@+,".contains(c))
{
return Err(headers::Error::invalid());
}
Ok(DeviceIdHeader(s.to_owned()))
} }
fn encode<E>(&self, values: &mut E) fn encode<E>(&self, values: &mut E)
where where
E: Extend<HeaderValue>, E: Extend<HeaderValue>,
{ {
let value = HeaderValue::from_static(Box::leak(self.0.clone().into_boxed_str())); if let Ok(value) = HeaderValue::from_str(&self.0) {
values.extend(std::iter::once(value));
values.extend(std::iter::once(value)); }
} }
} }
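Review bot: The allow-list and the 256-byte limit are enforced only in `decode`, while the new `encode` silently emits no header when `HeaderValue::from_str(&self.0)` fails. If `DeviceIdHeader` can be built anywhere else with an arbitrary `String` (the tuple constructor is used directly here; the field's visibility is not shown in this hunk), such a value skips the check and the message goes out with no device id and no error. Consider moving the length and character test into a single validating constructor that `decode` calls, so the invariant holds for every instance. The silent drop should then be visible in `encode`, for example with `debug_assert!(false, "DeviceIdHeader holds a value that is not a valid HeaderValue")` in an `else` branch. Separately, `decode` reads only `values.next()`, so a request carrying the header twice is accepted on its first value; if duplicates should be refused, add `if values.next().is_some() { return Err(headers::Error::invalid()); }` after the first read. The `decode` signature lies outside the hunk, so this is based on the visible body only.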