Merge pull request #11 from Pet3cy/relax-header-validation-16962389466518057682

🧹 Relax overly restrictive HTTP header name validation
Pet3cy
2026-02-24 18:45:30 +01:00
committed by GitHub
2 changed files with 5 additions and 6 deletions


@@ -214,13 +214,11 @@ valid123: value5`
expect(result).toEqual({
'valid-header': 'value1',
invalid_underscore: 'value3',
valid123: 'value5',
})
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining('Skipping invalid header name: invalid header'))
expect(core.warning).toHaveBeenCalledWith(
expect.stringContaining('Skipping invalid header name: invalid_underscore'),
)
expect(core.warning).toHaveBeenCalledWith(expect.stringContaining('Skipping invalid header name: invalid@header'))
})
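Review bot: The fixture key `invalid_underscore` now names a header that the test expects to be accepted, which will mislead the next reader; renaming it (for example to `with_underscore`) would keep the test self-describing. Of the characters the commit newly permits, only the underscore is pinned here, so one accepted case using another tchar such as `.` or `~` would cover the rest of the widened class. A negative case for a delimiter that must stay rejected, such as `(` or `/`, alongside the existing space and `@` cases, would guard the boundary against a later over-relaxation of the pattern. The test body starts outside the hunk, so earlier lines may already cover part of this.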


@@ -121,9 +121,10 @@ function validateAndMaskHeaders(headers: Record<string, unknown>): Record<string
const sensitivePatterns = ['key', 'token', 'secret', 'password', 'authorization']
for (const [name, value] of Object.entries(headers)) {
// Validate header name (basic HTTP header name validation, RFC 7230: letters, digits, and hyphens)
if (!/^[A-Za-z0-9-]+$/.test(name)) {
core.warning(`Skipping invalid header name: ${name} (only alphanumeric characters and hyphens allowed)`)
// Validate header name (RFC 7230: token = 1*tchar)
// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) {
core.warning(`Skipping invalid header name: ${name} (contains invalid characters)`)
continue
}
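Review bot: The widened `test(name)` check now accepts underscore names, and although that is valid per the RFC token grammar, some servers and gateways drop underscore headers or fold `_` and `-` into the same variable (CGI-style environments), so `X_Api_Key` and `X-Api-Key` can be conflated downstream. I would record that next to the tchar comment, for example `// NOTE: RFC-valid names with "_" may be dropped or merged with their "-" form by some servers`. Because the name is matched against `sensitivePatterns` later in this function, it is also worth confirming that matching is case-insensitive and still catches names like `x_api_key`; that code is outside the hunk, so this is unverified. As a smaller point, the new message `(contains invalid characters)` no longer tells the user what is allowed; listing the permitted set, as the old message did, keeps the warning actionable.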