Skip to content

Validate injected header values in DiagnosticsHandler #117884

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 22, 2025
Merged

Validate injected header values in DiagnosticsHandler #117884

merged 2 commits into from
Jul 22, 2025

Conversation

@MihaZupan
Copy link
Member

@MihaZupan MihaZupan commented Jul 21, 2025

Fixes #116858

@MihaZupan MihaZupan added this to the 10.0.0 milestone Jul 21, 2025
@MihaZupan MihaZupan requested a review from a team July 21, 2025 14:18
@MihaZupan MihaZupan self-assigned this Jul 21, 2025
Copilot AI review requested due to automatic review settings July 21, 2025 14:18
Copilot AI reviewed Jul 21, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds validation for header values injected by the DiagnosticsHandler to prevent exceptions from malformed headers. The change ensures that invalid header names or values are properly validated and throw appropriate exceptions early in the request pipeline.

Key changes:

  • Enhanced header injection validation in DiagnosticsHandler to use validated header addition
  • Exposed internal HeaderDescriptor method for proper header validation
  • Added comprehensive test coverage for invalid header scenarios

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
DiagnosticsHandler.cs Modified header injection logic to validate headers using Add() instead of TryAddWithoutValidation()
HttpHeaders.cs Changed GetHeaderDescriptor method visibility from private to internal
DiagnosticsTests.cs Added test cases for invalid header name/value injection scenarios
Comments suppressed due to low confidence (1)

src/libraries/System.Net.Http/tests/FunctionalTests/DiagnosticsTests.cs:427

  • The TestAsync parameter appears to be undefined in this context. This should likely be 'testAsync' (lowercase) or the correct parameter name based on the test method signature.
                            Assert.DoesNotContain(tags, t => t.Key == "error.type");

@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jul 21, 2025

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

@MihaZupan MihaZupan enabled auto-merge (squash) July 21, 2025 15:46
This was referenced Jul 21, 2025
Open
Closed
Closed
@MihaZupan MihaZupan merged commit 822cb27 into dotnet:main Jul 22, 2025
81 of 87 checks passed
@build-analysis build-analysis bot mentioned this pull request Jul 22, 2025
Closed
@github-actions github-actions bot locked and limited conversation to collaborators Aug 22, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

Copilot code review Copilot Copilot left review comments

@ManickaP ManickaP ManickaP approved these changes

@rokonec rokonec rokonec approved these changes

Assignees

@MihaZupan MihaZupan

Labels

area-System.Net.Http

Projects

None yet

Milestone

10.0.0

Development

Successfully merging this pull request may close these issues.

DiagnosticsHandler is missing validation when injecting headers

3 participants

@MihaZupan @ManickaP @rokonec