bun.sh

mirrors/bun.sh

Fork 0

mirror of https://github.com/oven-sh/bun synced 2026-02-10 02:48:50 +00:00

Commit Graph

Author	SHA1	Message	Date
robobun	ee7608f7cf	feat: support overriding Host, Sec-WebSocket-Key, and Sec-WebSocket-Protocol headers in WebSocket client (#22545 ) ## Summary Adds support for overriding special WebSocket headers (`Host`, `Sec-WebSocket-Key`, and `Sec-WebSocket-Protocol`) via the headers option when creating a WebSocket connection. ## Changes - Modified `WebSocketUpgradeClient.zig` to check for and use user-provided special headers - Added header value validation to prevent CRLF injection attacks - Updated the NonUTF8Headers struct to automatically filter duplicate headers - When a custom `Sec-WebSocket-Protocol` header is provided, it properly updates the subprotocols list for validation ## Implementation Details The implementation adds minimal code by: 1. Using the existing `NonUTF8Headers` struct's methods to find valid header overrides 2. Automatically filtering out WebSocket-specific headers in the format method to prevent duplication 3. Maintaining a single, clean code path in `buildRequestBody()` ## Testing Added comprehensive tests in `websocket-custom-headers.test.ts` that verify: - Custom Host header support - Custom Sec-WebSocket-Key header support - Custom Sec-WebSocket-Protocol header support - Header override behavior when both protocols array and header are provided - CRLF injection prevention - Protection of system headers (Connection, Upgrade, etc.) - Support for additional custom headers All existing WebSocket tests continue to pass, ensuring backward compatibility. ## Security The implementation includes validation to: - Reject header values with control characters (preventing CRLF injection) - Prevent users from overriding critical system headers like Connection and Upgrade - Validate header values according to RFC 7230 specifications ## Use Cases This feature enables: - Testing WebSocket servers with specific header requirements - Connecting through proxies that require custom Host headers - Implementing custom WebSocket subprotocol negotiation - Debugging WebSocket connections with specific keys Fixes #[issue_number] --------- Co-authored-by: Claude Bot <claude-bot@bun.sh> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>	2025-09-11 19:36:01 -07:00

Author

SHA1

Message

Date

robobun

ee7608f7cf

feat: support overriding Host, Sec-WebSocket-Key, and Sec-WebSocket-Protocol headers in WebSocket client (#22545 )

## Summary

Adds support for overriding special WebSocket headers (`Host`,
`Sec-WebSocket-Key`, and `Sec-WebSocket-Protocol`) via the headers
option when creating a WebSocket connection.

## Changes

- Modified `WebSocketUpgradeClient.zig` to check for and use
user-provided special headers
- Added header value validation to prevent CRLF injection attacks
- Updated the NonUTF8Headers struct to automatically filter duplicate
headers
- When a custom `Sec-WebSocket-Protocol` header is provided, it properly
updates the subprotocols list for validation

## Implementation Details

The implementation adds minimal code by:
1. Using the existing `NonUTF8Headers` struct's methods to find valid
header overrides
2. Automatically filtering out WebSocket-specific headers in the format
method to prevent duplication
3. Maintaining a single, clean code path in `buildRequestBody()`

## Testing

Added comprehensive tests in `websocket-custom-headers.test.ts` that
verify:
- Custom Host header support
- Custom Sec-WebSocket-Key header support  
- Custom Sec-WebSocket-Protocol header support
- Header override behavior when both protocols array and header are
provided
- CRLF injection prevention
- Protection of system headers (Connection, Upgrade, etc.)
- Support for additional custom headers

All existing WebSocket tests continue to pass, ensuring backward
compatibility.

## Security

The implementation includes validation to:
- Reject header values with control characters (preventing CRLF
injection)
- Prevent users from overriding critical system headers like Connection
and Upgrade
- Validate header values according to RFC 7230 specifications

## Use Cases

This feature enables:
- Testing WebSocket servers with specific header requirements
- Connecting through proxies that require custom Host headers
- Implementing custom WebSocket subprotocol negotiation
- Debugging WebSocket connections with specific keys

Fixes #[issue_number]

---------

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

2025-09-11 19:36:01 -07:00

1 Commits