mirror of
https://github.com/oven-sh/bun
synced 2026-02-15 21:32:05 +00:00
## Summary

- Fixes HTTP header injection vulnerability in S3 client where user-controlled options (`contentDisposition`, `contentEncoding`, `type`) were passed to HTTP headers without CRLF validation
- Adds input validation at the JS-to-Zig boundary in `src/s3/credentials.zig` that throws a `TypeError` if `\r` or `\n` characters are detected
- An attacker could previously inject arbitrary headers (e.g. `X-Amz-Security-Token`) by embedding `\r\n` in these string fields

## Test plan

- [x] Added `test/regression/issue/s3-header-injection.test.ts` with 6 tests:
  - CRLF in `contentDisposition` throws
  - CRLF in `contentEncoding` throws
  - CRLF in `type` (content-type) throws
  - Lone CR in `contentDisposition` throws
  - Lone LF in `contentDisposition` throws
  - Valid `contentDisposition` without CRLF still works correctly
- [x] Tests fail with `USE_SYSTEM_BUN=1` (confirming vulnerability exists in current release)
- [x] Tests pass with `bun bd test` (confirming fix works)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
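To make the header-splitting mechanism and the boundary check described in this commit concrete, here is a small added model in TypeScript. It is not Bun's S3 code: the option names match the commit, but `buildHeaderBlockUnchecked`, `assertNoCRLF`, `buildHeaderBlock` and `countHeaders` are hypothetical helpers, and the tainted sample value is constructed for the example.

```typescript
// Added example, not Bun's own code. Models the S3 option -> HTTP header path
// before and after the CR/LF check described in the commit message.

type S3Options = { contentDisposition?: string; contentEncoding?: string; type?: string };

// Maps the user-facing option names (from the commit) to the headers they become.
const HEADER_FOR: Record<keyof S3Options, string> = {
  contentDisposition: "Content-Disposition",
  contentEncoding: "Content-Encoding",
  type: "Content-Type",
};

// Pre-fix behaviour: option values are written straight into the header block,
// so a value containing "\r\n" ends up as an additional header line.
function buildHeaderBlockUnchecked(opts: S3Options): string {
  const lines: string[] = [];
  for (const key of Object.keys(HEADER_FOR) as (keyof S3Options)[]) {
    const value = opts[key];
    if (value !== undefined) lines.push(`${HEADER_FOR[key]}: ${value}`);
  }
  return lines.join("\r\n") + "\r\n";
}

// The kind of check the commit adds at the JS-to-Zig boundary: a single CR or LF
// anywhere in the value is enough to reject it with a TypeError.
function assertNoCRLF(option: string, value: string): void {
  if (value.includes("\r") || value.includes("\n")) {
    throw new TypeError(`${option} must not contain CR or LF characters`);
  }
}

// Post-fix behaviour: every option is validated before it becomes a header.
function buildHeaderBlock(opts: S3Options): string {
  for (const key of Object.keys(HEADER_FOR) as (keyof S3Options)[]) {
    const value = opts[key];
    if (value !== undefined) assertNoCRLF(key, value);
  }
  return buildHeaderBlockUnchecked(opts);
}

// Splits a header block into "Name: value" lines the way a receiving server
// would, so the effect of an embedded CRLF on the header count is visible.
function countHeaders(block: string): number {
  return block.split("\r\n").filter((line) => line.length > 0).length;
}
```

A regression test for this class of bug asserts three things: the unchecked path yields more header lines than options given, the checked path throws `TypeError` for CR, LF and CRLF alike, and a clean value still produces exactly one header.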