mirrors/bun.sh
1
0
Fork 0
mirror of https://github.com/oven-sh/bun synced 2026-02-16 22:01:47 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e8a5f233853abb2f743e799f5bf875b943ba5e18
bun.sh/src
History
robobun e8a5f23385 fix(s3): reject CRLF characters in header values to prevent header injection (#26942) 
## Summary

- Fixes HTTP header injection vulnerability in S3 client where
user-controlled options (`contentDisposition`, `contentEncoding`,
`type`) were passed to HTTP headers without CRLF validation
- Adds input validation at the JS-to-Zig boundary in
`src/s3/credentials.zig` that throws a `TypeError` if `\r` or `\n`
characters are detected
- An attacker could previously inject arbitrary headers (e.g.
`X-Amz-Security-Token`) by embedding `\r\n` in these string fields

## Test plan

- [x] Added `test/regression/issue/s3-header-injection.test.ts` with 6
tests:
  - CRLF in `contentDisposition` throws
  - CRLF in `contentEncoding` throws
  - CRLF in `type` (content-type) throws
  - Lone CR in `contentDisposition` throws
  - Lone LF in `contentDisposition` throws
  - Valid `contentDisposition` without CRLF still works correctly
- [x] Tests fail with `USE_SYSTEM_BUN=1` (confirming vulnerability
exists in current release)
- [x] Tests pass with `bun bd test` (confirming fix works)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
2026-02-11 23:02:39 -08:00
..
allocators
Revert "Mimalloc v3 update (#26379)" (#26783)
2026-02-06 18:05:17 -08:00
analytics
api
feat(md): Zig markdown parser with Bun.markdown API (#26440)
2026-01-28 20:24:02 -08:00
ast
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
async
feat: add Bun.Terminal API for pseudo-terminal (PTY) support (#25415)
2025-12-15 12:51:13 -08:00
bake
fix(bake): queue pending HMR scripts for reuse (#19736) (#23995)
2026-02-10 01:53:07 -08:00
base64
bun.js
perf(path): use pre-built Structure for path.parse() result objects (#26865)
2026-02-10 22:32:08 -08:00
bundler
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
cli
fix(test): write JUnit reporter outfile when --bail triggers early exit (#26852)
2026-02-11 17:41:45 -08:00
codegen
Revert "fix(bindgen): prevent use-after-free for optional string argu… (#26742)
2026-02-04 19:38:12 -08:00
collections
fix(bundler): fix out-of-bounds access in DynamicBitSetUnmanaged.bytes() (#26283)
2026-01-19 22:45:56 -08:00
create
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
css
fix(css): preserve logical border-radius properties (#26006)
2026-01-14 13:34:31 -08:00
deps
perf(event_loop): avoid eventfd wakeup for setImmediate on POSIX (#26821)
2026-02-09 04:47:52 -08:00
errno
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
fs
glob
fix: handle DT_UNKNOWN in dir_iterator for bind-mounted filesystems (#25838)
2026-01-22 13:44:49 -08:00
http
fix(websocket): forward URL credentials as Authorization header (#26278)
2026-01-19 17:04:44 -08:00
init
fix(init): resolve TypeScript errors in react-tailwind template build.ts (#26258)
2026-01-19 17:12:42 -08:00
install
fix(install): show dependency name when file: path resolution fails (#26340)
2026-01-21 18:41:15 -08:00
interchange
feat: add native JSON5 parser (Bun.JSON5) (#26439)
2026-01-26 10:52:35 -08:00
io
Use edge-triggered epoll for eventfd wakeups (#26815)
2026-02-09 00:36:30 -08:00
js
fix(crypto): correct method and constructor names mangled by number renamer (#26876)
2026-02-10 23:06:22 -08:00
js_lexer
libarchive
fix(libarchive): use normalized path in mkdiratZ to prevent directory traversal (#26956)
2026-02-11 22:47:41 -08:00
md
fix ci (#26703)
2026-02-03 22:18:40 -08:00
meta
napi
fix(napi): return napi_function for AsyncContextFrame in napi_typeof (#26511)
2026-01-27 13:35:15 -08:00
node-fallbacks
ENG-21534: Satisfy aikido (#24880)
2025-11-24 20:16:03 -08:00
paths
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
ptr
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
resolver
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
s3
fix(s3): reject CRLF characters in header values to prevent header injection (#26942)
2026-02-11 23:02:39 -08:00
safety
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
semver
remove jsc.createCallback (#24910)
2025-11-20 20:56:02 -08:00
shell
fix(shell): use-after-free in runFromJS when setupIOBeforeRun fails (#26920)
2026-02-11 17:51:10 -08:00
sourcemap
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
sql
fix(sql): use constant-time comparison for SCRAM server signature (#26937)
2026-02-11 22:45:47 -08:00
string
fix(stringWidth): correct width for Thai/Lao spacing vowels (#26728)
2026-02-05 17:31:15 -08:00
sys
fix(bindings): handle errors from String.toJS() for oversized strings (#26213)
2026-01-21 13:01:25 -08:00
test
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
threading
perf: shrink ConcurrentTask from 24 bytes to 16 bytes (#25636)
2025-12-22 12:07:24 -08:00
unicode/uucode
feat(unicode): migrate grapheme breaking to uucode with GB9c support (#26376)
2026-01-23 00:07:06 -08:00
valkey
fix(bindings): handle errors from String.toJS() for oversized strings (#26213)
2026-01-21 13:01:25 -08:00
vm
Upgrade WebKit Dec 24, 2025 (#25684)
2025-12-25 14:00:58 -08:00
watcher
fix(fs.watch): emit 'change' events for files in watched directories on Linux (#26009)
2026-01-14 16:46:20 -08:00
windows
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
.clang-format
AGENTS.md
allocators.zig
fix(http2): fix settings, window size handling, and dynamic header buffer allocation (#26119)
2026-01-22 14:35:18 -08:00
analytics.zig
Add analytics tracking for CPU profiling and heap snapshots (#25053)
2025-11-26 00:02:43 -08:00
analyze_transpiled_module.zig
esm bytecode (#26402)
2026-01-30 01:38:45 -08:00
asan-config.c
misc tidyings from another branch (#24406)
2025-11-05 15:28:28 -08:00
asan.zig
ast.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
bake.bind.ts
bake.zig
feat(ENG-21362): Environment Variables Store (#23930)
2025-10-23 23:08:08 -07:00
bits.zig
boringssl.zig
Harden TLS hostname verification (#25727)
2026-01-05 10:21:49 -08:00
brotli.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
btjs.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
bun.exe.manifest
bun.ico
bun.js.zig
add --cpu-prof-interval flag (#26620)
2026-01-31 16:59:03 -08:00
bun.zig
feat(md): Zig markdown parser with Bun.markdown API (#26440)
2026-01-28 20:24:02 -08:00
bunfig.zig
feat(test): add --retry flag and emit separate testcase entries for retries in JUnit XML (#26866)
2026-02-10 10:58:21 -08:00
c-headers-for-zig.h
cache.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
ci_info.zig
Update ci_info with more CI detection (#23708)
2025-11-10 19:58:02 -08:00
CLAUDE.md
Update CLAUDE.md
2026-01-07 12:33:21 -08:00
cli.zig
feat(test): add --retry flag and emit separate testcase entries for retries in JUnit XML (#26866)
2026-02-10 10:58:21 -08:00
collections.zig
compile_target.zig
feat(windows): Add Windows ARM64 support (#26215)
2026-01-22 04:22:45 -08:00
comptime_string_map.zig
feat(ENG-21324): Implement hosted_git_info.zig (#24138)
2025-10-29 19:29:04 -07:00
ConfigVersion.zig
add "configVersion" to bun.lock(b) (#24236)
2025-11-03 22:20:07 -08:00
copy_file.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
crash_handler.zig
[publish images] Upgrade LLVM toolchain from 19.1.7 to 21.1.8 (#26667)
2026-02-02 23:12:21 -08:00
csrf.zig
remove jsc.createCallback (#24910)
2025-11-20 20:56:02 -08:00
darwin.zig
defines-table.zig
defines.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
deprecated.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
dir.zig
dns.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
env_loader.zig
fix(proxy): respect NO_PROXY for explicit proxy options in fetch and ws (#26608)
2026-01-30 16:20:45 -08:00
env_var.zig
fix(compile): apply BUN_OPTIONS env var to standalone executables (#26346)
2026-01-23 00:24:18 -08:00
env.zig
feat(windows): Add Windows ARM64 support (#26215)
2026-01-22 04:22:45 -08:00
fallback-backend.html
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
fallback.html
fallback.ts
favicon.png
fd.zig
fix(bindings): handle errors from String.toJS() for oversized strings (#26213)
2026-01-21 13:01:25 -08:00
feature_flags.zig
feat(ENG-21362): Environment Variables Store (#23930)
2025-10-23 23:08:08 -07:00
fixtures_example.com.html
fmt.bind.ts
fmt.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
fs.zig
Revert "feat(bundler): add configurable CJS→ESM unwrapping via unwrapCJSToESM"
2026-02-08 19:49:26 -08:00
generated_perf_trace_events.zig
feat: add native JSON5 parser (Bun.JSON5) (#26439)
2026-01-26 10:52:35 -08:00
glob.zig
Global.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
handle_oom.zig
heap_breakdown.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
highway.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
hmac.zig
HTMLScanner.zig
http.zig
fix(http): check socket state before operations in doRedirect (#26221)
2026-01-18 13:19:30 -08:00
identity_context.zig
import_record.zig
feat(bundler): add metafile support matching esbuild format (#25842)
2026-01-07 22:46:51 -08:00
ini.zig
fix: dupe ca string in .npmrc to prevent use-after-free (#25563)
2025-12-17 19:56:25 -08:00
interchange.zig
feat: add native JSON5 parser (Bun.JSON5) (#26439)
2026-01-26 10:52:35 -08:00
js_lexer_tables.zig
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
js_lexer.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
js_parser.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
js_printer.zig
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
jsc_stub.zig
linear_fifo.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
linker.lds
linker.zig
perf: pack boolean flags and reorder fields to reduce struct padding (#25627)
2025-12-21 17:12:42 -08:00
linux.zig
feat(ENG-21362): Environment Variables Store (#23930)
2025-10-23 23:08:08 -07:00
logger.zig
perf: pack boolean flags and reorder fields to reduce struct padding (#25627)
2025-12-21 17:12:42 -08:00
logo.svg
macho.zig
fix(macho): only update signature size on ARM64 with codesigning enabled (#26175)
2026-01-16 14:18:48 -08:00
main_test.zig
fix(compile): apply BUN_OPTIONS env var to standalone executables (#26346)
2026-01-23 00:24:18 -08:00
main_wasm.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
main.zig
fix(compile): apply BUN_OPTIONS env var to standalone executables (#26346)
2026-01-23 00:24:18 -08:00
memory.zig
Port SocketConfig to bindings generator (#23755)
2025-10-18 18:14:01 -07:00
meta.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
node_fallbacks.zig
open.zig
options.zig
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
output.zig
fix(windows): use GetConsoleCP() instead of GetConsoleOutputCP() for input codepage (#25252)
2025-11-30 23:11:33 -08:00
OutputFile.zig
esm bytecode (#26402)
2026-01-30 01:38:45 -08:00
patch.zig
fix(bindings): handle errors from String.toJS() for oversized strings (#26213)
2026-01-21 13:01:25 -08:00
paths.zig
pe.zig
fix(compile): use 8-byte header for embedded section to ensure bytecode alignment (#25377)
2025-12-06 16:37:09 -08:00
perf.zig
Add fake timers for bun:test (#23764)
2025-12-01 21:59:11 -08:00
pool.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
Progress.zig
Fix progress showing kb for downloading packages instead of count (#24700)
2025-11-13 19:29:16 -08:00
ptr.zig
renamer.zig
fix(bundler): rename named function expressions when shadowing outer symbol (#26027)
2026-01-14 12:52:41 -08:00
result.zig
router.zig
zig: fix missing uses of bun.callmod_inline (#24738)
2025-11-15 16:36:15 -08:00
runtime.bun.js
runtime.js
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
runtime.zig
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
safety.zig
semver.zig
sha.zig
SignalCode.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
StandaloneModuleGraph.zig
fix(compile): use remaining buffer in standalone POSIX write loop (#26882)
2026-02-10 23:04:46 -08:00
StaticHashMap.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
string.zig
fix(bindings): handle errors from String.toJS() for oversized strings (#26213)
2026-01-21 13:01:25 -08:00
symbols.def
symbols.dyn
feat: implement V8 Value type checking APIs (#22462)
2025-12-15 19:50:11 -08:00
symbols.txt
feat: implement V8 Value type checking APIs (#22462)
2025-12-15 19:50:11 -08:00
sys_uv.zig
fix(windows): chunk large buffers in preadv/pwritev to avoid integer overflow (#26303)
2026-01-20 12:47:07 -08:00
sys.zig
fix(compile): seek to start of file before EXDEV cross-device copy (#26883)
2026-02-10 22:32:31 -08:00
system_timer.zig
threading.zig
tmp.zig
tracy.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
trait.zig
transpiler.zig
feat(transpiler): implement TC39 standard ES decorators lowering (#26436)
2026-02-09 22:03:54 -08:00
tsconfig.json
unit_test.zig
url.zig
fix(http): support proxy passwords longer than 4096 characters (#25530)
2025-12-15 13:21:41 -08:00
util.zig
walker_skippable.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
Watcher.zig
fix(fs.watch): emit 'change' events for files in watched directories on Linux (#26009)
2026-01-14 16:46:20 -08:00
which_npm_client.zig
which.zig
windows-app-info.rc
feat(windows): Add Windows ARM64 support (#26215)
2026-01-22 04:22:45 -08:00
windows.zig
fix(windows): use GetConsoleCP() instead of GetConsoleOutputCP() for input codepage (#25252)
2025-11-30 23:11:33 -08:00
work_pool.zig
workaround_missing_symbols.zig
Update to zig 0.15.2 (#24204)
2025-11-10 14:38:26 -08:00
wyhash.zig
zlib.test.gz
zlib.test.txt
zlib.zig
fix: memory leaks in error-handling code for Brotli, Zstd, and Zlib compression state machines (#25592)
2025-12-18 21:42:14 -08:00