mirror of
https://github.com/oven-sh/bun
synced 2026-02-15 13:22:07 +00:00
## Summary

- Fixes HTTP response splitting vulnerability where `res.statusMessage` could contain CRLF characters that were written directly to the socket, allowing injection of arbitrary HTTP headers and response body
- Adds native-layer validation in `NodeHTTPResponse.zig` `writeHead()` to reject status messages containing control characters (matching Node.js's `checkInvalidHeaderChar` behavior)
- The `writeHead(code, msg)` API already validated via JS-side `checkInvalidHeaderChar`, but direct property assignment (`res.statusMessage = userInput`) followed by `res.end()` or `res.write()` bypassed all validation

## Test plan

- [x] Verified vulnerability is reproducible: attacker can inject `Set-Cookie` headers via `res.statusMessage = "OK\r\nSet-Cookie: admin=true"`
- [x] Verified fix throws `ERR_INVALID_CHAR` TypeError when CRLF is present in status message
- [x] Added 4 new tests covering: property assignment + `res.end()`, property assignment + `res.write()`, explicit `writeHead()` rejection, and valid status message passthrough
- [x] Tests fail with `USE_SYSTEM_BUN=1` (confirming they detect the vulnerability) and pass with `bun bd test`
- [x] Existing Node.js compat test `test-http-status-reason-invalid-chars.js` still passes
- [x] All 14 HTTP security tests pass
- [x] Full `node-http.test.ts` suite passes (77 pass, 1 pre-existing skip, 1 pre-existing proxy failure)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Bot <claude-bot@bun.sh>
Co-authored-by: Claude <noreply@anthropic.com>
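The check the commit describes, as an added illustration that is not Bun's Zig implementation and not Node.js source: a stand-alone JavaScript model of the status-message validation. The regular expression is the one Node.js's `checkInvalidHeaderChar` uses; the `validateStatusMessage`, `buildStatusLine` and `headerLines` functions, the error message text, and the `validate` option are assumptions made for this example. It runs the commit's own test-plan value through both the bypass path (raw value interpolated into the status line) and the fixed path (rejected with `ERR_INVALID_CHAR` before anything is written).

```javascript
// Added illustration (not Bun's Zig code, not Node's source): a JavaScript
// model of the status-message check the commit adds. The regex is the one
// Node.js's checkInvalidHeaderChar uses; everything else is assumed.

// Permit only HT (0x09), printable ASCII (0x20-0x7e) and 0x80-0xff.
// CR (0x0d) and LF (0x0a) are outside this set, so any CRLF is rejected,
// as are other control characters such as DEL (0x7f).
const headerCharRegex = /[^\t\x20-\x7e\x80-\xff]/;

function checkInvalidHeaderChar(val) {
  return headerCharRegex.test(String(val));
}

// Hypothetical validator producing the error shape the commit's tests check
// for: a TypeError carrying code ERR_INVALID_CHAR (message text is assumed).
function validateStatusMessage(msg) {
  if (checkInvalidHeaderChar(msg)) {
    const err = new TypeError('Invalid character in statusMessage');
    err.code = 'ERR_INVALID_CHAR';
    throw err;
  }
  return String(msg);
}

// Models the status line a server writes to the socket. With validate=false
// it behaves like the bypass path described in the commit (direct property
// assignment, then end()/write()): the raw value is interpolated as-is.
// With validate=true it behaves like the fixed writeHead(): reject first.
function buildStatusLine(code, statusMessage, { validate }) {
  const msg = validate ? validateStatusMessage(statusMessage) : String(statusMessage);
  return `HTTP/1.1 ${code} ${msg}\r\n`;
}

// Splits serialized header bytes into lines the way an HTTP/1.1 parser does,
// so the on-the-wire effect of an unvalidated CRLF can be inspected.
function headerLines(wire) {
  return wire.split('\r\n').filter((line) => line.length > 0);
}

// Constructed sample input: the status message from the commit's test plan.
const sample = 'OK\r\nSet-Cookie: admin=true';

function demo() {
  // Bypass path: one statusMessage value becomes two header lines on the wire.
  const vulnerable = headerLines(buildStatusLine(200, sample, { validate: false }));
  // Fixed path: the same value never reaches the socket.
  let rejected = null;
  try {
    buildStatusLine(200, sample, { validate: true });
  } catch (e) {
    rejected = e.code;
  }
  return { vulnerableLines: vulnerable, rejected };
}

console.log(demo());
// -> { vulnerableLines: ['HTTP/1.1 200 OK', 'Set-Cookie: admin=true'], rejected: 'ERR_INVALID_CHAR' }
```

The point the model makes is the one the commit fixes: the regex check is only protective if it sits on every path that serializes `statusMessage`, which is why the commit moves it into the native `writeHead()` rather than relying on the JS-side check that `res.statusMessage = ...` never went through.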