(headers: Record<string, string>)
| 37 | * are responsible for mapping to their own error types. |
| 38 | */ |
| 39 | export function validateCustomHeaders(headers: Record<string, string>): void { |
| 40 | if (!headers || typeof headers !== 'object') { |
| 41 | throw new Error('Invalid headers: expected an object') |
| 42 | } |
| 43 | |
| 44 | const entries = Object.entries(headers) |
| 45 | if (entries.length > MAX_HEADERS) { |
| 46 | throw new Error(`Invalid headers: too many entries (max ${MAX_HEADERS})`) |
| 47 | } |
| 48 | |
| 49 | for (const [key, value] of entries) { |
| 50 | if (typeof key !== 'string' || key.length === 0) { |
| 51 | throw new Error('Invalid header: key must be a non-empty string') |
| 52 | } |
| 53 | if (key.length > MAX_KEY_LENGTH) { |
| 54 | throw new Error(`Invalid header "${key}": key exceeds ${MAX_KEY_LENGTH} chars`) |
| 55 | } |
| 56 | if (!RFC7230_TOKEN.test(key)) { |
| 57 | throw new Error(`Invalid header "${key}": key contains illegal characters`) |
| 58 | } |
| 59 | |
| 60 | const lower = key.toLowerCase() |
| 61 | if (DENIED_HEADER_NAMES.has(lower) || DENIED_HEADER_PREFIXES.some((p) => lower.startsWith(p))) { |
| 62 | throw new Error(`Invalid header "${key}": this header name is not allowed`) |
| 63 | } |
| 64 | |
| 65 | if (typeof value !== 'string') { |
| 66 | throw new Error(`Invalid header "${key}": value must be a string`) |
| 67 | } |
| 68 | if (value.length > MAX_VALUE_LENGTH) { |
| 69 | throw new Error(`Invalid header "${key}": value exceeds ${MAX_VALUE_LENGTH} chars`) |
| 70 | } |
| 71 | for (let i = 0; i < value.length; i++) { |
| 72 | const code = value.charCodeAt(i) |
| 73 | if (code === 0x0d || code === 0x0a || (code < 0x20 && code !== 0x09)) { |
| 74 | throw new Error(`Invalid header "${key}": value contains illegal control characters`) |
| 75 | } |
| 76 | } |
| 77 | } |
| 78 | } |
| 79 | |
| 80 | /** |
| 81 | * Returns a copy of `headers` with credential-bearing entries (Authorization, Cookie, X-Api-Key, …) |
no test coverage detected