Strip CR, LF, and NUL bytes from a header value to prevent HTTP header injection (CRLF injection) via env var values or hook-configured header templates. A malicious env var like "token\r\nX-Evil: 1" would otherwise inject a second header into the request.
(value: string)
```ts
 * inject a second header into the request.
 */
function sanitizeHeaderValue(value: string): string {
  // eslint-disable-next-line no-control-regex
  return value.replace(/[\r\n\x00]/g, '')
}

/**
 * Interpolate $VAR_NAME and ${VAR_NAME} patterns in a string using process.env,
```
no outgoing calls
no test coverage detected
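The effect described in the doc comment, as an added example that is not part of the project's code: the value from the comment is expanded into a header template and written to the wire with and without the stripping rule. `expandTemplate`, `toWire`, `parsedHeaderNames`, `buildWire`, the `API_TOKEN` name and the `Bearer` template are hypothetical stand-ins, and the env map replaces `process.env` so the block runs offline.

```typescript
// Same stripping rule as the sanitizeHeaderValue function shown on the page.
function sanitizeHeaderValue(value: string): string {
  // eslint-disable-next-line no-control-regex
  return value.replace(/[\r\n\x00]/g, '')
}

// Hypothetical stand-in for the project's interpolation: expands ${NAME} only.
function expandTemplate(template: string, env: Record<string, string | undefined>): string {
  return template.replace(/\$\{(\w+)\}/g, (_m: string, name: string) => env[name] ?? '')
}

// Hypothetical: serialize headers the way a client with no validation of its own would.
function toWire(headers: Record<string, string>): string {
  return Object.keys(headers)
    .map((name) => `${name}: ${headers[name]}\r\n`)
    .join('')
}

// Hypothetical: header names a receiving parser would see, one per line.
// Splits on bare LF as well, since some parsers accept it as a line ending.
function parsedHeaderNames(wire: string): string[] {
  return wire
    .split(/\r?\n/)
    .filter((line) => line.length > 0)
    .map((line) => line.slice(0, line.indexOf(':')))
}

// Constructed sample input: the malicious value quoted in the doc comment.
const constructedEnv: Record<string, string | undefined> = {
  API_TOKEN: 'token\r\nX-Evil: 1',
}

// Sanitizing after expansion covers both the template text and the env value.
function buildWire(env: Record<string, string | undefined>, sanitize: boolean): string {
  const raw = expandTemplate('Bearer ${API_TOKEN}', env)
  return toWire({ Authorization: sanitize ? sanitizeHeaderValue(raw) : raw })
}

console.log(parsedHeaderNames(buildWire(constructedEnv, false)))
console.log(parsedHeaderNames(buildWire(constructedEnv, true)))
console.log(JSON.stringify(buildWire(constructedEnv, true)))
```

After stripping, the injected text stays fused into the single `Authorization` value, so the request carries one malformed credential rather than a second header.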