downloader: limit headers sent to the client to some valid subset

fasthttp doesn't do complete filtering/escaping for us, thus filter here.
2021-04-29 23:46:38 +03:00 · 2021-04-29 23:46:38 +03:00 · 7a46917781
commit 7a46917781
parent 91c894cb8c
1 changed files with 25 additions and 0 deletions
--- a/downloader/download.go
+++ b/downloader/download.go
@ -63,6 +63,28 @@ func (d *detector) Write(data []byte) (int, error) {
 	return d.Writer.Write(data)
 }

+func isValidToken(s string) bool {
+	for _, c := range s {
+		if c <= ' ' || c > 127 {
+			return false
+		}
+		if strings.ContainsRune("()<>@,;:\\\"/[]?={}", c) {
+			return false
+		}
+	}
+	return true
+}
+
+func isValidValue(s string) bool {
+	for _, c := range s {
+		// HTTP specification allows for more technically, but we don't want to escape things.
+		if c < ' ' || c > 127 || c == '"' {
+			return false
+		}
+	}
+	return true
+}
+
 func (r *request) receiveFile(options *neofs.GetOptions) {
 	var (
 		err      error
@ -108,6 +130,9 @@ func (r *request) receiveFile(options *neofs.GetOptions) {
 	for _, attr := range obj.Attributes() {
 		key := attr.Key()
 		val := attr.Value()
+		if !isValidToken(key) || !isValidValue(val) {
+			continue
+		}
 		r.Response.Header.Set("x-"+key, val)
 		switch key {
 		case object.AttributeFileName: