fix: enforce Content-Type singleton guard in response.set() object form#1982
fix: enforce Content-Type singleton guard in response.set() object form#1982JSap0914 wants to merge 1 commit into
Conversation
When ctx.set(field, val) is called with field as an object, the Content-Type singleton validation introduced in koajs#1899 was bypassed. Setting ctx.set({ 'Content-Type': ['text/html', 'text/plain'] }) silently wrote an array value for Content-Type, violating the HTTP spec and circumventing the existing assert. Apply the same Array.isArray guard in the object-form branch, checking each header key case-insensitively. Closes koajs#1973
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe PR extends the 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Reviewer's GuideEnforces the existing Content-Type singleton guard for response.set() when using the object form and adds tests to ensure case-insensitive behavior. File-Level Changes
Assessment against linked issues
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #1982 +/- ##
=======================================
Coverage 99.90% 99.90%
=======================================
Files 9 9
Lines 2109 2114 +5
=======================================
+ Hits 2107 2112 +5
Misses 2 2 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Problem
PR #1899 added an assertion to prevent
Content-Typefrom being set to an array via the string form ofresponse.set():However, the same protection was missing in the object form:
Node.js allows
res.setHeaderto accept arrays, so this call succeeds and produces an invalid multi-valueContent-Typeheader, violating RFC 9110 (Content-Type is a singleton header).Fix
Apply the same
assert(!Array.isArray(val), …)check inside theelsebranch ofresponse.set(), keyed case-insensitively against each header name in the passed object.Testing
'Content-Type'and'content-type'(case-insensitive) key spellings in the object form.Closes #1973
Summary by Sourcery
Enforce Content-Type header singleton behavior when using the object form of response.set().
Bug Fixes:
Tests:
Summary by CodeRabbit
Tests
Bug Fixes