Skip to content

πŸ›‘οΈ Sentinel: [HIGH] Fix CRLF injection in Content-Disposition header #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tomdesair wants to merge 2 commits into
base: master
Choose a base branch
from
Open

πŸ›‘οΈ Sentinel: [HIGH] Fix CRLF injection in Content-Disposition header #94

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
49b1a9d
πŸ›‘οΈ Sentinel: [HIGH] Fix CRLF injection in Content-Disposition header
google-labs-jules[bot] Jun 19, 2026
6a856b2
πŸ›‘οΈ Sentinel: [HIGH] Fix CRLF injection in Content-Disposition header
google-labs-jules[bot] Jun 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
## 2026-06-19 - [Fix CRLF injection in Content-Disposition header]
**Vulnerability:** A CRLF injection vulnerability was present in `DownloadGetRequestHandler.java` where the unsanitized `info.getFileName()` was passed to `String.format` to form the `Content-Disposition` header. An attacker could craft a malicious filename containing carriage returns, line feeds, and double quotes to inject arbitrary HTTP headers in the response.
**Learning:** Legacy HTTP header fields that accept unencoded strings, like the `filename="..."` attribute in `Content-Disposition`, are a common vector for HTTP response splitting/CRLF injection.
**Prevention:** Always sanitize untrusted input when constructing HTTP headers, especially when not using a built-in framework that automatically sanitizes them. For filenames in `Content-Disposition`, strip out `\r`, `\n`, and `"` from the unencoded parameter, and ensure the `filename*=` parameter uses proper URL encoding (e.g., `URLEncoder.encode`).
2 changes: 1 addition & 1 deletion src/main/java/me/desair/tus/server/download/DownloadGetRequestHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ public void process(
HttpHeader.CONTENT_DISPOSITION,
String.format(
CONTENT_DISPOSITION_FORMAT,
info.getFileName(),
info.getFileName().replaceAll("[\r\n\"]", ""),
URLEncoder.encode(info.getFileName(), StandardCharsets.UTF_8.toString())
.replace("+", "%20")));

Expand Down
67 changes: 67 additions & 0 deletions src/test/java/me/desair/tus/server/download/DownloadGetRequestHandlerSecurityTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
package me.desair.tus.server.download;

import static org.hamcrest.CoreMatchers.is;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

import java.util.Base64;
import me.desair.tus.server.HttpHeader;
import me.desair.tus.server.HttpMethod;
import me.desair.tus.server.upload.UploadId;
import me.desair.tus.server.upload.UploadInfo;
import me.desair.tus.server.upload.UploadStorageService;
import me.desair.tus.server.util.TusServletRequest;
import me.desair.tus.server.util.TusServletResponse;
import org.junit.Before;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

public class DownloadGetRequestHandlerSecurityTest {

private DownloadGetRequestHandler handler;
private MockHttpServletRequest servletRequest;
private MockHttpServletResponse servletResponse;
private TusServletRequest tusRequest;
private TusServletResponse tusResponse;
private UploadStorageService uploadStorageService;

@Before
public void setUp() {
handler = new DownloadGetRequestHandler();
servletRequest = new MockHttpServletRequest();
servletResponse = new MockHttpServletResponse();
tusRequest = new TusServletRequest(servletRequest);
tusResponse = new TusServletResponse(servletResponse);
uploadStorageService = mock(UploadStorageService.class);
}

@Test
public void testCrlfInjectionInFileName() throws Exception {
UploadInfo info = new UploadInfo();
info.setId(new UploadId("123"));
info.setLength(10L);
info.setOffset(10L); // finished
// filename: "test\r\nInjected: true.txt"
String maliciousFileName = "test\r\nInjected: true.txt\"";
String encodedMeta =
"filename " + Base64.getEncoder().encodeToString(maliciousFileName.getBytes());
info.setEncodedMetadata(encodedMeta);

when(uploadStorageService.getUploadInfo(anyString(), any())).thenReturn(info);

handler.process(HttpMethod.GET, tusRequest, tusResponse, uploadStorageService, null);

String contentDisposition = servletResponse.getHeader(HttpHeader.CONTENT_DISPOSITION);

// The filename parameter should not contain \r, \n, or "
assertThat(
contentDisposition,
is(
"attachment; filename=\"testInjected: true.txt\";"
+ " filename*=UTF-8''test%0D%0AInjected%3A%20true.txt%22"));
}
}
Loading