Browse Source
`format_sse_event()` interpolated the `event` and `id` fields into SSE wire-format bytes without stripping or rejecting newline characters. A `\n` or `\r\n` in either field injects an additional SSE field-line into the stream — enabling event-type spoofing and fabricated data payloads in browser EventSource clients. The `data` and `comment` fields were already protected via `splitlines()`; the omission for `event` and `id` was an inconsistency, not a design decision. The identical bug class was fixed in Hono (GHSA-p6xx-57qc-3wxr). Changes: - Add `_check_event_no_newline()` validator and apply it to `ServerSentEvent.event` via `AfterValidator` - Extend `_check_id_no_null()` to also reject `\n` and `\r` - Strip `\r`/`\n` in `format_sse_event()` for `event` and `id` as defense-in-depth (low-level function, bypasses model validators) - Add 7 regression tests covering LF/CR rejection in both the model and the low-level formatting function Severity: Medium (client-side injection; server unaffected) CWE: CWE-116 — Improper Encoding for Output in a Different Plaintext Context OWASP: A03:2021 — Injection Prior art: Hono GHSA-p6xx-57qc-3wxr (same class, same fix pattern)pull/15187/head
2 changed files with 70 additions and 4 deletions
Loading…
Reference in new issue