fix: sanitize mime_type and filename to prevent HTTP header injection in resumable upload

Sanitize user-supplied mime_type and filename values before they are
interpolated into HTTP request headers in prepare_resumable_upload().

CR and LF characters in these values are stripped to prevent potential
HTTP header injection. Added a _sanitize_header_value() helper that
is applied to both the X-Goog-Upload-Header-Content-Type and
X-Goog-Upload-File-Name headers.

Author: uchia6861-tech

google/genai/_extra_utils.py

@@ -52,6 +52,11 @@
     McpClientSession = None
     McpTool = None
 
+def _sanitize_header_value(value: str) -> str:
+  """Strips CR and LF characters to prevent HTTP header injection."""
+  return value.replace('\r', '').replace('\n', '')
+
+
 _DEFAULT_MAX_REMOTE_CALLS_AFC = 10
 
 logger = logging.getLogger('google_genai.models')
@@ -659,7 +664,7 @@ def prepare_resumable_upload(
         'X-Goog-Upload-Protocol': 'resumable',
         'X-Goog-Upload-Command': 'start',
         'X-Goog-Upload-Header-Content-Length': f'{size_bytes}',
-        'X-Goog-Upload-Header-Content-Type': f'{mime_type}',
+        'X-Goog-Upload-Header-Content-Type': _sanitize_header_value(mime_type),
     }
   else:
     http_options = types.HttpOptions(
@@ -669,11 +674,11 @@ def prepare_resumable_upload(
             'X-Goog-Upload-Protocol': 'resumable',
             'X-Goog-Upload-Command': 'start',
             'X-Goog-Upload-Header-Content-Length': f'{size_bytes}',
-            'X-Goog-Upload-Header-Content-Type': f'{mime_type}',
+            'X-Goog-Upload-Header-Content-Type': _sanitize_header_value(mime_type),
         },
     )
   if isinstance(file, (str, os.PathLike)):
     if http_options.headers is None:
         http_options.headers = {}
-    http_options.headers['X-Goog-Upload-File-Name'] = os.path.basename(file)
+    http_options.headers['X-Goog-Upload-File-Name'] = _sanitize_header_value(os.path.basename(str(file)))
   return http_options, size_bytes, mime_type