Security fixes (#2962)

* Fix possible desync caused by case-sensitive comparison for Transfer-Encoding header

* Add validation to prevent HTTP header injection attacks

Implement control character validation (CR, LF, NUL) in `HeaderField` setters to prevent HTTP header injection. Update constructors to use validated setters. Add comprehensive tests covering header value and name injection attempts.

* Add HEADER serialization to prevent HTTP header injection

Introduce `HEADER` serialization type that strips CR, LF, and NUL characters to prevent header injection attacks. Apply header encoding by default in `SetHeaderInterceptor` through `TemplateExchangeExpression`. Remove redundant error handling for IllegalArgumentException in `AbstractSetterInterceptor`.

* Rename HEADER serialization to HEADERVALUE and escape instead of strip control characters

Change `HEADER` to `HEADERVALUE` to better reflect its purpose for header values specifically. Update encoding behavior from stripping CR, LF, and NUL characters to escaping them as `\r`, `\n`, and `\0` respectively. Fix `isChunked()` to check all Transfer-Encoding values instead of only the first one.

* Refactor HeaderField to use centralized header value serialization

Move control character validation from `HeaderField` to `HEADERVALUE_SERIALIZATION` function for centralized header value encoding. Remove redundant `containsControlChar()` method and inline validation logic. Simplify `setValue()` to delegate sanitization to the serialization function.

* Reorder Serialization enum documentation to match declaration order

Move enum documentation entries to align with the declaration order in the code. Place JSON, XML, URL, TEXT, SEGMENT, and HEADERVALUE descriptions in sequence matching their enum definition.

* Change header injection tests from expecting exceptions to verifying escaped control characters

Update sanitization tests to verify that control characters (CR, LF, NUL) are escaped rather than rejected. Replace `assertThrows` assertions with `assertEquals` checks confirming values are sanitized with backslash escaping.

Author: t-burch

core/src/main/java/com/predic8/membrane/core/http/Header.java

@@ -318,7 +318,7 @@ public void setProxyAuthorization(String value) {
     }
 
     public boolean isChunked() {
-        return CHUNKED.equals(getFirstValue(TRANSFER_ENCODING));
+        return getSingleValues(TRANSFER_ENCODING).anyMatch(CHUNKED::equalsIgnoreCase);
     }
 
     public long getContentLength() {

core/src/main/java/com/predic8/membrane/core/http/HeaderField.java

@@ -15,21 +15,22 @@
 
 package com.predic8.membrane.core.http;
 
-import static com.predic8.membrane.annot.Constants.*;
+import static com.predic8.membrane.annot.Constants.CRLF;
+import static com.predic8.membrane.core.util.text.SerializationFunction.HEADERVALUE_SERIALIZATION;
 
 public class HeaderField {
 
 	private HeaderName headerName;
 	private String value;
 
 	public HeaderField(HeaderName headerName,String value) {
-		this.headerName = headerName;
-		this.value = value;
+		setHeaderName(headerName);
+		setValue(value);
 	}
 
 	public HeaderField(String line) {
-		headerName = new HeaderName(getName(line));
-		value = getValue(line);
+		setHeaderName(new HeaderName(getName(line)));
+		setValue(getValue(line));
 	}
 
 	private String getValue(String line) {
@@ -52,12 +53,14 @@ public HeaderField(HeaderField element) {
 	public String getValue() {
 		return value;
 	}
+
 	public void setValue(String value) {
-		this.value = value;
+		this.value = HEADERVALUE_SERIALIZATION.apply(value);
 	}
 	public HeaderName getHeaderName() {
 		return headerName;
 	}
+
 	public void setHeaderName(HeaderName headerName) {
 		this.headerName = headerName;
 	}
@@ -70,4 +73,4 @@ public String toString(){
 	public int estimateHeapSize() {
 		return 2*(4 + headerName.toString().length() + (value == null ? 0 : value.length()));
 	}
-}
+}

core/src/main/java/com/predic8/membrane/core/interceptor/lang/SetHeaderInterceptor.java

@@ -13,10 +13,12 @@
    limitations under the License. */
 package com.predic8.membrane.core.interceptor.lang;
 
-import com.predic8.membrane.annot.*;
-import com.predic8.membrane.core.exchange.*;
-import com.predic8.membrane.core.lang.*;
-import com.predic8.membrane.core.util.text.*;
+import com.predic8.membrane.annot.MCElement;
+import com.predic8.membrane.core.exchange.Exchange;
+import com.predic8.membrane.core.lang.ExchangeExpression;
+import com.predic8.membrane.core.lang.TemplateExchangeExpression;
+
+import static com.predic8.membrane.core.util.text.SerializationFunction.HEADERVALUE_SERIALIZATION;
 
 /**
  * @description Set HTTP header on the current message.
@@ -41,6 +43,11 @@ protected boolean shouldSetValue(Exchange exc, Flow flow) {
         return true;
     }
 
+    @Override
+    protected ExchangeExpression getExchangeExpression() {
+        return TemplateExchangeExpression.newInstance(this, language, expression, router, HEADERVALUE_SERIALIZATION);
+    }
+
     @Override
     protected void setValue(Exchange exc, Flow flow, Object value) {
         exc.getMessage(flow).getHeader().setValue(fieldName, value.toString());

core/src/main/java/com/predic8/membrane/core/util/text/SerializationFunction.java

@@ -30,5 +30,5 @@ public interface SerializationFunction extends Function<Object, String> {
     SerializationFunction TEXT_SERIALIZATION = ToTextSerializer::toText;
     SerializationFunction URL_SERIALIZATION = ToURLSerializer::toURL;
     SerializationFunction SEGMENT_SERIALIZATION = SerializationUtil::pathEncode;
-
+    SerializationFunction HEADERVALUE_SERIALIZATION = SerializationUtil::headerValueEncode;
 }

core/src/main/java/com/predic8/membrane/core/util/text/SerializationUtil.java

@@ -35,20 +35,22 @@ private SerializationUtil() {
      * <p/>
      * The strategies include:
      * <p/>
-     * - {@code URL}: Encodes strings for safe inclusion in a URL, replacing spaces and
-     * other special characters with their percent-encoded counterparts (e.g., SPACE -> +).
      * - {@code JSON}: Serializes s for safe inclusion in a JSON context.
      * - {@code XML}: Serializes for safe inclusion in an XML context using XML 1.1 rules.
-     * - {@code SEGMENT}: Encodes as safe URI path segments, ensuring they do not introduce
+     * - {@code URL}: Encodes strings for safe inclusion in a URL, replacing spaces and
+     * other special characters with their percent-encoded counterparts (e.g., SPACE -> +).
      * - {@code TEXT}: Serializes as plain text, without any encoding.
+     * - {@code SEGMENT}: Encodes as safe URI path segments, ensuring they do not introduce
      * path separators, query delimiters, or other unsafe characters, as per RFC 3986.
+     * - {@code HEADERVALUE}: Escapes CR, LF, and NUL to secure header values.
      */
     public enum Serialization {
+        JSON,
+        XML,
         TEXT,
         URL,
         SEGMENT,
-        JSON,
-        XML
+        HEADERVALUE
     }
 
     public static Optional<SerializationFunction> getSerialization(String mimeType) {
@@ -67,11 +69,12 @@ public static Optional<SerializationFunction> getSerialization(String mimeType)
 
     public static SerializationFunction getSerialization(Serialization serialization) {
         return switch (serialization) {
+            case JSON -> JSON_SERIALIZATION;
+            case XML -> XML_SERIALIZATION;
             case TEXT -> TEXT_SERIALIZATION;
             case URL -> URL_SERIALIZATION;
             case SEGMENT -> SEGMENT_SERIALIZATION;
-            case JSON -> JSON_SERIALIZATION;
-            case XML -> XML_SERIALIZATION;
+            case HEADERVALUE -> HEADERVALUE_SERIALIZATION;
         };
     }
 
@@ -135,4 +138,31 @@ public static String pathEncode(Object value) {
 
         return out.toString();
     }
+
+    /**
+     * Encodes the given value so it can be safely used as a header value
+     * by escaping characters that would enable HTTP header injection:
+     * CR becomes {@code \r}, LF becomes {@code \n}, and NUL becomes {@code \0}.
+     *
+     * @param value the value to encode; may be {@code null}
+     * @return a string with CR, LF, and NUL characters escaped; empty string if {@code value} is null
+     */
+    public static String headerValueEncode(Object value) {
+        if (value == null) return "";
+
+        String s = value.toString();
+        var out = new StringBuilder(s.length());
+
+        for (int i = 0; i < s.length(); i++) {
+            char c = s.charAt(i);
+            switch (c) {
+                case '\r' -> out.append("\\r");
+                case '\n' -> out.append("\\n");
+                case '\0' -> out.append("\\0");
+                default -> out.append(c);
+            }
+        }
+
+        return out.toString();
+    }
 }

core/src/test/java/com/predic8/membrane/core/http/HeaderTest.java

@@ -262,4 +262,29 @@ void unique() {
         assertEquals("1, 2", h.getValuesAsString("X-Foo"));
         assertEquals("3, 4", h.getValuesAsString("X-BAR"));
     }
+
+    @Test
+    void sanitization() {
+        Header h = new Header();
+
+        h.add("X-CRLF", "value\r\nInjected: evil");
+        h.add("X-CR", "value\rInjected: evil");
+        h.add("X-LF", "value\nInjected: evil");
+        h.add("X-NUL", "value\u0000Injected");
+        assertEquals("value\\r\\nInjected: evil", h.getFirstValue("X-CRLF"));
+        assertEquals("value\\rInjected: evil", h.getFirstValue("X-CR"));
+        assertEquals("value\\nInjected: evil", h.getFirstValue("X-LF"));
+        assertEquals("value\\0Injected", h.getFirstValue("X-NUL"));
+
+        h.add("X-Bar", "ok");
+        h.setValue("X-Bar", "evil\r\nInjected: x");
+        assertEquals("evil\\r\\nInjected: x", h.getFirstValue("X-Bar"));
+
+        HeaderField field = h.getAllHeaderFields()[0];
+        field.setValue("evil\r\nInjected: x");
+        assertEquals("evil\\r\\nInjected: x", field.getValue());
+
+        h.add("X-Normal", "regular value");
+        assertEquals("regular value", h.getFirstValue("X-Normal"));
+    }
 }

core/src/test/java/com/predic8/membrane/core/interceptor/lang/SetHeaderInterceptorSpELTest.java

@@ -147,6 +147,16 @@ void notIfAbsentCaseDiff() {
         assertEquals("42", getHeader("x-FoO"));
     }
 
+    @Test
+    @DisplayName("CR, LF, and NUL in interpolated values are escaped to prevent header injection")
+    void escapesControlCharsInInterpolation() {
+        exchange.setProperty("dirty", "evil\r\nInjected: yes\0end");
+        interceptor.setValue("${properties['dirty']}");
+        interceptor.init(router);
+        assertEquals(CONTINUE, interceptor.handleRequest(exchange));
+        assertEquals("evil\\r\\nInjected: yes\\0end", getHeader("x-bar"));
+    }
+
     @Test
     void failOnErrorTrue() {
         interceptor.setValue("42${wrong}");