Add headers validation check to prevent crash (facebook#55749)

vzaidman · meta-codesync[bot] · commit 4ff1d2e7c428 · 2026-02-26T11:20:08.000-08:00
Summary: Pull Request resolved: facebook#55749 Add defensive checks when processing custom headers to ensure: 1. Header keys are valid NSString instances before using them 2. Header values are successfully converted before adding to the request This prevents potential crashes when invalid header data (non-string keys or values that fail conversion) is passed from JavaScript to the WebSocket module. Changelog: [Internal] Differential Revision: D94375533
diff --git a/packages/react-native/React/CoreModules/RCTWebSocketModule.mm b/packages/react-native/React/CoreModules/RCTWebSocketModule.mm
@@ -96,8 +96,38 @@ - (void)invalidate
   // Load supplied headers
   if ([options.headers() isKindOfClass:NSDictionary.class]) {
     NSDictionary *headers = (NSDictionary *)options.headers();
-    [headers enumerateKeysAndObjectsUsingBlock:^(NSString *key, id value, BOOL *stop) {
-      [request addValue:[RCTConvert NSString:value] forHTTPHeaderField:key];
+    [headers enumerateKeysAndObjectsUsingBlock:^(id key, id value, BOOL *stop) {
+      BOOL validKey = [key isKindOfClass:[NSString class]];
+      BOOL validValue = [value isKindOfClass:[NSString class]];
+
+      if (!validKey && !validValue) {
+        RCTLogError(
+            @"RCTWebSocketModule: Invalid header key and value types. "
+             "Expected NSString for both, got key of type %@ and value of type %@.",
+            NSStringFromClass([key class]),
+            NSStringFromClass([value class]));
+        return;
+      }
+
+      if (!validKey) {
+        RCTLogError(
+            @"RCTWebSocketModule: Invalid header key type for value '%@'. "
+             "Expected NSString, got %@.",
+            value,
+            NSStringFromClass([key class]));
+        return;
+      }
+
+      if (!validValue) {
+        RCTLogError(
+            @"RCTWebSocketModule: Invalid header value type for key '%@'. "
+             "Expected NSString, got %@.",
+            key,
+            NSStringFromClass([value class]));
+      }
+
+      NSString *headerValue = validValue ? [RCTConvert NSString:value] : @"";
+      [request addValue:headerValue forHTTPHeaderField:key];
     }];
   }
 
