Skip to content

security: mitigate cross-origin credential leaks, prevent CRLF header injection, and disable XML DTD processing#2170

Open
insaf021 wants to merge 2 commits into
googleapis:mainfrom
insaf021:security/harden-http-security-credential-crlf-xxe
Open

security: mitigate cross-origin credential leaks, prevent CRLF header injection, and disable XML DTD processing#2170
insaf021 wants to merge 2 commits into
googleapis:mainfrom
insaf021:security/harden-http-security-credential-crlf-xxe

Conversation

@insaf021

@insaf021 insaf021 commented Jul 4, 2026

Copy link
Copy Markdown

This PR implements security hardening improvements in the google-http-java-client library to strengthen credential handling across redirects, improve HTTP header validation, and harden XML parsing.

When handling redirects, the original request origin is recorded and compared against the redirected request. If a redirect targets a different origin (scheme, host, or port), sensitive headers such as Authorization and Cookie are removed after execution interceptors run, preventing credentials from being forwarded to cross-origin destinations while preserving existing behavior for same-origin redirects. Unit tests have been added to verify both same-origin and cross-origin redirect behavior.

This PR also adds validation in HttpHeaders#addHeader to reject header names and serialized header values containing carriage return (\r) or line feed (\n) characters by throwing an IllegalArgumentException. Corresponding tests verify that invalid headers are rejected while valid headers continue to serialize correctly.

Additionally, Xml#createParser() now disables DTD processing using XmlPullParser.FEATURE_PROCESS_DOCDECL where supported by the parser implementation, with a graceful fallback for implementations that do not support the feature. Tests have been added to verify that XML documents containing DTD declarations do not process external entities while maintaining normal XML parsing behavior.

The implementation has been validated by running the relevant unit tests. HttpRequestTest, HttpHeadersTest, and XmlTest all pass successfully, with no test failures or errors.

@insaf021 insaf021 requested a review from a team as a code owner July 4, 2026 05:38
@product-auto-label product-auto-label Bot added the size: l Pull request size is large. label Jul 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size: l Pull request size is large.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant