validate header syntax

Author: kyokuping

pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/commands/BaseOptions.kt

@@ -33,6 +33,7 @@ import org.pkl.commons.cli.CliException
 import org.pkl.commons.shlex
 import org.pkl.core.Pair as PPair
 import org.pkl.core.evaluatorSettings.Color
+import org.pkl.core.evaluatorSettings.PklEvaluatorSettings
 import org.pkl.core.evaluatorSettings.PklEvaluatorSettings.ExternalReader
 import org.pkl.core.runtime.VmUtils
 import org.pkl.core.util.IoUtils
@@ -293,11 +294,19 @@ class BaseOptions : OptionGroup() {
         try {
           val uri = URI(uriStr.trim())
 
+          val headerRegex = Regex("""^(.+?):[ \t]*(.+)$""")
           val headerPairs =
             headers.split(',').map { header ->
-              val headerParts = header.split(":", limit = 2)
-              require(headerParts.size == 2) { "Header '$header' is not in 'name:value' format. " }
-              PPair(headerParts[0], headerParts[1])
+              val (headerName, headerValue) =
+                headerRegex.find(header)?.destructured
+                  ?: fail("Header '$header' is not in 'name:value' format.")
+              require(PklEvaluatorSettings.HEADER_NAME_REGEX.matcher(headerName).matches()) {
+                "HTTP header name '$headerName' has invalid syntax."
+              }
+              require(PklEvaluatorSettings.HEADER_VALUE_REGEX.matcher(headerValue).matches()) {
+                "HTTP header value '$headerValue' has invalid syntax"
+              }
+              PPair(headerName, headerValue)
             }
           uri to headerPairs
         } catch (e: IllegalArgumentException) {

pkl-core/src/main/java/org/pkl/core/evaluatorSettings/PklEvaluatorSettings.java

@@ -53,6 +53,10 @@ public record PklEvaluatorSettings(
     @Nullable Map<String, ExternalReader> externalModuleReaders,
     @Nullable Map<String, ExternalReader> externalResourceReaders) {
 
+  public static final Pattern HEADER_NAME_REGEX = Pattern.compile("^[a-zA-Z0-9!#$%&'*+-.^_`|~]+$");
+  public static final Pattern HEADER_VALUE_REGEX =
+      Pattern.compile("^[\\t\\u0020-\\u007E\\u0080-\\u00FF]*$");
+
   /** Initializes a {@link PklEvaluatorSettings} from a raw object representation. */
   @SuppressWarnings("unchecked")
   public static PklEvaluatorSettings parse(
@@ -156,10 +160,20 @@ public record Http(
           parsedHeaders = new HashMap<>();
           var headersMap = (Map<String, List<Pair<String, String>>>) headers;
           for (var entry : headersMap.entrySet()) {
-            var key = entry.getKey();
-            var value = entry.getValue();
+            var uri = entry.getKey();
+            var pairs = entry.getValue();
+            for (var pair : pairs) {
+              if (!HEADER_NAME_REGEX.matcher(pair.getFirst()).matches()) {
+                throw new PklException(
+                  ErrorMessages.create("invalidHeaderName", pair.getFirst()));
+              }
+              if (!HEADER_VALUE_REGEX.matcher(pair.getSecond()).matches()) {
+                throw new PklException(
+                  ErrorMessages.create("invalidHeaderValue", pair.getSecond()));
+              } 
+            }
             try {
-              parsedHeaders.put(new URI(key), value);
+              parsedHeaders.put(new URI(uri), pairs);
             } catch (URISyntaxException e) {
               throw new PklException(ErrorMessages.create("invalidUri", e.getInput()));
             }

pkl-core/src/main/resources/org/pkl/core/errorMessages.properties

@@ -1070,3 +1070,9 @@ invalidStringBase64=\
 
 characterCodingException=\
 Invalid bytes for charset "{0}".
+
+invalidHeaderName=\
+HTTP header name `{0}` has invalid syntax.
+
+invalidHeaderValue=\
+HTTP header value `{0}` has invalid syntax.