Add strict HTTP header validation to EvaluatorSettings

kyokuping · kyokuping · commit e8ea9f625878 · 2025-11-14T15:37:33.000+09:00
diff --git a/pkl-core/src/main/java/org/pkl/core/evaluatorSettings/PklEvaluatorSettings.java b/pkl-core/src/main/java/org/pkl/core/evaluatorSettings/PklEvaluatorSettings.java
@@ -167,13 +167,12 @@ public record Http(
             var pairs = entry.getValue();
             for (var pair : pairs) {
               if (!HEADER_NAME_REGEX.matcher(pair.getFirst()).matches()) {
-                throw new PklException(
-                  ErrorMessages.create("invalidHeaderName", pair.getFirst()));
+                throw new PklException(ErrorMessages.create("invalidHeaderName", pair.getFirst()));
               }
               if (!HEADER_VALUE_REGEX.matcher(pair.getSecond()).matches()) {
                 throw new PklException(
-                  ErrorMessages.create("invalidHeaderValue", pair.getSecond()));
-              } 
+                    ErrorMessages.create("invalidHeaderValue", pair.getSecond()));
+              }
             }
             try {
               parsedHeaders.put(new URI(uri), pairs);
diff --git a/stdlib/EvaluatorSettings.pkl b/stdlib/EvaluatorSettings.pkl
@@ -175,7 +175,7 @@ class Http {
   
   /// HTTP headers to add to outbound requests targeting specified URLs.
   @Since { version = "0.30.0" }
-  headers: Mapping<HttpPrefix, Listing<Pair<String, String>>>?
+  headers: Mapping<HttpPrefix, Mapping<HttpHeaderName, Listing<HttpHeaderValue>>>?
 }
 
 /// Settings that control how Pkl talks to HTTP proxies.
@@ -242,3 +242,55 @@ class ExternalReader {
   /// Additional command line arguments passed to the external reader process.
   arguments: Listing<String>?
 }
+
+typealias ReservedHttpHeaderName = 
+  "accept-charset"
+  | "accept-encoding"
+  | "access-control-request-headers"
+  | "access-control-request-method"
+  | "connection"
+  | "content-length"
+  | "cookie"
+  | "date"
+  | "dnt"
+  | "expect"
+  | "host"
+  | "keep-alive"
+  | "origin"
+  | "permissions-policy"
+  | "referer"
+  | "te"
+  | "trailer"
+  | "transfer-encoding"
+  | "upgrade"
+  | "via"
+
+const local ReservedHttpHeaderPrefix = new Listing {
+  "proxy-"
+  "sec-"
+  "access-control-"
+}
+
+const local hasReservedHttpHeaderPrefix = (header: String) ->
+  ReservedHttpHeaderPrefix.any((it) -> header.startsWith(it))
+ 
+const local httpHeaderNameRegex = Regex("^[a-zA-Z0-9!#\\$%&'*+-.^_`|~]+$")
+const local hasValidHttpHeaderName = (header: String) ->
+    httpHeaderNameRegex.findMatchesIn(header)
+
+@Since {version = "0.30.0" }
+typealias HttpHeaderName = String(
+  this == toLowerCase(),
+  !(this is ReservedHttpHeaderName),
+  !hasReservedHttpHeaderPrefix.apply(this),
+  hasValidHttpHeaderName
+)
+
+const local httpHeaderValueRegex = Regex("^[\\t\\u0020-\\u007E\\u0080-\\u00FF]*$")
+const local hasValidHttpHeaderValue = (value : String) ->
+    httpHeaderValueRegex.findMatchesIn(value)
+
+@Since {version = "0.30.0"}
+typealias HttpHeaderValue = String(
+  hasValidHttpHeaderValue
+)
