1. import re
  3. def sanitize_header(header_name, header_value):
  4. """
  5. Sanitizes a request header for sandbox usage.
  7. Args:
  8. header_name (str): The name of the header.
  9. header_value (str): The value of the header.
  11. Returns:
  12. tuple: A tuple containing the sanitized header name and value.
  13. Returns (None, None) if sanitization fails.
  14. """
  16. # Sanitize header names: remove invalid characters and limit length
  17. sanitized_name = re.sub(r'[^a-zA-Z0-9_-]', '', header_name)
  18. sanitized_name = sanitized_name[:64] # Limit header name length
  20. # Sanitize header values: remove potentially malicious characters
  21. sanitized_value = header_value.replace('\n', '').replace('\r', '').replace('\t', '')
  22. sanitized_value = re.sub(r'[<>;"\'\\/]', '', sanitized_value)
  23. sanitized_value = sanitized_value[:2048] # Limit header value length
  25. # Additional restrictions (example: no spaces)
  26. sanitized_value = sanitized_value.replace(' ', '')
  28. if not sanitized_name or not sanitized_value:
  29. return None, None # Return None, None if sanitization fails
  31. return sanitized_name, sanitized_value
  33. if __name__ == '__main__':
  34. # Example usage
  35. header_name = "User-Agent: My Very Malicious Header <script>alert('XSS')</script>"
  36. header_value = "Some data with newline\nand carriage return\r and tab\t"
  38. sanitized_name, sanitized_value = sanitize_header(header_name, header_value)
  40. if sanitized_name and sanitized_value:
  41. print(f"Sanitized Header Name: {sanitized_name}")
  42. print(f"Sanitized Header Value: {sanitized_value}")
  43. else:
  44. print("Sanitization failed.")

Add your comment