pixee · pixeebot-test · Jul 21, 2024
diff --git a/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java b/src/main/java/com/acme/headerinjection/HeaderInjectionVuln.java
@@ -1,5 +1,6 @@
 package com.acme.headerinjection;
 
+import io.github.pixee.security.Newlines;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.QueryParam;
@@ -11,7 +12,7 @@ public class HeaderInjectionVuln {
 
     @GET
     public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
-        response.setHeader("X-Last-Search", q);
+        response.setHeader("X-Last-Search", Newlines.stripAll(q));
         return "ok";
     }
 }
diff --git a/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java b/src/main/java/com/acme/headerinjection/HeaderInjectionVulnFixed.java
@@ -1,5 +1,6 @@
 package com.acme.headerinjection;
 
+import io.github.pixee.security.Newlines;
 import jakarta.ws.rs.GET;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.QueryParam;
@@ -11,7 +12,7 @@ public class HeaderInjectionVulnFixed {
 
     @GET
     public String lookupResource(HttpServletResponse response, @QueryParam("q") final String q) {
-        response.setHeader("X-Last-Search", stripNewlines(q));
+        response.setHeader("X-Last-Search", Newlines.stripAll(stripNewlines(q)));
         return "ok";
     }