new capacity bits (#67)

tests/fixtures/header_injection/javascript/safe_set_header.js

@@ -0,0 +1,14 @@
+// Safe: req.query.lang routed through the project-local `stripCRLF` helper
+// before being written to the response header.
+function stripCRLF(raw) {
+    return raw.replace(/[\r\n]/g, '');
+}
+
+function handler(req, res) {
+    const lang = req.query.lang;
+    const safe = stripCRLF(lang);
+    res.setHeader('X-Lang', safe);
+    res.end();
+}
+
+module.exports = handler;

tests/fixtures/header_injection/javascript/safe_subscript_set.js

@@ -0,0 +1,14 @@
+// Safe: req.query.lang routed through the project-local `stripCRLF` helper
+// (a registered HEADER_INJECTION sanitizer) before the subscript-set, so
+// taint-header-injection stays clean.
+function stripCRLF(raw) {
+    return raw.replace(/[\r\n]/g, '');
+}
+
+function handler(req, res) {
+    const lang = req.query.lang;
+    res.headers["X-Forwarded-By"] = stripCRLF(lang);
+    res.end();
+}
+
+module.exports = handler;

tests/fixtures/header_injection/javascript/unsafe_set_header.js

@@ -0,0 +1,9 @@
+// Unsafe: Express `res.setHeader` receives a value built from req.query.
+// HEADER_INJECTION fires on the value argument.
+function handler(req, res) {
+    const lang = req.query.lang;
+    res.setHeader('X-Lang', lang);
+    res.end();
+}
+
+module.exports = handler;

tests/fixtures/header_injection/javascript/unsafe_subscript_set.js

@@ -0,0 +1,11 @@
+// Unsafe: tainted req.query value flows into the bare-subscript header set
+// `res.headers["X-Forwarded-By"] = lang`.  The LHS-subscript classification
+// path matches `res.headers` as a HEADER_INJECTION sink so this form fires
+// alongside the explicit `setHeader` / `res.set` method-call shapes.
+function handler(req, res) {
+    const lang = req.query.lang;
+    res.headers["X-Forwarded-By"] = lang;
+    res.end();
+}
+
+module.exports = handler;