new capacity bits (#67)

tests/fixtures/header_injection/python/safe_set_header.py

@@ -0,0 +1,15 @@
+# Safe: request arg routed through `strip_crlf` before being added to the
+# response headers.
+from flask import request, make_response
+
+
+def strip_crlf(raw):
+    return raw.replace("\r", "").replace("\n", "")
+
+
+def handler():
+    lang = request.args.get("lang")
+    safe = strip_crlf(lang)
+    resp = make_response("ok")
+    resp.headers.add("X-Lang", safe)
+    return resp

tests/fixtures/header_injection/python/safe_subscript_set.py

@@ -0,0 +1,15 @@
+# Safe: request arg routed through `strip_crlf` (a registered
+# HEADER_INJECTION sanitizer) before the subscript-set, so
+# taint-header-injection stays clean.
+from flask import request, make_response
+
+
+def strip_crlf(raw):
+    return raw.replace("\r", "").replace("\n", "")
+
+
+def handler():
+    lang = request.args.get("lang")
+    response = make_response("ok")
+    response.headers["X-Forwarded-By"] = strip_crlf(lang)
+    return response

tests/fixtures/header_injection/python/unsafe_set_header.py

@@ -0,0 +1,10 @@
+# Unsafe: Flask response.headers.add receives a value built from request
+# args.  HEADER_INJECTION fires on the value argument.
+from flask import request, make_response
+
+
+def handler():
+    lang = request.args.get("lang")
+    resp = make_response("ok")
+    resp.headers.add("X-Lang", lang)
+    return resp

tests/fixtures/header_injection/python/unsafe_subscript_set.py

@@ -0,0 +1,13 @@
+# Unsafe: tainted request value flows into the bare-subscript header set
+# `response.headers["X-Forwarded-By"] = lang`.  The LHS-subscript
+# classification path matches `response.headers` / `resp.headers` as a
+# HEADER_INJECTION sink so this form fires alongside the explicit
+# `headers.add` / `set_cookie` method-call shapes.
+from flask import request, make_response
+
+
+def handler():
+    lang = request.args.get("lang")
+    response = make_response("ok")
+    response.headers["X-Forwarded-By"] = lang
+    return response