Address github security report (#3492)

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/RestfulResponse.java

@@ -33,7 +33,7 @@ public abstract class RestfulResponse<T extends RequestDetails> implements IRest
 
 	private IIdType myOperationResourceId;
 	private IPrimitiveType<Date> myOperationResourceLastUpdated;
-	private Map<String, List<String>> theHeaders = new HashMap<>();
+	private final Map<String, List<String>> myHeaders = new HashMap<>();
 	private T theRequestDetails;
 
 	public RestfulResponse(T requestDetails) {
@@ -51,7 +51,7 @@ public abstract class RestfulResponse<T extends RequestDetails> implements IRest
 	 */
 	@Override
 	public Map<String, List<String>> getHeaders() {
-		return theHeaders;
+		return myHeaders;
 	}
 
 	/**

hapi-fhir-server/src/main/java/ca/uhn/fhir/rest/server/servlet/ServletRestfulResponse.java

@@ -24,6 +24,7 @@ import ca.uhn.fhir.rest.api.Constants;
 import ca.uhn.fhir.rest.api.MethodOutcome;
 import ca.uhn.fhir.rest.api.server.ParseAction;
 import ca.uhn.fhir.rest.server.RestfulResponse;
+import org.apache.commons.lang3.StringUtils;
 import org.hl7.fhir.instance.model.api.IBaseBinary;
 
 import javax.servlet.ServletOutputStream;
@@ -80,9 +81,12 @@ public class ServletRestfulResponse extends RestfulResponse<ServletRequestDetail
 		HttpServletResponse theHttpResponse = getRequestDetails().getServletResponse();
 		getRequestDetails().getServer().addHeadersToResponse(theHttpResponse);
 		for (Entry<String, List<String>> header : getHeaders().entrySet()) {
-			final String key = header.getKey();
+			String key = header.getKey();
+			key = sanitizeHeaderField(key);
 			boolean first = true;
 			for (String value : header.getValue()) {
+				value = sanitizeHeaderField(value);
+
 				// existing headers should be overridden
 				if (first) {
 					theHttpResponse.setHeader(key, value);
@@ -94,6 +98,10 @@ public class ServletRestfulResponse extends RestfulResponse<ServletRequestDetail
 		}
 	}
 
+	static String sanitizeHeaderField(String theKey) {
+		return StringUtils.replaceChars(theKey, "\r\n", null);
+	}
+
 	@Override
 	public final Writer sendWriterResponse(int theStatus, String theContentType, String theCharset, Writer theWriter) {
 		return theWriter;

hapi-fhir-server/src/test/java/ca/uhn/fhir/rest/server/servlet/ServletRestfulResponseTest.java

@@ -13,6 +13,7 @@ import org.mockito.junit.jupiter.MockitoExtension;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
+import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
@@ -52,4 +53,12 @@ public class ServletRestfulResponseTest {
 		orderVerifier.verify(servletResponse).addHeader(eq("Authorization"), eq("Bearer"));
 		verify(servletResponse).setHeader(eq("Cache-Control"), eq("no-cache, no-store"));
 	}
+
+	@Test
+	public void testSanitizeHeaderField() {
+		assertEquals("AB", ServletRestfulResponse.sanitizeHeaderField("A\nB"));
+		assertEquals("AB", ServletRestfulResponse.sanitizeHeaderField("A\r\r\rB"));
+		assertEquals("AB", ServletRestfulResponse.sanitizeHeaderField("AB"));
+	}
+
 }