From 503acc94086fb2db311b1327ea0bb42f5b97bd61 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Tue, 7 May 2024 03:44:03 +0000
Subject: [PATCH] Introduced protections against HTTP header injection /
 smuggling attacks

---
 .../SPDF/config/security/UserBasedRateLimitingFilter.java    | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java b/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java
index 7b3b9b4e..89107697 100644
--- a/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java
+++ b/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java
@@ -1,5 +1,6 @@
 package stirling.software.SPDF.config.security;
 
+import io.github.pixee.security.Newlines;
 import java.io.IOException;
 import java.time.Duration;
 import java.util.Map;
@@ -125,12 +126,12 @@ public class UserBasedRateLimitingFilter extends OncePerRequestFilter {
         ConsumptionProbe probe = userBucket.tryConsumeAndReturnRemaining(1);
 
         if (probe.isConsumed()) {
-            response.setHeader("X-Rate-Limit-Remaining", Long.toString(probe.getRemainingTokens()));
+            response.setHeader("X-Rate-Limit-Remaining", Newlines.stripAll(Long.toString(probe.getRemainingTokens())));
             filterChain.doFilter(request, response);
         } else {
             long waitForRefill = probe.getNanosToWaitForRefill() / 1_000_000_000;
             response.setStatus(HttpStatus.TOO_MANY_REQUESTS.value());
-            response.setHeader("X-Rate-Limit-Retry-After-Seconds", String.valueOf(waitForRefill));
+            response.setHeader("X-Rate-Limit-Retry-After-Seconds", Newlines.stripAll(String.valueOf(waitForRefill)));
             response.getWriter().write("Rate limit exceeded for POST requests.");
         }
     }