Merge pull request from GHSA-f772-66g8-q5h3

Author: RafaelGSS

lib/core/request.js

@@ -297,7 +297,8 @@ function processHeader (request, key, val) {
   } else if (
     request.contentType === null &&
     key.length === 12 &&
-    key.toLowerCase() === 'content-type'
+    key.toLowerCase() === 'content-type' &&
+    headerCharRegex.exec(val) === null
   ) {
     request.contentType = val
     request.headers += `${key}: ${val}\r\n`

test/request-crlf.js

@@ -0,0 +1,32 @@
+'use strict'
+
+const { createServer } = require('http')
+const { test } = require('tap')
+const { request, errors } = require('..')
+
+test('should validate content-type CRLF Injection', (t) => {
+  t.plan(2)
+
+  const server = createServer((req, res) => {
+    t.fail('should not receive any request')
+    res.statusCode = 200
+    res.end('hello')
+  })
+
+  t.teardown(server.close.bind(server))
+
+  server.listen(0, async () => {
+    try {
+      await request(`http://localhost:${server.address().port}`, {
+        method: 'GET',
+        headers: {
+          'content-type': 'application/json\r\n\r\nGET /foo2 HTTP/1.1'
+        },
+      })
+      t.fail('request should fail')
+    } catch (e) {
+      t.type(e, errors.InvalidArgumentError)
+      t.equal(e.message, 'invalid content-type header')
+    }
+  })
+})