Validate request methods against a regex (#512)

n0npax · web-flow · commit abb2bb182fbd · 2021-04-29T17:50:54.000-07:00
Fixes #511
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 ## 0.13.3-dev
 
+* Validate that the `method` parameter of BaseRequest is a valid "token".
+
 ## 0.13.2
 
 * Add `package:http/retry.dart` with `RetryClient`. This is the same
diff --git a/lib/src/base_request.dart b/lib/src/base_request.dart
@@ -88,8 +88,17 @@ abstract class BaseRequest {
   bool get finalized => _finalized;
   bool _finalized = false;
 
-  BaseRequest(this.method, this.url)
-      : headers = LinkedHashMap(
+  static final _tokenRE = RegExp(r"^[\w!#%&'*+\-.^`|~]+$");
+  static String _validateMethod(String method) {
+    if (!_tokenRE.hasMatch(method)) {
+      throw ArgumentError.value(method, 'method', 'Not a valid method');
+    }
+    return method;
+  }
+
+  BaseRequest(String method, this.url)
+      : method = _validateMethod(method),
+        headers = LinkedHashMap(
             equals: (key1, key2) => key1.toLowerCase() == key2.toLowerCase(),
             hashCode: (key) => key.toLowerCase().hashCode);
 
diff --git a/test/request_test.dart b/test/request_test.dart
@@ -334,4 +334,10 @@ void main() {
       expect(request.toString(), 'POST $dummyUrl');
     });
   });
+
+  group('#method', () {
+    test('must be a token', () {
+      expect(() => http.Request('LLAMA[0]', dummyUrl), throwsArgumentError);
+    });
+  });
 }
diff --git a/test/streamed_request_test.dart b/test/streamed_request_test.dart
@@ -24,4 +24,10 @@ void main() {
       expect(() => request.contentLength = 10, throwsStateError);
     });
   });
+  group('#method', () {
+    test('must be a token', () {
+      expect(() => http.StreamedRequest('SUPER LLAMA', dummyUrl),
+          throwsArgumentError);
+    });
+  });
 }
