Bug: EmptyResponse.getheader input not sanitized

[ichliebepentest]

Bug Description

The input to the function is not sanitized, which may accept any user side input and lead to security breaches.

Steps to Reproduce

#!/usr/bin/env python3

from evo.common import EmptyResponse

payload = '<script>alert(1)</script>'
obj = EmptyResponse(status=404)
result = obj.getheader('key', payload)
print(f"Payload not sanitized: {result}")

Expected Behavior

The input should be sanitized to only allow certain characters

Actual Behavior

Accepts any characters

Environment

linux, latest evo-sdk

Screenshots/Logs

Acceptance Criteria

• input to header sanitized

Additional Context

[wordsworthc]

Thanks @ichliebepentest. I've discussed this one with the team and we've decided to close this issue as the concern you raise seems unrealistic for a few reasons:

• header values should always be treated as untrusted input
• the provided example has negligible impact on python code, and fails to demonstrate an actionable problem
• for all intents and purposes, the getheader() method is functionally equivalent to dict.get(), and so this behavior is as intended