
fix: sanitize invalid custom protocol headers (#18927)

* fix: sanitize invalid custom protocol headers (#18854)

* lint fix
Micha Hanselmann 5 years ago
parent
commit
a603a4dde8
2 changed files with 33 additions and 0 deletions
  1. 14 0
      atom/browser/net/url_request_async_asar_job.cc
  2. 19 0
      spec/api-protocol-spec.js

+ 14 - 0
atom/browser/net/url_request_async_asar_job.cc

@@ -38,6 +38,20 @@ void BeforeStartInUI(base::WeakPtr<URLRequestAsyncAsarJob> job,
     error = net::ERR_NOT_IMPLEMENTED;
   }
 
+  // sanitize custom headers
+  if (request_options && request_options->is_dict()) {
+    const base::Value* headersDict = request_options->FindDictKey("headers");
+    if (headersDict) {
+      for (const auto& iter : headersDict->DictItems()) {
+        if (!iter.second.is_string()) {
+          args->ThrowError("Value of '" + iter.first +
+                           "' header has to be a string");
+          return;
+        }
+      }
+    }
+  }
+
   base::PostTaskWithTraits(
       FROM_HERE, {content::BrowserThread::IO},
       base::BindOnce(&URLRequestAsyncAsarJob::StartAsync, job,
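Review bot: The new check only inspects `headers` when it is a dictionary, so a `headers` value of any other type is accepted without an error: `FindDictKey("headers")` returns null both when the key is absent and when it is present but not a dictionary. Consider fetching it with `FindKey("headers")` and throwing when `!headers->is_dict()`, before the loop over `DictItems()`. Separately, the `return` after `args->ThrowError(...)` skips the `PostTaskWithTraits` call below it, so `StartAsync` is never posted for this job and the request presumably stays pending; setting `error` to a failure code and falling through, as the branch just above does with `net::ERR_NOT_IMPLEMENTED`, would let it fail cleanly. The check also does not look for CR/LF in header names or values, and whether that is rejected later is not visible here. BeforeStartInUI starts and ends outside the hunk.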

+ 19 - 0
spec/api-protocol-spec.js

@@ -342,6 +342,25 @@ describe('protocol module', () => {
       })
     })
 
+    it('throws an error when custom headers are invalid', (done) => {
+      const handler = (request, callback) => {
+        assert.throws(() => callback({
+          path: filePath,
+          headers: { 'X-Great-Header': 42 }
+        }), /Value of 'X-Great-Header' header has to be a string/)
+        done()
+      }
+      protocol.registerFileProtocol(protocolName, handler, (error) => {
+        if (error) return done(error)
+        $.ajax({
+          url: protocolName + '://fake-host',
+          cache: false,
+          success: () => done('request succeeded but it should not'),
+          error: (xhr, errorType, error) => done(error)
+        })
+      })
+    })
+
     it('sends object as response', (done) => {
       const handler = (request, callback) => callback({ path: filePath })
       protocol.registerFileProtocol(protocolName, handler, (error) => {
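Review bot: `done()` can be called more than once in the new test: the handler calls it right after `assert.throws`, and the `$.ajax` `success`/`error` callbacks call it again if the request ever settles. A failing `assert.throws` also throws inside the protocol handler rather than in the test body, so it may surface as a timeout instead of the assertion message. Wrapping it as `try { assert.throws(...); done() } catch (e) { done(e) }` and making the ajax callbacks no-ops would make the outcome deterministic. The test only covers a non-string value inside a `headers` object; a case where `headers` itself is not an object would pin that path as well.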