+add validation of header keys and new testcases

smolo-de · smolo-de · commit cbbfeb08e03d · 2025-10-24T13:45:06.000+02:00
~ change testcases to inlinedata
diff --git a/src/Serilog.Sinks.Grafana.Loki/HttpClients/BaseLokiHttpClient.cs b/src/Serilog.Sinks.Grafana.Loki/HttpClients/BaseLokiHttpClient.cs
@@ -33,7 +33,12 @@ public abstract class BaseLokiHttpClient : ILokiHttpClient
     /// <summary>
     /// Regex for Tenant ID validation.
     /// </summary>
-    private static readonly Regex TenantIdValueRegex = new Regex(@"^(?!.*\.\.)(?!\.$)[a-zA-Z0-9!._*'()\-\u005F]*$");
+    private static readonly Regex TenantIdValueRegex = new Regex(@"^(?!.*\.\.)(?!\.$)[a-zA-Z0-9!._*'()\-\u005F]*$", RegexOptions.Compiled);
+
+    /// <summary>
+    /// RFC7230 token characters: letters, digits and these symbols: ! # $ % & ' * + - . ^ _ ` | ~
+    /// </summary>
+    private static readonly Regex HeaderKeyRegEx = new Regex(@"^[A-Za-z0-9!#$%&'*+\-\.\^_`|~]+$", RegexOptions.Compiled);
 
     /// <summary>
     /// Initializes a new instance of the <see cref="BaseLokiHttpClient"/> class.
@@ -98,14 +103,34 @@ public virtual void SetTenant(string? tenant)
     /// <param name="defaultHeaders">A dictionary of headers to set as default.</param>
     public virtual void SetDefaultHeaders(IDictionary<string, string> defaultHeaders)
     {
+
         if (defaultHeaders == null)
         {
             throw new ArgumentNullException(nameof(defaultHeaders), "Default headers cannot be null.");
         }
 
         foreach (var header in defaultHeaders)
         {
-            // Check if the header already exists before adding
+            if (string.IsNullOrWhiteSpace(header.Key))
+            {
+                throw new ArgumentException("Header name cannot be null, empty, or whitespace.", nameof(defaultHeaders));
+            }
+
+            if (!HeaderKeyRegEx.IsMatch(header.Key))
+            {
+                throw new ArgumentException($"Header name '{header.Key}' contains invalid characters.", nameof(defaultHeaders));
+            }
+
+            if (header.Value == null)
+            {
+                throw new ArgumentException($"Header value for '{header.Key}' cannot be null.", nameof(defaultHeaders));
+            }
+
+            if (header.Value.Length == 0)
+            {
+                throw new ArgumentException($"Header value for '{header.Key}' cannot be empty.", nameof(defaultHeaders));
+            }
+
             if (!HttpClient.DefaultRequestHeaders.Contains(header.Key))
             {
                 HttpClient.DefaultRequestHeaders.Add(header.Key, header.Value);
diff --git a/test/Serilog.Sinks.Grafana.Loki.Tests/HttpClientsTests/BaseLokiHttpClientTests.cs b/test/Serilog.Sinks.Grafana.Loki.Tests/HttpClientsTests/BaseLokiHttpClientTests.cs
@@ -49,22 +49,29 @@ public void AuthorizationHeaderShouldNotBeSetWithoutCredentials()
     }
 
     [Theory]
-    [InlineData("tenant123", true)]
-    [InlineData("tenant-123", true)]
-    [InlineData("tenant..123", false)]
-    [InlineData(".", false)]
-    [InlineData("tenant!_*.123'()", true)]
-    [InlineData("tenant-123...", false)]
-    [InlineData("tenant123456...test", false)]
-    [InlineData("tenant1234567890!@", false)]
+    [InlineData("tenant123", true)] // only alphanumeric
+    [InlineData("tenant-123", true)] // allowed hyphen
+    [InlineData("tenant..123", false)] // double period not allowed
+    [InlineData(".", false)] // single period not allowed
+    [InlineData("tenant!_*.123'()", true)] // allowed special characters
+    [InlineData("tenant-123...", false)] // ends with multiple periods
+    [InlineData("tenant123456...test", false)] // ends with period
+    [InlineData("tenant1234567890!@", false)] // '@' is not allowed
+    [InlineData("a", true)] // minimal length
+    [InlineData("tenant_with_underscores", true)] // underscores
+    [InlineData("tenant..", false)] // ends with double period
+    [InlineData("..tenant", false)] // starts with double period
+    [InlineData("tenant-.-test", true)] // single periods inside are ok
     public void TenantHeaderShouldBeCorrect(string tenantId, bool isValid)
     {
         using var client = new TestLokiHttpClient();
 
         if (isValid)
         {
+            // Act
             client.SetTenant(tenantId);
 
+            // Assert header is correctly set
             var tenantHeaders = client.Client.DefaultRequestHeaders
                 .GetValues("X-Scope-OrgID")
                 .ToList();
@@ -73,6 +80,62 @@ public void TenantHeaderShouldBeCorrect(string tenantId, bool isValid)
         }
         else
         {
+            // Act & Assert: invalid tenant IDs throw ArgumentException
+            Should.Throw<ArgumentException>(() => client.SetTenant(tenantId));
+        }
+    }
+
+    // Allowed special characters
+    [Theory]
+    [InlineData('!', true)]
+    [InlineData('.', true)]
+    [InlineData('_', true)]
+    [InlineData('*', true)]
+    [InlineData('\'', true)]
+    [InlineData('(', true)]
+    [InlineData(')', true)]
+    [InlineData('-', true)]
+
+    // Disallowed special characters
+    [InlineData('@', false)]
+    [InlineData('#', false)]
+    [InlineData('&', false)]
+    [InlineData('$', false)]
+    [InlineData('%', false)]
+    [InlineData('^', false)]
+    [InlineData('=', false)]
+    [InlineData('+', false)]
+    [InlineData('[', false)]
+    [InlineData(']', false)]
+    [InlineData('{', false)]
+    [InlineData('}', false)]
+    [InlineData('<', false)]
+    [InlineData('>', false)]
+    [InlineData('?', false)]
+    [InlineData('/', false)]
+    [InlineData('\\', false)]
+    [InlineData('|', false)]
+    [InlineData('~', false)]
+    [InlineData('"', false)]
+    public void TenantSpecialCharacterShouldValidateCorrectly(char specialChar, bool isValid)
+    {
+        using var client = new TestLokiHttpClient();
+        string tenantId = "tenant" + specialChar + "123";
+
+        if (isValid)
+        {
+            // Should succeed
+            client.SetTenant(tenantId);
+
+            var tenantHeaders = client.Client.DefaultRequestHeaders
+                .GetValues("X-Scope-OrgID")
+                .ToList();
+
+            tenantHeaders.ShouldBeEquivalentTo(new List<string> { tenantId });
+        }
+        else
+        {
+            // Should throw
             Should.Throw<ArgumentException>(() => client.SetTenant(tenantId));
         }
     }
@@ -96,23 +159,109 @@ public void TenantHeaderShouldThrowAnExceptionOnTenantIdAgainstRule()
         Should.Throw<ArgumentException>(() => client.SetTenant(tenantId));
     }
 
-    [Fact]
-    public void SetDefaultHeadersShouldSetHeaderCorrectly()
+    [Theory]
+    [InlineData("Custom-Header", "HeaderValue", true)]
+    [InlineData("X-Test", "12345", true)]
+    [InlineData("X-Correlation-ID", "abcd-1234", true)]
+    [InlineData("X-Feature-Flag", "enabled", true)]
+    [InlineData("", "value", false)]
+    [InlineData(" ", "value", false)]
+    [InlineData(null, "value", false)]
+    [InlineData("Invalid Header", "value", false)]
+    [InlineData("X-Test", "", false)]
+    [InlineData("X-Test", null, false)]
+    public void SetDefaultHeadersShouldValidateCorrectly(string headerKey, string headerValue, bool isValid)
+    {
+        using var httpClient = new HttpClient();
+        var client = new TestLokiHttpClient(httpClient);
+
+        if (isValid)
+        {
+            var headersToSet = new Dictionary<string, string>
+            {
+                { headerKey, headerValue }
+            };
+
+            client.SetDefaultHeaders(headersToSet);
+
+            httpClient.DefaultRequestHeaders.Contains(headerKey).ShouldBeTrue();
+            httpClient.DefaultRequestHeaders
+                .GetValues(headerKey)
+                .ShouldBe(new[] { headerValue });
+        }
+        else
+        {
+            Should.Throw<ArgumentException>(() =>
+            {
+                var headersToSet = new Dictionary<string, string>
+                {
+                    { headerKey, headerValue }
+                };
+                client.SetDefaultHeaders(headersToSet);
+            });
+        }
+    }
+
+    [Theory]
+    [InlineData('!', true)]
+    [InlineData('#', true)]
+    [InlineData('$', true)]
+    [InlineData('%', true)]
+    [InlineData('&', true)]
+    [InlineData('\'', true)]
+    [InlineData('*', true)]
+    [InlineData('+', true)]
+    [InlineData('-', true)]
+    [InlineData('.', true)]
+    [InlineData('^', true)]
+    [InlineData('_', true)]
+    [InlineData('`', true)]
+    [InlineData('|', true)]
+    [InlineData('~', true)]
+    [InlineData('A', true)]
+    [InlineData('z', true)]
+    [InlineData(' ', false)]
+    [InlineData('(', false)]
+    [InlineData(')', false)]
+    [InlineData('<', false)]
+    [InlineData('>', false)]
+    [InlineData('@', false)]
+    [InlineData(',', false)]
+    [InlineData(';', false)]
+    [InlineData(':', false)]
+    [InlineData('"', false)]
+    [InlineData('/', false)]
+    [InlineData('[', false)]
+    [InlineData(']', false)]
+    [InlineData('?', false)]
+    [InlineData('=', false)]
+    [InlineData('{', false)]
+    [InlineData('}', false)]
+    [InlineData('\\', false)]
+    [InlineData('\t', false)]
+    public void DefaultHeaderCharactersShouldValidateCorrectly(char character, bool isValid) // Valid token characters according to RFC 7230
     {
-        // Arrange
         using var httpClient = new HttpClient();
         var client = new TestLokiHttpClient(httpClient);
 
+        string headerKey = "X-Test" + character;
         var headersToSet = new Dictionary<string, string>
         {
-            { "Custom-Header", "HeaderValue" }
+            { headerKey, "value" }
         };
 
-        // Act
-        client.SetDefaultHeaders(headersToSet);
+        if (isValid)
+        {
+            // Should succeed
+            client.SetDefaultHeaders(headersToSet);
 
-        // Assert
-        httpClient.DefaultRequestHeaders.Contains("Custom-Header").ShouldBeTrue();
-        httpClient.DefaultRequestHeaders.GetValues("Custom-Header").ShouldBe(new[] { "HeaderValue" });
+            httpClient.DefaultRequestHeaders.Contains(headerKey).ShouldBeTrue();
+            httpClient.DefaultRequestHeaders.GetValues(headerKey).ShouldBe(new[] { "value" });
+        }
+        else
+        {
+            // Should throw exception
+            Should.Throw<ArgumentException>(() => client.SetDefaultHeaders(headersToSet));
+        }
     }
 }
