Merge branch 'main' into cursor/sanitize-http-header-values-to-prevent-injection-2d93

cursoragent · cursoragent · commit 2eaa17fff03a · 2025-10-28T15:38:12.000Z
Resolved conflicts in src/render.rs by:
- Keeping header value sanitization with Cow optimization
- Using the new into_response_builder() method from main
- Maintaining has_status flag updates from main
diff --git a/src/render.rs b/src/render.rs
@@ -247,8 +247,7 @@ impl HeaderContext {
         let sanitized_link = sanitize_header_value(link);
         self.response
             .insert_header((header::LOCATION, sanitized_link.as_ref()));
-        let response = self.response.body(());
-        Ok(response)
+        Ok(self.into_response_builder().body(()))
     }
 
     /// Answers to the HTTP request with a single json object
@@ -261,7 +260,9 @@ impl HeaderContext {
             } else {
                 serde_json::to_vec(contents)?
             };
-            Ok(PageContext::Close(self.response.body(json_response)))
+            Ok(PageContext::Close(
+                self.into_response_builder().body(json_response),
+            ))
         } else {
             let body_type = get_object_str(data, "type");
             let json_renderer = match body_type {
@@ -319,22 +320,21 @@ impl HeaderContext {
         }
         log::debug!("Authentication failed");
         // The authentication failed
-        let http_response: HttpResponse = if let Some(link) = get_object_str(&data, "link") {
+        if let Some(link) = get_object_str(&data, "link") {
             let sanitized_link = sanitize_header_value(link);
             self.response
                 .status(StatusCode::FOUND)
-                .insert_header((header::LOCATION, sanitized_link.as_ref()))
-                .body(
-                    "Sorry, but you are not authorized to access this page. \
-                    Redirecting to the login page...",
-                )
+                .insert_header((header::LOCATION, sanitized_link.as_ref()));
+            self.has_status = true;
+            Ok(PageContext::Close(self.into_response_builder().body(
+                "Sorry, but you are not authorized to access this page. \
+                Redirecting to the login page...",
+            )))
         } else {
             anyhow::bail!(ErrorWithStatus {
                 status: StatusCode::UNAUTHORIZED
             })
-        };
-        self.has_status = true;
-        Ok(PageContext::Close(http_response))
+        }
     }
 
     fn download(mut self, options: &JsonValue) -> anyhow::Result<PageContext> {
@@ -366,7 +366,7 @@ impl HeaderContext {
                 .insert_header((header::CONTENT_TYPE, content_type));
         }
         Ok(PageContext::Close(
-            self.response.body(body_bytes.into_owned()),
+            self.into_response_builder().body(body_bytes.into_owned()),
         ))
     }
 
@@ -381,6 +381,11 @@ impl HeaderContext {
         }
     }
 
+    fn into_response_builder(mut self) -> HttpResponseBuilder {
+        self.add_server_timing_header();
+        self.response
+    }
+
     async fn start_body(mut self, data: JsonValue) -> anyhow::Result<PageContext> {
         self.add_server_timing_header();
         let html_renderer =
@@ -395,9 +400,8 @@ impl HeaderContext {
         })
     }
 
-    pub fn close(mut self) -> HttpResponse {
-        self.add_server_timing_header();
-        self.response.finish()
+    pub fn close(self) -> HttpResponse {
+        self.into_response_builder().finish()
     }
 }
 
diff --git a/src/webserver/database/execute_queries.rs b/src/webserver/database/execute_queries.rs
@@ -58,6 +58,7 @@ pub fn stream_query_results_with_conn<'a>(
                 },
                 ParsedStatement::StmtWithParams(stmt) => {
                     let query = bind_parameters(stmt, request, db_connection).await?;
+                    request.server_timing.record("bind_params");
                     let connection = take_connection(&request.app_state.db, db_connection, request).await?;
                     log::trace!("Executing query {:?}", query.sql);
                     let mut stream = connection.fetch_many(query);
diff --git a/src/webserver/server_timing.rs b/src/webserver/server_timing.rs
@@ -61,8 +61,10 @@ impl ServerTiming {
             if i > 0 {
                 s.push_str(", ");
             }
-            let millis = time.saturating_duration_since(last).as_millis();
-            write!(&mut s, "{name};dur={millis}").ok()?;
+            let micros = time.saturating_duration_since(last).as_micros();
+            let millis = micros / 1000;
+            let micros = micros % 1000;
+            write!(&mut s, "{name};dur={millis}.{micros:03}").ok()?;
             last = *time;
         }
         Some(s)
diff --git a/tests/server_timing/mod.rs b/tests/server_timing/mod.rs
@@ -54,6 +54,10 @@ async fn test_server_timing_enabled_in_development() -> actix_web::Result<()> {
         header_value.contains("parse_req;dur="),
         "Should contain parse_req timing: {header_value}"
     );
+    assert!(
+        header_value.contains("bind_params;dur="),
+        "Should contain bind_params timing: {header_value}"
+    );
     assert!(
         header_value.contains("db_conn;dur="),
         "Should contain db_conn timing: {header_value}"
@@ -78,7 +82,7 @@ async fn test_server_timing_format() -> actix_web::Result<()> {
     let header_value = server_timing_header.to_str().unwrap();
 
     let parts: Vec<&str> = header_value.split(", ").collect();
-    assert!(parts.len() >= 4, "Should have at least 4 timing events");
+    assert!(parts.len() >= 5, "Should have at least 5 timing events");
 
     for part in parts {
         assert!(
@@ -98,3 +102,38 @@ async fn test_server_timing_format() -> actix_web::Result<()> {
 
     Ok(())
 }
+
+#[actix_web::test]
+async fn test_server_timing_in_redirect() -> actix_web::Result<()> {
+    let mut config = test_config();
+    config.environment = sqlpage::app_config::DevOrProd::Development;
+    let app_data = make_app_data_from_config(config).await;
+
+    let req =
+        crate::common::get_request_to_with_data("/tests/server_timing/redirect_test.sql", app_data)
+            .await?
+            .to_srv_request();
+    let resp = main_handler(req).await?;
+
+    assert_eq!(
+        resp.status(),
+        StatusCode::FOUND,
+        "Response should be a redirect"
+    );
+    let server_timing_header = resp
+        .headers()
+        .get("Server-Timing")
+        .expect("Server-Timing header should be present in redirect responses");
+    let header_value = server_timing_header.to_str().unwrap();
+
+    assert!(
+        !header_value.is_empty(),
+        "Server-Timing header should not be empty: {header_value}"
+    );
+    assert!(
+        header_value.contains(";dur="),
+        "Server-Timing header should contain timing events: {header_value}"
+    );
+
+    Ok(())
+}
diff --git a/tests/server_timing/redirect_test.sql b/tests/server_timing/redirect_test.sql
@@ -0,0 +1,2 @@
+select 'redirect' as component, '/destination.sql' as link;
+

Original file line number	Diff line number	Diff line change
`@@ -61,8 +61,10 @@ impl ServerTiming {`
`61`	`61`	`if i > 0 {`
`62`	`62`	`s.push_str(", ");`
`63`	`63`	`}`
`64`		`- let millis = time.saturating_duration_since(last).as_millis();`
`65`		`- write!(&mut s, "{name};dur={millis}").ok()?;`
	`64`	`+ let micros = time.saturating_duration_since(last).as_micros();`
	`65`	`+ let millis = micros / 1000;`
	`66`	`+ let micros = micros % 1000;`
	`67`	`+ write!(&mut s, "{name};dur={millis}.{micros:03}").ok()?;`
`66`	`68`	`last = *time;`
`67`	`69`	`}`
`68`	`70`	`Some(s)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+select 'redirect' as component, '/destination.sql' as link;`
	`2`	`+`