Skip to content

Document TryAddWithoutValidation security implications and validation behavior#12226

Open
Copilot wants to merge 5 commits intomainfrom
copilot/improve-tryaddwithoutvalidation-docs
Open

Document TryAddWithoutValidation security implications and validation behavior#12226
Copilot wants to merge 5 commits intomainfrom
copilot/improve-tryaddwithoutvalidation-docs

Conversation

Copy link
Contributor

Copilot AI commented Jan 13, 2026
edited
Loading

TryAddWithoutValidation methods perform header name validation but skip header value validation, creating security risks when used with untrusted input. This was undocumented.

Changes

  • Clarified validation behavior: Header names are validated (returns false for invalid names), but header values are not
  • Added security warning: Values must be trusted or validated to prevent protocol-level attacks
  • Provided minimum validation guidance: Prohibit newline characters (\r, \n, \0) to prevent request smuggling: 
    if (value.IndexOfAny(new[] { '\r', '\n', '\0' }) >= 0) throw ...
  • Documented observable behavior: Unvalidated values appear in enumeration and queries, even without using NonValidated view

Both TryAddWithoutValidation overloads now have identical, comprehensive remarks sections explaining these behaviors.

Original prompt

Improve the TryAddWithoutValidation docs.

Here are the relevant sections from internal documentation:

TryAddWithoutValidation methods do perform header name validation, returning false for invalid names.

TryAddWithoutValidation methods do not perform any header value validation.
Values added via these methods are assumed to be trusted, and other application logic, such as HttpClient, may misbehave if they are not well formed. In particular, callers are highly encouraged to validate that these values not contain new line characters to guard against attacks such as request smuggling.
Values added without validation may be observed when enumerating the collection or querying for the specific header name, even when the caller is not using the HttpHeaders.NonValidated view of the collection.

TryAddWithoutValidation must never be used with untrusted values, unless it was otherwise sufficiently validated.
What constitutes "sufficient" validation can vary by use case. At a minimum, prohibit new line characters for protocol correctness, e.g. if (value.ContainsAny('\r', '\n', '\0')) throw .... This should ensure that the server application sees values in the same way as the client application, with the server now being responsible for properly sanitizing its own inputs.

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits January 13, 2026 15:58
@MihaZupan
Add comprehensive documentation for TryAddWithoutValidation methods
0f9a026 
Co-authored-by: MihaZupan <25307628+MihaZupan@users.noreply.github.com>
@MihaZupan
Fix documentation formatting and code example issues
5eaf345 
Co-authored-by: MihaZupan <25307628+MihaZupan@users.noreply.github.com>
Copilot AI changed the title [WIP] Improve documentation for TryAddWithoutValidation methods Document TryAddWithoutValidation security implications and validation behavior Jan 13, 2026
Copilot AI requested a review from MihaZupan January 13, 2026 16:02
MihaZupan
MihaZupan reviewed Jan 13, 2026
View reviewed changes
MihaZupan
MihaZupan reviewed Jan 13, 2026
View reviewed changes
@MihaZupan MihaZupan marked this pull request as ready for review January 13, 2026 17:27
@MihaZupan MihaZupan requested a review from a team as a code owner January 13, 2026 17:27
Copilot AI review requested due to automatic review settings January 13, 2026 17:27
Copilot AI reviewed Jan 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the documentation for TryAddWithoutValidation methods in HttpHeaders to clarify security implications and validation behavior that were previously undocumented.

Changes:

  • Clarified that header name validation is performed (returns false for invalid names) but header value validation is skipped
  • Added security warning about the risks of using untrusted values and the need for proper validation
  • Provided minimum validation guidance to prevent protocol-level attacks like request smuggling

gewarren
gewarren approved these changes Jan 13, 2026
View reviewed changes
Copy link
Contributor

@gewarren gewarren left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a couple minor suggestions.

@MihaZupan @gewarren
Apply suggestions from code review
ce37714 
Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com>
@MihaZupan
Copy link
Member

MihaZupan commented Jan 13, 2026

Thank you

@MihaZupan MihaZupan enabled auto-merge (squash) January 13, 2026 23:31
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jan 13, 2026

Tagging subscribers to this area: @dotnet/ncl

@MihaZupan MihaZupan disabled auto-merge January 14, 2026 00:16
@MihaZupan MihaZupan enabled auto-merge (squash) January 14, 2026 00:16
vcsjones
vcsjones reviewed Jan 15, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vcsjones vcsjones vcsjones left review comments

Copilot code review Copilot Copilot left review comments

@gewarren gewarren gewarren approved these changes

+1 more reviewer

@MihaZupan MihaZupan MihaZupan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@MihaZupan MihaZupan

Copilot code review Copilot

Labels

area-System.Net.Http

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@MihaZupan @vcsjones @gewarren