Tighten up raw header accuracy in HTTP/1.1 snippets

pimterry · pimterry · commit 97a59c1a5472 · 2026-02-05T13:25:20.000+01:00
diff --git a/src/index.js b/src/index.js
@@ -168,13 +168,21 @@ HTTPSnippet.prototype.prepare = function (request) {
 
         request.postData.boundary = boundary
 
-        // Since headers are case-sensitive we need to see if there's an existing `Content-Type` header that we can
-        // override.
-        const contentTypeHeader = helpers.hasHeader(request.headersObj, 'content-type')
-          ? helpers.getHeaderName(request.headersObj, 'content-type')
-          : 'content-type'
+        const multipartContentType = 'multipart/form-data; boundary=' + boundary
 
-        request.headersObj[contentTypeHeader] = 'multipart/form-data; boundary=' + boundary
+        // We need to update the various header states to match the CT to our boundary:
+        if (helpers.hasHeader(request.headersObj, 'content-type')) {
+          // Since headers are case-sensitive we need to see if there's an existing `Content-Type`
+          // header that we can override.
+          const contentTypeHeader = helpers.getHeaderName(request.headersObj, 'content-type')
+          request.headersObj[contentTypeHeader] = multipartContentType
+
+          const headerEntry = request.headers.findLast(h => h.name.toLowerCase() === 'content-type')
+          headerEntry.value = multipartContentType
+        } else {
+          request.headersObj['Content-Type'] = multipartContentType
+          request.headers.push({ name: 'Content-Type', value: multipartContentType })
+        }
       }
       break
 
diff --git a/src/targets/http/http1.1.js b/src/targets/http/http1.1.js
@@ -43,21 +43,27 @@ module.exports = function (source, options) {
   code.push('%s %s %s', source.method, requestUrl, source.httpVersion)
 
   // RFC 7231 Section 5. Header Fields
-  Object.keys(source.allHeaders).forEach(function (key) {
-    // Capitalize header keys, even though it's not required by the spec.
-    const keyCapitalized = key.toLowerCase().replace(/(^|-)(\w)/g, function (x) {
-      return x.toUpperCase()
-    })
-
+  source.headers.forEach((header) => {
     code.push(
       '%s',
-      util.format('%s: %s', keyCapitalized, source.allHeaders[key])
+      util.format('%s: %s', header.name, header.value)
     )
   })
 
+  // Unlike most other snippets, we use the fully raw input here (not headerObj/allHeaders)
+  // so we need to hook into the prepare() cookie injection logic:
+  if (source.allHeaders.cookie && !source.headers.find(h => h.name.toLowerCase() === 'cookie')) {
+    code.push(
+      '%s',
+      util.format('%s: %s', 'Cookie', source.allHeaders.cookie)
+    )
+  }
+
+  const headerKeys = Object.keys(source.allHeaders).map(k => k.toLowerCase())
+
   // RFC 7230 Section 5.4. Host
   // Automatically set Host header if option is on and on header already exists.
-  if (opts.autoHost && Object.keys(source.allHeaders).indexOf('host') === -1) {
+  if (opts.autoHost && headerKeys.indexOf('host') === -1) {
     code.push('Host: %s', source.uriObj.host)
   }
 
@@ -66,7 +72,7 @@ module.exports = function (source, options) {
   if (
     opts.autoContentLength &&
     source.postData.text &&
-    Object.keys(source.allHeaders).indexOf('content-length') === -1
+    headerKeys.indexOf('conteTnt-length') === -1
   ) {
     code.push(
       'Content-Length: %d',
diff --git a/test/fixtures/output/http/1.1/application-form-encoded b/test/fixtures/output/http/1.1/application-form-encoded
@@ -1,5 +1,5 @@
 POST /har HTTP/1.1
-Content-Type: application/x-www-form-urlencoded
+content-type: application/x-www-form-urlencoded
 Host: mockbin.com
 Content-Length: 19
 
diff --git a/test/fixtures/output/http/1.1/application-json b/test/fixtures/output/http/1.1/application-json
@@ -1,5 +1,5 @@
 POST /har HTTP/1.1
-Content-Type: application/json
+content-type: application/json
 Host: mockbin.com
 Content-Length: 118
 
diff --git a/test/fixtures/output/http/1.1/compression b/test/fixtures/output/http/1.1/compression
@@ -1,3 +1,3 @@
 GET /har HTTP/1.1
-Accept-Encoding: deflate, gzip, br
+accept-encoding: deflate, gzip, br
 Host: mockbin.com
diff --git a/test/fixtures/output/http/1.1/full b/test/fixtures/output/http/1.1/full
@@ -1,7 +1,7 @@
 POST /har?foo=bar&foo=baz&baz=abc&key=value HTTP/1.1
+accept: application/json
+content-type: application/x-www-form-urlencoded
 Cookie: foo=bar; bar=baz
-Accept: application/json
-Content-Type: application/x-www-form-urlencoded
 Host: mockbin.com
 Content-Length: 7
 
diff --git a/test/fixtures/output/http/1.1/headers b/test/fixtures/output/http/1.1/headers
@@ -1,7 +1,7 @@
 GET /har HTTP/1.1
-Accept: application/json
-X-Foo: Bar
-Quoted-Value: "quoted" 'string'
+accept: application/json
+x-foo: Bar
+quoted-value: "quoted" 'string'
 Host: mockbin.com
 
 
diff --git a/test/fixtures/output/http/1.1/jsonObj-multiline b/test/fixtures/output/http/1.1/jsonObj-multiline
@@ -1,5 +1,5 @@
 POST /har HTTP/1.1
-Content-Type: application/json
+content-type: application/json
 Host: mockbin.com
 Content-Length: 18
 
diff --git a/test/fixtures/output/http/1.1/jsonObj-null-value b/test/fixtures/output/http/1.1/jsonObj-null-value
@@ -1,5 +1,5 @@
 POST /har HTTP/1.1
-Content-Type: application/json
+content-type: application/json
 Host: mockbin.com
 Content-Length: 12
 
diff --git a/test/fixtures/output/http/1.1/malicious b/test/fixtures/output/http/1.1/malicious
@@ -1,20 +1,20 @@
 POST /%27%22%60$(%(%%7B%7B%7B/0%s//?'=squote-key-test&squote-value-test='&%22=dquote-key-test&dquote-value-test=%22&%60=backtick-key-test&backtick-value-test=%60&%24(=dollar-parenthesis-key-test&dollar-parenthesis-value-test=%24(&%23%7B=hash-brace-key-test&hash-brace-value-test=%23%7B&%25(=percent-parenthesis-key-test&percent-parenthesis-value-test=%25(&%25%7B=percent-brace-key-test&percent-brace-value-test=%25%7B&%7B%7B=double-brace-key-test&double-brace-value-test=%7B%7B&%5C0=null-key-test&null-value-test=%5C0&%25s=string-fmt-key-test&string-fmt-value-test=%25s&%5C=slash-key-test&slash-value-test=%5C HTTP/1.1
 ': squote-key-test
-Squote-Value-Test: '
-Dquote-Value-Test: "
+squote-value-test: '
+dquote-value-test: "
 `: backtick-key-test
-Backtick-Value-Test: `
+backtick-value-test: `
 $: dollar-key-test
-Dollar-Parenthesis-Value-Test: $(
+dollar-parenthesis-value-test: $(
 #: hash-key-test
-Hash-Brace-Value-Test: #{
+hash-brace-value-test: #{
 %: percent-key-test
-Percent-Parenthesis-Value-Test: %(
-Percent-Brace-Value-Test: %{
-Double-Brace-Value-Test: {{
-Null-Value-Test: \0
-String-Fmt-Value-Test: %s
-Slash-Value-Test: \
+percent-parenthesis-value-test: %(
+percent-brace-value-test: %{
+double-brace-value-test: {{
+null-value-test: \0
+string-fmt-value-test: %s
+slash-value-test: \
 Host: example.test
 Content-Length: 28
 
diff --git a/test/fixtures/output/http/1.1/multipart-data b/test/fixtures/output/http/1.1/multipart-data
@@ -1,5 +1,5 @@
 POST /har HTTP/1.1
-Content-Type: multipart/form-data; boundary=---011000010111000001101001
+content-type: multipart/form-data; boundary=---011000010111000001101001
 Host: mockbin.com
 Content-Length: 171
 
diff --git a/test/fixtures/output/http/1.1/multipart-file b/test/fixtures/output/http/1.1/multipart-file
@@ -1,5 +1,5 @@
 POST /har HTTP/1.1
-Content-Type: multipart/form-data; boundary=---011000010111000001101001
+content-type: multipart/form-data; boundary=---011000010111000001101001
 Host: mockbin.com
 Content-Length: 160
 
diff --git a/test/fixtures/output/http/1.1/text-plain b/test/fixtures/output/http/1.1/text-plain
@@ -1,5 +1,5 @@
 POST /har HTTP/1.1
-Content-Type: text/plain
+content-type: text/plain
 Host: mockbin.com
 Content-Length: 11
 
