fix: reject CR/LF/NUL in operation_context to prevent header injection

arorashivam96 · claude · arorashivam96 · commit 07e3eb218233 · 2026-05-08T17:45:41.000-07:00
Validate operation_context at ODataClient init time — raise ValueError
if the string contains \r, \n, or \x00. Prevents invalid HTTP headers
and header injection via the User-Agent comment.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/PowerPlatform/Dataverse/data/_odata.py b/src/PowerPlatform/Dataverse/data/_odata.py
@@ -206,7 +206,12 @@ def __init__(
             session=session,
             logger=self._http_logger,
         )
-        self._operation_context = self.config.operation_context
+        ctx = self.config.operation_context
+        if ctx and any(c in ctx for c in "\r\n\x00"):
+            raise ValueError(
+                "operation_context must not contain CR, LF, or NUL characters."
+            )
+        self._operation_context = ctx
         self._logical_to_entityset_cache: dict[str, str] = {}
         # Cache: normalized table_schema_name (lowercase) -> primary id attribute (e.g. accountid)
         self._logical_primaryid_cache: dict[str, str] = {}
diff --git a/tests/unit/test_operation_context.py b/tests/unit/test_operation_context.py
@@ -97,3 +97,9 @@ def test_empty_string_context_no_parentheses(self):
         odata = _ODataClient(self.dummy_auth, self.base_url, config=config)
         headers = odata._headers()
         self.assertNotIn("(", headers["User-Agent"])
+
+    def test_control_chars_rejected(self):
+        for bad in ["has\rnewline", "has\nnewline", "has\x00null"]:
+            config = DataverseConfig(operation_context=bad)
+            with self.assertRaises(ValueError):
+                _ODataClient(self.dummy_auth, self.base_url, config=config)
