Skip to content

[Security] Fix locale-sensitive header redaction#7572

Draft
gonzaloriestra wants to merge 1 commit into
mainfrom
jules-security-fix-locale-header-redaction-14224719727929470904
Draft

[Security] Fix locale-sensitive header redaction#7572
gonzaloriestra wants to merge 1 commit into
mainfrom
jules-security-fix-locale-header-redaction-14224719727929470904

Conversation

@gonzaloriestra
Copy link
Copy Markdown
Contributor

@gonzaloriestra gonzaloriestra commented May 18, 2026

WHY are these changes introduced?

Redaction of sensitive headers (like `AUTHORIZATION`) could be bypassed on systems with certain locales (e.g., Turkish) because `toLocaleLowerCase()` is non-deterministic for ASCII characters like 'I' (which becomes 'ı' in Turkish).

WHAT is this pull request doing?

This PR replaces `toLocaleLowerCase()` with `toLowerCase()` in `sanitizedHeadersOutput` to ensure consistent ASCII-based matching for HTTP headers regardless of the user's locale. It also adds a regression test that simulates the problematic locale behavior.

How to test your changes?

CI

Post-release steps

None.

Checklist

  • I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • I've considered possible documentation changes
  • I've considered analytics changes to measure impact
  • The change is user-facing — I've identified the correct bump type (`patch` for bug fixes · `minor` for new features · `major` for breaking changes) and added a changeset with `pnpm changeset add`

PR created automatically by Jules for task 14224719727929470904 started by @gonzaloriestra

@gonzaloriestra
[Security] Fix locale-sensitive header redaction
7c82911 
Replaced toLocaleLowerCase() with toLowerCase() in sanitizedHeadersOutput
to ensure consistent redaction of sensitive headers regardless of the
system locale. Added a regression test simulating the Turkish locale
issue.
@google-labs-jules
Copy link
Copy Markdown

google-labs-jules Bot commented May 18, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@github-actions github-actions Bot added the no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. label May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

no-changelog This PR doesn't include a changeset entry. Is an internal only change not relevant to end users. security

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@gonzaloriestra