Rule Definition
CR and LF characters in an HTTP header may give attackers control of the remaining headers and body of the response the application intends to send, as well as allowing them to create additional responses entirely under their control. This can lead to: cookie injection, open redirect, proxy cache poisoning, log corruption, or rewriting the body of the response.

Remediation
Use authorized sanitization methods of the framework, if available. Remove CR, LF characters for values coming from user inputs and used in HTTP headers

Violation Code Sample

app = FastAPI()

@app.get("/sample/")
def sample(req):
    content = {"message": "Hello World"}

    tainted= req.query_params.get("my_param")

    headers = {"X-whatever": tainted, "Content-Language": "en-US"}
    return JSONResponse(content=content, headers=headers)  # violation

Fixed Code Sample

app = FastAPI()

@app.get("/sample/")
def sample(req):
    content = {"message": "Hello World"}
    tainted= req.query_params.get("my_param")

    param_safe = re.sub('[\n\r]', '', tainted)  # the data is sanitized against CR/LF
    param_safe = html.escape(param_safe)  # the data is sanitized against "<script>"

    headers = {"X-whatever": param_safe, "Content-Language": "en-US"}
    return JSONResponse(content=content, headers=headers)

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') https://cwe.mitre.org/data/definitions/113.html CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax https://cwe.mitre.org/data/definitions/644.html Open Web Application Security Project (OWASP) https://www.owasp.org/index.php/Top_10_2007