From 806d5e7a9b45cb6f16528a49648caf218dc40443 Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Sat, 26 Apr 2025 22:05:24 +0000
Subject: [PATCH] (Snyk) Fixed finding: "Improper Neutralization of CRLF Sequences in HTTP Headers"

---
 .../SPDF/config/security/UserBasedRateLimitingFilter.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java b/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java
index 1c725c9f2..7bc0cc9bd 100644
--- a/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java
+++ b/src/main/java/stirling/software/SPDF/config/security/UserBasedRateLimitingFilter.java
@@ -121,7 +121,7 @@ public class UserBasedRateLimitingFilter extends OncePerRequestFilter {
 if (probe.isConsumed()) {
 response.setHeader(
 "X-Rate-Limit-Remaining",
- Newlines.stripAll(Long.toString(probe.getRemainingTokens())));
+ stripNewlines(Newlines.stripAll(Long.toString(probe.getRemainingTokens()))));
 filterChain.doFilter(request, response);
 } else {
 long waitForRefill = probe.getNanosToWaitForRefill() / 1_000_000_000;
@@ -141,4 +141,8 @@ public class UserBasedRateLimitingFilter extends OncePerRequestFilter {
 .build();
 return Bucket.builder().addLimit(limit).build();
 }
+
+ private static String stripNewlines(final String s) {
+ return s.replaceAll("[\n\r]", "");
+ }
 }
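Review bot: The added `stripNewlines(...)` wrapper on the `X-Rate-Limit-Remaining` line sanitizes a value that is already safe twice over: `Long.toString(probe.getRemainingTokens())` can only produce digits and an optional leading minus sign, and the existing `Newlines.stripAll` call already removes CR/LF, so the new call cannot change the header value and the scanner finding is a false positive for this line. Nesting both only obscures that; keep a single `Newlines.stripAll(Long.toString(probe.getRemainingTokens()))`, or if the intent is to drop the toolkit dependency, replace it with the local helper rather than stacking them, with a one-line comment noting the value is numeric. The `else` branch and the rest of the enclosing filter method continue outside the hunk, so any header there built from request-derived data (presumably a retry/wait header from `waitForRefill`) is not covered by this change and is where a real CRLF check would matter. In the new helper, `s.replaceAll("[\n\r]", "")` compiles a regex on every call; `s.replace("\r", "").replace("\n", "")` does the same work without one.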