feat(fetch): support variable expansion in override.requestOptions.headers of fetch client
#2605
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds support for variable expansion (template literals) in override.requestOptions.headers for the fetch client. Previously, header values were stringified directly, but now they are rendered as template literals to allow dynamic values like environment variables.
Key Changes:
- Modified header generation to use template literal syntax instead of direct stringification
- Added test configuration demonstrating the new capability with environment variable interpolation
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/fetch/src/index.ts | Changed header generation logic to use template literals for variable expansion support |
| tests/configs/fetch.config.ts | Added test configuration demonstrating environment variable usage in headers |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| const overrideHeaders = | ||
| isObject(override.requestOptions) && override.requestOptions.headers | ||
| ? Object.entries(override.requestOptions.headers).map( | ||
| ([key, value]) => `'${key}': \`${value}\``, |
There was a problem hiding this comment.
Header keys and values are not sanitized before being inserted into template literals. If user-provided values contain backticks or other special characters, this could result in code injection. Consider escaping special characters in both key and value, particularly backticks, backslashes, and ${ sequences.
| const overrideHeaders = | |
| isObject(override.requestOptions) && override.requestOptions.headers | |
| ? Object.entries(override.requestOptions.headers).map( | |
| ([key, value]) => `'${key}': \`${value}\``, | |
| // Helper functions to escape header keys and values for safe code generation | |
| function escapeHeaderKey(key: string): string { | |
| // Escape single quotes and backslashes | |
| return key.replace(/\\/g, '\\\\').replace(/'/g, "\\'"); | |
| } | |
| function escapeHeaderValue(value: string): string { | |
| // Escape backticks, backslashes, and `${` | |
| return value | |
| .replace(/\\/g, '\\\\') | |
| .replace(/`/g, '\\`') | |
| .replace(/\$\{/g, '\\${'); | |
| } | |
| const overrideHeaders = | |
| isObject(override.requestOptions) && override.requestOptions.headers | |
| ? Object.entries(override.requestOptions.headers).map( | |
| ([key, value]) => `'${escapeHeaderKey(key)}': \`${escapeHeaderValue(String(value))}\``, |
soartec-lab
added
enhancement
2 participants
fix #2599