feat: add response argument to cloud functions for HTTP status and headers

hajjarjoseph · hajjarjoseph · commit 71fba5fd440c · 2025-12-13T23:17:37.000+01:00
diff --git a/README.md b/README.md
@@ -77,6 +77,7 @@ A big _thank you_ 🙏 to our [sponsors](#sponsors) and [backers](#backers) who
       - [Reserved Keys](#reserved-keys)
       - [Parameters](#parameters-1)
   - [Logging](#logging)
+  - [Cloud Function Custom HTTP Response](#cloud-functions-http-response)
 - [Deprecations](#deprecations)
 - [Live Query](#live-query)
 - [GraphQL](#graphql)
diff --git a/spec/CloudCode.spec.js b/spec/CloudCode.spec.js
@@ -228,7 +228,7 @@ describe('Cloud Code', () => {
     expect(response.headers['x-custom-header']).toEqual('third');
   });
 
-  it('res.status() throws error for non-number status code', async () => {
+  it('res.status() throws error for non-integer status code', async () => {
     Parse.Cloud.define('invalidStatusType', (req, res) => {
       res.status('200');
       return { message: 'ok' };
@@ -251,6 +251,29 @@ describe('Cloud Code', () => {
     }
   });
 
+  it('res.status() throws error for NaN status code', async () => {
+    Parse.Cloud.define('nanStatus', (req, res) => {
+      res.status(NaN);
+      return { message: 'ok' };
+    });
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/functions/nanStatus',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: {},
+      });
+      fail('Expected request to fail');
+    } catch (response) {
+      expect(response.status).toEqual(400);
+    }
+  });
+
   it('res.set() throws error for non-string header name', async () => {
     Parse.Cloud.define('invalidHeaderName', (req, res) => {
       res.set(123, 'value');
@@ -320,6 +343,75 @@ describe('Cloud Code', () => {
     }
   });
 
+  it('res.set() throws error for empty header name', async () => {
+    Parse.Cloud.define('emptyHeaderName', (req, res) => {
+      res.set('   ', 'value');
+      return { message: 'ok' };
+    });
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/functions/emptyHeaderName',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: {},
+      });
+      fail('Expected request to fail');
+    } catch (response) {
+      expect(response.status).toEqual(400);
+    }
+  });
+
+  it('res.set() throws error for prototype pollution header names', async () => {
+    Parse.Cloud.define('protoHeaderName', (req, res) => {
+      res.set('__proto__', 'value');
+      return { message: 'ok' };
+    });
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/functions/protoHeaderName',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: {},
+      });
+      fail('Expected request to fail');
+    } catch (response) {
+      expect(response.status).toEqual(400);
+    }
+  });
+
+  it('res.set() throws error for CRLF in header value', async () => {
+    Parse.Cloud.define('crlfHeaderValue', (req, res) => {
+      res.set('X-Custom-Header', 'value\r\nX-Injected: bad');
+      return { message: 'ok' };
+    });
+
+    try {
+      await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/functions/crlfHeaderValue',
+        headers: {
+          'X-Parse-Application-Id': 'test',
+          'X-Parse-REST-API-Key': 'rest',
+          'Content-Type': 'application/json',
+        },
+        body: {},
+      });
+      fail('Expected request to fail');
+    } catch (response) {
+      expect(response.status).toEqual(400);
+    }
+  });
+
   it('can get config', () => {
     const config = Parse.Server;
     let currentConfig = Config.get('test');
diff --git a/src/Routers/FunctionsRouter.js b/src/Routers/FunctionsRouter.js
@@ -12,12 +12,12 @@ import { logger } from '../logger';
 class CloudResponse {
   constructor() {
     this._status = null;
-    this._headers = {};
+    this._headers = Object.create(null);
   }
 
   status(code) {
-    if (typeof code !== 'number') {
-      throw new Error('Status code must be a number');
+    if (!Number.isInteger(code)) {
+      throw new Error('Status code must be an integer');
     }
     if (code < 100 || code > 599) {
       throw new Error('Status code must be between 100 and 599');
@@ -30,10 +30,22 @@ class CloudResponse {
     if (typeof name !== 'string') {
       throw new Error('Header name must be a string');
     }
+    const headerName = name.trim();
+    if (!headerName) {
+      throw new Error('Header name must not be empty');
+    }
+    if (headerName === '__proto__' || headerName === 'constructor' || headerName === 'prototype') {
+      throw new Error('Invalid header name');
+    }
     if (value === undefined || value === null) {
       throw new Error('Header value must be defined');
     }
-    this._headers[name] = value;
+    const headerValue = Array.isArray(value) ? value.map(v => String(v)) : String(value);
+    const values = Array.isArray(headerValue) ? headerValue : [headerValue];
+    if (values.some(v => /[\r\n]/.test(v))) {
+      throw new Error('Header value must not contain CRLF');
+    }
+    this._headers[headerName] = headerValue;
     return this;
   }
 
