feat(llc): Sanitize X-Stream-Client to prevent customers overriding internal values#2790

Draft
VelikovPetar wants to merge 3 commits into
masterfrom
feature/sanitize_x_stream_header_client
Conversation

@VelikovPetar

Contributor

Submit a pull request

CLA

  • I have signed the Stream CLA (required).
  • The code changes follow best practices
  • Code changes are tested (add some information if not applicable)

Description of the pull request

Sanitizes the X-Stream-Client header so SDK consumers can't spoof the identifying fields:

  • SystemEnvironmentManager.updateEnvironment now passes the incoming SystemEnvironment through a _sanitize step that locks sdkName, sdkVersion, and osName to internal defaults while letting appName, appVersion, osVersion, and deviceModel pass through.
  • sdkIdentifier is gated by a new _SdkIdentifier extension type with a precedence ranking — only a dart → flutter promotion is accepted; demotions and unknown values fall back to the current identifier.
  • The constructor now routes a user-supplied environment through the same updateEnvironment sanitization path instead of trusting it wholesale.
  • WebSocket query-string assembly reorders the map so X-Stream-Client is appended after queryParameters, preventing callers from overwriting it.
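The rules in the description above, worked through as an added example that is not code from the Stream SDK or from this PR. It models the three mechanisms the PR lists: locking the identifying fields to internal defaults, gating sdkIdentifier behind a precedence ranking so only a dart → flutter promotion is accepted, and building the WebSocket query map with X-Stream-Client written last so a caller-supplied entry of the same name is overwritten. The class, field and constant names (SystemEnvironment, SdkIdentifier, sanitize, buildQueryParameters, the kInternal* defaults) and the default values are assumptions for illustration.

```dart
// Added example (not the SDK's or the PR's code). All names and default
// values below are assumptions chosen to illustrate the sanitization rules.

/// Internal defaults that a caller-supplied environment must never replace.
const String kInternalSdkName = 'stream-sdk-example'; // assumed value
const String kInternalSdkVersion = '0.0.0-example'; // assumed value
const String kInternalOsName = 'os-example'; // assumed value

/// SDK identifier with a precedence ranking. Only an upgrade in rank is
/// accepted; a downgrade or an unknown value keeps the current identifier.
extension type const SdkIdentifier(String value) {
  static const dart = SdkIdentifier('dart');
  static const flutter = SdkIdentifier('flutter');

  /// Unknown identifiers rank lowest, so they can never win a comparison.
  int get precedence => switch (value) {
        'flutter' => 2,
        'dart' => 1,
        _ => 0,
      };

  /// Returns [incoming] only if it strictly outranks this identifier.
  SdkIdentifier promote(SdkIdentifier incoming) =>
      incoming.precedence > precedence ? incoming : this;
}

class SystemEnvironment {
  const SystemEnvironment({
    this.sdkName,
    this.sdkIdentifier,
    this.sdkVersion,
    this.appName,
    this.appVersion,
    this.osName,
    this.osVersion,
    this.deviceModel,
  });

  final String? sdkName;
  final String? sdkIdentifier;
  final String? sdkVersion;
  final String? appName;
  final String? appVersion;
  final String? osName;
  final String? osVersion;
  final String? deviceModel;
}

/// Merges [incoming] into [current]: identifying fields are locked, the
/// identifier is gated by precedence, and only app/device fields pass through.
SystemEnvironment sanitize(SystemEnvironment current, SystemEnvironment incoming) {
  final currentId = SdkIdentifier(current.sdkIdentifier ?? SdkIdentifier.dart.value);
  final incomingId = SdkIdentifier(incoming.sdkIdentifier ?? currentId.value);
  return SystemEnvironment(
    // Locked: whatever the caller sent for these fields is discarded.
    sdkName: kInternalSdkName,
    sdkVersion: kInternalSdkVersion,
    osName: kInternalOsName,
    // Gated: only a promotion (dart -> flutter) is accepted.
    sdkIdentifier: currentId.promote(incomingId).value,
    // Pass-through: caller values are honoured, falling back to current.
    appName: incoming.appName ?? current.appName,
    appVersion: incoming.appVersion ?? current.appVersion,
    osVersion: incoming.osVersion ?? current.osVersion,
    deviceModel: incoming.deviceModel ?? current.deviceModel,
  );
}

/// Builds the WebSocket query map with the internal header entry written
/// last, so a same-named caller entry is overwritten rather than the reverse.
Map<String, String> buildQueryParameters(
  Map<String, String> queryParameters,
  String xStreamClient,
) =>
    {...queryParameters, 'X-Stream-Client': xStreamClient};

void main() {
  const current = SystemEnvironment(sdkIdentifier: 'dart', appName: 'demo');

  // A caller attempts to rewrite the locked fields and to promote to flutter:
  // the locked fields keep their internal defaults, the promotion is accepted.
  const incoming = SystemEnvironment(
    sdkName: 'not-the-sdk',
    sdkVersion: '99.9.9',
    osName: 'other-os',
    sdkIdentifier: 'flutter',
    appVersion: '1.2.3',
  );
  final a = sanitize(current, incoming);
  print('locked: ${a.sdkName} ${a.sdkVersion} ${a.osName}');
  print('gated/pass-through: ${a.sdkIdentifier} ${a.appName} ${a.appVersion}');

  // A demotion (flutter -> dart) and an unknown value both keep 'flutter'.
  const flutterEnv = SystemEnvironment(sdkIdentifier: 'flutter');
  print(sanitize(flutterEnv, const SystemEnvironment(sdkIdentifier: 'dart')).sdkIdentifier);
  print(sanitize(flutterEnv, const SystemEnvironment(sdkIdentifier: 'bogus')).sdkIdentifier);

  // The caller's X-Stream-Client entry is replaced by the internal value.
  final q = buildQueryParameters({'X-Stream-Client': 'caller-value', 'user_id': 'u1'}, 'internal-value');
  print(q['X-Stream-Client']);
}
```

The precedence comparison is strict (`>`), which is what makes an unknown identifier (rank 0) and a demotion both fall back to the current value without a separate special case; the map spread puts the internal key after the caller's map, so Dart's last-write-wins semantics for duplicate literal keys does the overwrite.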

VelikovPetar and others added 3 commits June 25, 2026 12:27
Replace the inline string comparison in `_sanitize` with a private
`_SdkIdentifier` extension type that owns the known identifier constants
and exposes a `precedence` getter. The promotion rule becomes a single
precedence comparison and unknown identifiers cleanly fall back to the
current value via the lowest precedence.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c853ecee-3858-41e7-bd07-1eb7acaba68d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.
