fix(cache): trim qualified field names

mcollina · mcollina · commit 85a240551c9f · 2026-06-11T16:43:31.000+02:00
Signed-off-by: Matteo Collina <hello@matteocollina.com> (cherry picked from commit cb105d7)
diff --git a/lib/util/cache.js b/lib/util/cache.js
@@ -228,6 +228,10 @@ function parseCacheControlHeader (header) {
                 headers[headers.length - 1] = lastHeader
               }
 
+              for (let j = 0; j < headers.length; j++) {
+                headers[j] = headers[j].trim()
+              }
+
               if (key in output) {
                 output[key] = output[key].concat(headers)
               } else {
@@ -236,10 +240,12 @@ function parseCacheControlHeader (header) {
             }
           } else {
             // Something like `no-cache="some-header"`
+            const fieldName = value.trim()
+
             if (key in output) {
-              output[key] = output[key].concat(value)
+              output[key] = output[key].concat(fieldName)
             } else {
-              output[key] = [value]
+              output[key] = [fieldName]
             }
           }
 
diff --git a/test/cache-interceptor/utils.js b/test/cache-interceptor/utils.js
@@ -95,6 +95,37 @@ describe('parseCacheControlHeader', () => {
     })
   })
 
+  test('trims qualified no-cache and private field names', () => {
+    let directives = parseCacheControlHeader('private=" authorization"')
+    deepStrictEqual(directives, {
+      private: [
+        'authorization'
+      ]
+    })
+
+    directives = parseCacheControlHeader('no-cache="\tauthorization"')
+    deepStrictEqual(directives, {
+      'no-cache': [
+        'authorization'
+      ]
+    })
+
+    directives = parseCacheControlHeader('no-cache=authorization\t')
+    deepStrictEqual(directives, {
+      'no-cache': [
+        'authorization'
+      ]
+    })
+
+    directives = parseCacheControlHeader('private=" authorization, x-user\t"')
+    deepStrictEqual(directives, {
+      private: [
+        'authorization',
+        'x-user'
+      ]
+    })
+  })
+
   test('private with headers', () => {
     let directives = parseCacheControlHeader('max-age=10, private=some-header, only-if-cached')
     deepStrictEqual(directives, {
diff --git a/test/interceptors/cache.js b/test/interceptors/cache.js
@@ -2208,6 +2208,56 @@ describe('Cache Interceptor', () => {
       }
     })
 
+    test('does not cache response when request has Authorization and qualified no-cache/private names Authorization with OWS', async () => {
+      for (const cacheControl of [
+        'public, max-age=60, private=" authorization"',
+        'public, max-age=60, no-cache="\tauthorization"',
+        'public, max-age=60, no-cache=authorization\t'
+      ]) {
+        let requestsToOrigin = 0
+        const server = createServer({ joinDuplicateHeaders: true }, (_, res) => {
+          requestsToOrigin++
+          res.setHeader('cache-control', cacheControl)
+          res.end(`authenticated ${requestsToOrigin}`)
+        }).listen(0)
+
+        await once(server, 'listening')
+
+        const client = new Client(`http://localhost:${server.address().port}`)
+          .compose(interceptors.cache())
+
+        try {
+          const request = {
+            origin: 'localhost',
+            method: 'GET',
+            path: '/',
+            headers: {
+              authorization: 'Bearer token123'
+            }
+          }
+
+          {
+            const res = await client.request(request)
+            equal(requestsToOrigin, 1)
+            strictEqual(await res.body.text(), 'authenticated 1')
+          }
+
+          {
+            const res = await client.request({
+              origin: 'localhost',
+              method: 'GET',
+              path: '/'
+            })
+            equal(requestsToOrigin, 2)
+            strictEqual(await res.body.text(), 'authenticated 2')
+          }
+        } finally {
+          await client.close()
+          await new Promise(resolve => server.close(resolve))
+        }
+      }
+    })
+
     test('does not cache response when request has Authorization and response only has max-age', async () => {
       let requestsToOrigin = 0
       const server = createServer({ joinDuplicateHeaders: true }, (_, res) => {
diff --git a/test/issue-803.js b/test/issue-803.js
@@ -11,7 +11,9 @@ test('https://github.com/nodejs/undici/issues/803', { timeout: 60000 }, async (t
   const SIZE = 5900373096
 
   const server = createServer({ joinDuplicateHeaders: true }, async (req, res) => {
-    const chunkSize = res.writableHighWaterMark << 5
+    // Use large writes so this >32-bit Content-Length regression test does
+    // not monopolize loopback I/O when the unit suite runs concurrently.
+    const chunkSize = 16 * 1024 * 1024
     const parts = (SIZE / chunkSize) | 0
     const lastPartSize = SIZE % chunkSize
     const chunk = Buffer.allocUnsafe(chunkSize)

Original file line number	Diff line number	Diff line change
`@@ -228,6 +228,10 @@ function parseCacheControlHeader (header) {`
`228`	`228`	`headers[headers.length - 1] = lastHeader`
`229`	`229`	`}`
`230`	`230`
	`231`	`+ for (let j = 0; j < headers.length; j++) {`
	`232`	`+ headers[j] = headers[j].trim()`
	`233`	`+ }`
	`234`	`+`
`231`	`235`	`if (key in output) {`
`232`	`236`	`output[key] = output[key].concat(headers)`
`233`	`237`	`} else {`
`@@ -236,10 +240,12 @@ function parseCacheControlHeader (header) {`
`236`	`240`	`}`
`237`	`241`	`} else {`
`238`	`242`	// Something like `no-cache="some-header"`
	`243`	`+ const fieldName = value.trim()`
	`244`	`+`
`239`	`245`	`if (key in output) {`
`240`		`- output[key] = output[key].concat(value)`
	`246`	`+ output[key] = output[key].concat(fieldName)`
`241`	`247`	`} else {`
`242`		`- output[key] = [value]`
	`248`	`+ output[key] = [fieldName]`
`243`	`249`	`}`
`244`	`250`	`}`
`245`	`251`