fix(integrations): Validate webhook header count and name characters

Two gaps in the custom webhook headers validator:

- No upper bound on the number of headers allowed a user to configure
  hundreds, inflating every outgoing webhook request and the stored
  ArrayField without limit. Cap at 20.
- Header names were only checked for CR/LF (header injection) but not
  for RFC 7230 token characters. urllib3 does not validate names before
  sending, so a control character embedded in an x-* name (e.g.
  X-Evil\x01Header) would be sent verbatim. Add _HTTP_TOKEN_RE to
  enforce the token character set after partitioning the name.

Three new tests cover the count limit, a control-character name, and a
space in a header name.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: billyvg

src/sentry/sentry_apps/api/parsers/sentry_app.py

@@ -1,4 +1,5 @@
 import logging
+import re
 
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema_field, extend_schema_serializer
@@ -19,6 +20,10 @@
 # and common custom-header names. Names are compared case-insensitively.
 ALLOWED_WEBHOOK_HEADERS = frozenset({"authorization", "user-agent", "accept", "date", "prefer"})
 
+# RFC 7230 §3.2.6 — header field names are "tokens": letters, digits, and
+# the limited punctuation set below. Excludes separators and control chars.
+_HTTP_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~A-Za-z0-9]+$")
+
 # Headers Sentry owns, or transport/proxy identity headers that must not be
 # user-controlled. The "sentry-hook" prefix is also blocked.
 RESERVED_WEBHOOK_HEADERS = frozenset(
@@ -226,6 +231,8 @@ def validate_allowedOrigins(self, value):
         return value
 
     def validate_webhookHeaders(self, value):
+        if len(value) > 20:
+            raise ValidationError("Cannot configure more than 20 custom webhook headers.")
         seen_names = set()
         for header in value:
             # Reject CR/LF to prevent header injection / request splitting.
@@ -237,6 +244,11 @@ def validate_webhookHeaders(self, value):
                 raise ValidationError(
                     f"Invalid webhook header '{header}'. Use the format 'Header-Name: value'."
                 )
+            if not _HTTP_TOKEN_RE.match(name):
+                raise ValidationError(
+                    f"'{name}' contains invalid characters. Header names must only use "
+                    "letters, digits, and the punctuation characters !#$%&'*+-.^_`|~"
+                )
             normalized = name.lower()
             if normalized in RESERVED_WEBHOOK_HEADERS or normalized.startswith(
                 RESERVED_WEBHOOK_HEADER_PREFIXES

tests/sentry/sentry_apps/api/endpoints/test_sentry_apps.py

@@ -824,6 +824,24 @@ def test_create_integration_with_duplicate_webhook_header(self) -> None:
         )
         assert "webhookHeaders" in response.data
 
+    def test_create_integration_with_too_many_webhook_headers(self) -> None:
+        headers = [f"X-Header-{i}: value" for i in range(21)]
+        response = self.get_error_response(**self.get_data(webhookHeaders=headers), status_code=400)
+        assert "webhookHeaders" in response.data
+
+    def test_create_integration_with_invalid_header_name_chars(self) -> None:
+        # Control characters in header names are not valid RFC 7230 tokens.
+        response = self.get_error_response(
+            **self.get_data(webhookHeaders=["X-Evil\x01Header: value"]), status_code=400
+        )
+        assert "webhookHeaders" in response.data
+
+    def test_create_integration_with_space_in_header_name(self) -> None:
+        response = self.get_error_response(
+            **self.get_data(webhookHeaders=["X Bad Name: value"]), status_code=400
+        )
+        assert "webhookHeaders" in response.data
+
     def test_members_cant_create(self) -> None:
         # create extra owner because we are demoting one
         self.create_member(organization=self.organization, user=self.create_user(), role="owner")