From bd5d225a94a3e2086101bda5754fc979dc6e36bb Mon Sep 17 00:00:00 2001
From: Anthony Rubick <68485672+AnthonyMichaelTDM@users.noreply.github.com>
Date: Fri, 1 Aug 2025 02:12:50 -0700
Subject: [PATCH] fix: out of bounds index when rewriting websocket headers

---
 src/mod/dynamicproxy/rewrite/rewrite.go | 4 ++++
 src/mod/websocketproxy/websocketproxy.go | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/src/mod/dynamicproxy/rewrite/rewrite.go b/src/mod/dynamicproxy/rewrite/rewrite.go
index 52583d4..9b9dd53 100644
--- a/src/mod/dynamicproxy/rewrite/rewrite.go
+++ b/src/mod/dynamicproxy/rewrite/rewrite.go
@@ -75,5 +75,9 @@ func SplitUpDownStreamHeaders(rewriteOptions *HeaderRewriteOptions) ([][]string,
 downstreamHeaderCounter++
 }

+ // Slice the arrays to only include the filled portions to prevent nil slice access
+ upstreamHeaders = upstreamHeaders[:upstreamHeaderCounter]
+ downstreamHeaders = downstreamHeaders[:downstreamHeaderCounter]
+
 return upstreamHeaders, downstreamHeaders
 }
diff --git a/src/mod/websocketproxy/websocketproxy.go b/src/mod/websocketproxy/websocketproxy.go
index e116c18..386349f 100644
--- a/src/mod/websocketproxy/websocketproxy.go
+++ b/src/mod/websocketproxy/websocketproxy.go
@@ -211,6 +211,10 @@ func (w *WebsocketProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 UserDefinedHeaders: rewrittenUserDefinedHeaders,
 })
 for _, headerValuePair := range upstreamHeaders {
+ //Skip empty header pairs
+ if len(headerValuePair) < 2 {
+ continue
+ }
 //Do not copy Upgrade and Connection headers, it will be handled by the upgrader
 if strings.EqualFold(headerValuePair[0], "Upgrade") || strings.EqualFold(headerValuePair[0], "Connection") {
 continue
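Review bot: The comment added above the reslice in SplitUpDownStreamHeaders says it prevents "nil slice access", which does not describe the failure: the outer slices are not nil, it is the unfilled entries past the two counters that are presumably nil `[]string` values, and a consumer indexing `pair[0]` on one of them panics. A more accurate comment would be `// Trim to the entries actually filled; the tail past the counters holds empty pairs that consumers index without a length check`. The allocation and the fill loop are outside the hunk, so this is inferred from the counters; if the slices are pre-sized with make, building them with append would remove both the counters and the need to trim. A regression test with a rule set that leaves one side partly unfilled would pin the fix.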
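Review bot: The new `len(headerValuePair) < 2` guard in ServeHTTP drops a short pair without any trace, so a malformed or partly filled rewrite rule would silently stop being applied on websocket upgrades, which matters if the rule carries a header the backend relies on. Because SplitUpDownStreamHeaders trims its unfilled tail in this same commit, a short pair reaching this loop would now indicate a producer bug, so the skip deserves a log line or at least a comment marking it as defence in depth, e.g. `// Defensive: pairs should always be [name, value]; skip anything shorter rather than panic in the request path`. The loop body continues past the end of the hunk, so the use of index 1 is not visible here. downstreamHeaders comes from the same function; any loop that indexes its pairs should get the same length check, though no such loop is visible in this patch.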