superagent
Polluting the Response object from a malicious content-type value
Hi!
I was looking at the source code (to build a flow libdef for the project), and found this line: https://github.com/visionmedia/superagent/blob/db35cdcdb4c9ed388679034dfaceec8e0f41144c/src/response-base.js#L76
My concern is that I believe it can be abused by a rogue server to override existing properties on the object.
I'm not a security expert so I don't know what the implications are or could be.
What's your analysis?
If we're interested in charset, maybe we should whitelist it?
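A small reproduction of the concern raised above, as an added example and not code from superagent itself. It models the pattern at the linked line (Content-Type parameters copied onto the response object by key) with a simplified stand-in parser, `parseParams`, which is an assumption here rather than the library's own `utils.params`; `applyUnsafe` mirrors the `for (key in params) this[key] = params[key]` shape, and `applySafe` is the whitelisting alternative the question suggests.

```javascript
// Added illustration, not superagent's own code. It models the pattern the
// issue points at: Content-Type parameters copied onto the response object by key.

// Stand-in for a params parser (assumed shape, not the project's implementation):
// "text/html; charset=utf-8; status=200" -> { charset: 'utf-8', status: '200' }
function parseParams(contentType) {
  const params = {};
  for (const piece of contentType.split(/ *; */).slice(1)) {
    const idx = piece.indexOf('=');
    if (idx === -1) continue; // ignore malformed parameter with no '='
    params[piece.slice(0, idx).trim()] = piece.slice(idx + 1).trim();
  }
  return params;
}

// Unsafe pattern: every parameter name the server chooses becomes a property
// on the response object, so existing fields such as `status` can be clobbered.
function applyUnsafe(res, contentType) {
  const params = parseParams(contentType);
  for (const key in params) res[key] = params[key];
  return res;
}

// Hardened variant: only parameters the client actually cares about are copied.
const ALLOWED_PARAMS = new Set(['charset']);
function applySafe(res, contentType) {
  const params = parseParams(contentType);
  for (const key of Object.keys(params)) {
    if (ALLOWED_PARAMS.has(key)) res[key] = params[key];
  }
  return res;
}

// Constructed header from a hostile server: it smuggles `status` and `ok`
// as Content-Type parameters to overwrite fields the client already set.
function demo() {
  const header = 'text/html; charset=utf-8; status=200; ok=true';
  const unsafe = applyUnsafe({ status: 500, ok: false }, header);
  const safe = applySafe({ status: 500, ok: false }, header);
  return { unsafe, safe };
}

const result = demo();
console.log('unsafe:', result.unsafe); // status and ok replaced by server-chosen strings
console.log('safe:  ', result.safe);   // only charset copied; status and ok untouched
```

With the unsafe variant, a response that the client recorded as a 500 failure is reported as `status: '200'` (a string, which also silently changes the type of the field); the whitelisted variant copies only `charset`.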