HTML Escape path strings

Signed-off-by: Andrea Mazzotti <[email protected]>
rancher-sandbox · Oct 12, 2023 · add48d7 · add48d7
1 parent 83fe08b
commit add48d7
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 13 deletions.
diff --git a/internal/api/elementalhost_controller.go b/internal/api/elementalhost_controller.go
@@ -3,6 +3,7 @@ package api
 import (
 	"encoding/json"
 	"fmt"
+	"html"
 	"net/http"
 
 	"github.com/go-logr/logr"
@@ -50,9 +51,9 @@ func (h *PatchElementalHostHandler) SetupOpenAPIOperation(oc openapi.OperationCo
 
 func (h *PatchElementalHostHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 	pathVars := mux.Vars(request)
-	namespace := pathVars["namespace"]
-	registrationName := pathVars["registrationName"]
-	hostName := pathVars["hostName"]
+	namespace := html.EscapeString(pathVars["namespace"])
+	registrationName := html.EscapeString(pathVars["registrationName"])
+	hostName := html.EscapeString(pathVars["hostName"])
 
 	logger := h.logger.WithValues(log.KeyNamespace, namespace).
 		WithValues(log.KeyElementalRegistration, registrationName).
@@ -184,8 +185,8 @@ func (h *PostElementalHostHandler) SetupOpenAPIOperation(oc openapi.OperationCon
 
 func (h *PostElementalHostHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 	pathVars := mux.Vars(request)
-	namespace := pathVars["namespace"]
-	registrationName := pathVars["registrationName"]
+	namespace := html.EscapeString(pathVars["namespace"])
+	registrationName := html.EscapeString(pathVars["registrationName"])
 
 	logger := h.logger.WithValues(log.KeyNamespace, namespace).
 		WithValues(log.KeyElementalRegistration, registrationName)
@@ -277,9 +278,9 @@ func (h *DeleteElementalHostHandler) SetupOpenAPIOperation(oc openapi.OperationC
 
 func (h *DeleteElementalHostHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 	pathVars := mux.Vars(request)
-	namespace := pathVars["namespace"]
-	registrationName := pathVars["registrationName"]
-	hostName := pathVars["hostName"]
+	namespace := html.EscapeString(pathVars["namespace"])
+	registrationName := html.EscapeString(pathVars["registrationName"])
+	hostName := html.EscapeString(pathVars["hostName"])
 
 	logger := h.logger.WithValues(log.KeyNamespace, namespace).
 		WithValues(log.KeyElementalRegistration, registrationName).
@@ -363,9 +364,9 @@ func (h *GetElementalHostBootstrapHandler) SetupOpenAPIOperation(oc openapi.Oper
 
 func (h *GetElementalHostBootstrapHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 	pathVars := mux.Vars(request)
-	namespace := pathVars["namespace"]
-	registrationName := pathVars["registrationName"]
-	hostName := pathVars["hostName"]
+	namespace := html.EscapeString(pathVars["namespace"])
+	registrationName := html.EscapeString(pathVars["registrationName"])
+	hostName := html.EscapeString(pathVars["hostName"])
 
 	logger := h.logger.WithValues(log.KeyNamespace, namespace).
 		WithValues(log.KeyElementalRegistration, registrationName).

diff --git a/internal/api/elementalregistration_controller.go b/internal/api/elementalregistration_controller.go
@@ -3,6 +3,7 @@ package api
 import (
 	"encoding/json"
 	"fmt"
+	"html"
 	"net/http"
 
 	"github.com/go-logr/logr"
@@ -45,8 +46,8 @@ func (h *GetElementalRegistrationHandler) SetupOpenAPIOperation(oc openapi.Opera
 
 func (h *GetElementalRegistrationHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 	pathVars := mux.Vars(request)
-	namespace := pathVars["namespace"]
-	registrationName := pathVars["registrationName"]
+	namespace := html.EscapeString(pathVars["namespace"])
+	registrationName := html.EscapeString(pathVars["registrationName"])
 
 	logger := h.logger.WithValues(log.KeyNamespace, namespace).
 		WithValues(log.KeyElementalRegistration, registrationName)