From add48d7a5a8e40b802225d8cc995e1fbd68714f6 Mon Sep 17 00:00:00 2001
From: Andrea Mazzotti
Date: Thu, 12 Oct 2023 14:29:55 +0200
Subject: [PATCH] HTML Escape path strings
Signed-off-by: Andrea Mazzotti
---
internal/api/elementalhost_controller.go | 23 ++++++++++---------
.../api/elementalregistration_controller.go | 5 ++--
2 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/internal/api/elementalhost_controller.go b/internal/api/elementalhost_controller.go
index aed169e8..b9f2082a 100644
--- a/internal/api/elementalhost_controller.go
+++ b/internal/api/elementalhost_controller.go
@@ -3,6 +3,7 @@ package api
 import (
 "encoding/json"
 "fmt"
+ "html"
 "net/http"
 "github.com/go-logr/logr"
@@ -50,9 +51,9 @@ func (h *PatchElementalHostHandler) SetupOpenAPIOperation(oc openapi.OperationCo
 func (h *PatchElementalHostHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 pathVars := mux.Vars(request)
- namespace := pathVars["namespace"]
- registrationName := pathVars["registrationName"]
- hostName := pathVars["hostName"]
+ namespace := html.EscapeString(pathVars["namespace"])
+ registrationName := html.EscapeString(pathVars["registrationName"])
+ hostName := html.EscapeString(pathVars["hostName"])
 logger := h.logger.WithValues(log.KeyNamespace, namespace).
 WithValues(log.KeyElementalRegistration, registrationName).
@@ -184,8 +185,8 @@ func (h *PostElementalHostHandler) SetupOpenAPIOperation(oc openapi.OperationCon
 func (h *PostElementalHostHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 pathVars := mux.Vars(request)
- namespace := pathVars["namespace"]
- registrationName := pathVars["registrationName"]
+ namespace := html.EscapeString(pathVars["namespace"])
+ registrationName := html.EscapeString(pathVars["registrationName"])
 logger := h.logger.WithValues(log.KeyNamespace, namespace).
 WithValues(log.KeyElementalRegistration, registrationName)
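Review bot: In `PatchElementalHostHandler.ServeHTTP` the path variables are entity-encoded with `html.EscapeString` at the point they are read, so every later use in the handler gets the rewritten string, including the `h.logger.WithValues(...)` calls in the context lines and whatever lookups follow outside the hunk. HTML escaping is an output encoding for an HTML sink, not input validation: a value containing `<`, `>`, `&` or a quote becomes a different identifier, and the log record no longer shows what the client sent. I would keep the raw values, reject any that are not valid object names with a 400 whose body does not echo the input, and encode only where a value is written into a response; the sketch below assumes these are Kubernetes object names and that `k8s.io/apimachinery/pkg/util/validation` is available to this package. The Post handler's hunk, the Delete and GetElementalHostBootstrap hunks and the GetElementalRegistration hunk in the second file have the same issue, and `ServeHTTP` continues past the end of each hunk.

```go
pathVars := mux.Vars(request)
namespace := pathVars["namespace"]
registrationName := pathVars["registrationName"]
hostName := pathVars["hostName"]

// Reject malformed identifiers instead of rewriting them; the error body is a
// fixed string so nothing client-controlled is reflected back.
for _, name := range []string{namespace, registrationName, hostName} {
	if errs := validation.IsDNS1123Subdomain(name); len(errs) > 0 {
		http.Error(response, "invalid path parameter", http.StatusBadRequest)
		return
	}
}
// … unchanged: logger setup with WithValues …
```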
@@ -277,9 +278,9 @@ func (h *DeleteElementalHostHandler) SetupOpenAPIOperation(oc openapi.OperationC
 func (h *DeleteElementalHostHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 pathVars := mux.Vars(request)
- namespace := pathVars["namespace"]
- registrationName := pathVars["registrationName"]
- hostName := pathVars["hostName"]
+ namespace := html.EscapeString(pathVars["namespace"])
+ registrationName := html.EscapeString(pathVars["registrationName"])
+ hostName := html.EscapeString(pathVars["hostName"])
 logger := h.logger.WithValues(log.KeyNamespace, namespace).
 WithValues(log.KeyElementalRegistration, registrationName).
@@ -363,9 +364,9 @@ func (h *GetElementalHostBootstrapHandler) SetupOpenAPIOperation(oc openapi.Oper
 func (h *GetElementalHostBootstrapHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 pathVars := mux.Vars(request)
- namespace := pathVars["namespace"]
- registrationName := pathVars["registrationName"]
- hostName := pathVars["hostName"]
+ namespace := html.EscapeString(pathVars["namespace"])
+ registrationName := html.EscapeString(pathVars["registrationName"])
+ hostName := html.EscapeString(pathVars["hostName"])
 logger := h.logger.WithValues(log.KeyNamespace, namespace).
 WithValues(log.KeyElementalRegistration, registrationName).
diff --git a/internal/api/elementalregistration_controller.go b/internal/api/elementalregistration_controller.go
index 5cc5ec86..933fabf9 100644
--- a/internal/api/elementalregistration_controller.go
+++ b/internal/api/elementalregistration_controller.go
@@ -3,6 +3,7 @@ package api
 import (
 "encoding/json"
 "fmt"
+ "html"
 "net/http"
 "github.com/go-logr/logr"
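Review bot: The read-and-escape sequence for `namespace`, `registrationName` and `hostName` in `DeleteElementalHostHandler.ServeHTTP` is the same three lines as in the Patch and GetElementalHostBootstrap handlers, with a two-variable variant in two more, so the handling of client-controlled path segments now lives in five copies. A single unexported helper, called as for example `namespace, registrationName, hostName := hostPathVars(request)` (the name is only a suggestion), would give one place to change and one place to unit-test against malformed input. Each `ServeHTTP` body continues outside its hunk, so this is based only on the opening lines shown.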
@@ -45,8 +46,8 @@ func (h *GetElementalRegistrationHandler) SetupOpenAPIOperation(oc openapi.Opera
 func (h *GetElementalRegistrationHandler) ServeHTTP(response http.ResponseWriter, request *http.Request) {
 pathVars := mux.Vars(request)
- namespace := pathVars["namespace"]
- registrationName := pathVars["registrationName"]
+ namespace := html.EscapeString(pathVars["namespace"])
+ registrationName := html.EscapeString(pathVars["registrationName"])
 logger := h.logger.WithValues(log.KeyNamespace, namespace).
 WithValues(log.KeyElementalRegistration, registrationName)