Fix CodeQL log injection warning
by removing newlines from logged user input.
This commit is contained in:
Maximilian Paß
committed by
Sebastian Serth
Sebastian Serth
parent
97a2311a74
commit
1e59c1146e
@ -27,7 +27,8 @@ func HTTPAuthenticationMiddleware(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
token := r.Header.Get(TokenHeader)
|
||||
if subtle.ConstantTimeCompare([]byte(token), correctAuthenticationToken) == 0 {
|
||||
log.WithField("token", token).Warn("Incorrect token")
|
||||
log.WithField("token", logging.RemoveNewlineSymbol(token)).
|
||||
Warn("Incorrect token")
|
||||
w.WriteHeader(http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
@ -8,10 +8,12 @@ import (
|
||||
"github.com/openHPI/poseidon/internal/config"
|
||||
"github.com/openHPI/poseidon/internal/runner"
|
||||
"github.com/openHPI/poseidon/pkg/dto"
|
||||
"github.com/openHPI/poseidon/pkg/logging"
|
||||
"github.com/openHPI/poseidon/pkg/monitoring"
|
||||
"io"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
const (
|
||||
@ -58,7 +60,8 @@ func (r *RunnerController) provide(writer http.ResponseWriter, request *http.Req
|
||||
case errors.Is(err, runner.ErrUnknownExecutionEnvironment):
|
||||
writeNotFound(writer, err)
|
||||
case errors.Is(err, runner.ErrNoRunnersAvailable):
|
||||
log.WithField("environment", environmentID).Warn("No runners available")
|
||||
log.WithField("environment", logging.RemoveNewlineSymbol(strconv.Itoa(int(environmentID)))).
|
||||
Warn("No runners available")
|
||||
writeInternalServerError(writer, err, dto.ErrorNomadOverload)
|
||||
default:
|
||||
writeInternalServerError(writer, err, dto.ErrorUnknown)
|
||||
|
||||
@ -8,6 +8,7 @@ import (
|
||||
"github.com/gorilla/websocket"
|
||||
"github.com/openHPI/poseidon/internal/runner"
|
||||
"github.com/openHPI/poseidon/pkg/dto"
|
||||
"github.com/openHPI/poseidon/pkg/logging"
|
||||
"github.com/openHPI/poseidon/pkg/monitoring"
|
||||
"io"
|
||||
"net/http"
|
||||
@ -357,7 +358,9 @@ func (r *RunnerController) connectToRunner(writer http.ResponseWriter, request *
|
||||
return
|
||||
}
|
||||
|
||||
log.WithField("runnerId", targetRunner.ID()).WithField("executionID", executionID).Info("Running execution")
|
||||
log.WithField("runnerId", targetRunner.ID()).
|
||||
WithField("executionID", logging.RemoveNewlineSymbol(executionID)).
|
||||
Info("Running execution")
|
||||
exit, cancel, err := targetRunner.ExecuteInteractively(executionID, proxy.Stdin, proxy.Stdout, proxy.Stderr)
|
||||
if err != nil {
|
||||
proxy.closeWithError(fmt.Sprintf("execution failed with: %v", err))
|
||||
|
||||
Reference in New Issue
Block a user