Fix CodeQL log injection warning

by removing newlines from logged user input.
This commit is contained in:
Maximilian Paß
2022-06-01 18:21:41 +02:00
committed by Sebastian Serth
parent 97a2311a74
commit 1e59c1146e
4 changed files with 20 additions and 5 deletions


@ -8,6 +8,7 @@ import (
"net"
"net/http"
"os"
"strings"
"time"
)
@ -70,7 +71,7 @@ func (writer *loggingResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, erro
func HTTPLoggingMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
start := time.Now().UTC()
path := r.URL.Path
path := RemoveNewlineSymbol(r.URL.Path)
lrw := NewLoggingResponseWriter(w)
next.ServeHTTP(lrw, r)
@ -81,7 +82,7 @@ func HTTPLoggingMiddleware(next http.Handler) http.Handler {
"method": r.Method,
"path": path,
"duration": latency,
"user_agent": r.UserAgent(),
"user_agent": RemoveNewlineSymbol(r.UserAgent()),
})
if lrw.StatusCode >= http.StatusInternalServerError {
logEntry.Error("Failing " + path)
@ -90,3 +91,10 @@ func HTTPLoggingMiddleware(next http.Handler) http.Handler {
}
})
}
// RemoveNewlineSymbol GOOD: remove newlines from user controlled input before logging
func RemoveNewlineSymbol(data string) string {
data = strings.ReplaceAll(data, "\r", "")
data = strings.ReplaceAll(data, "\n", "")
return data
}
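Review bot: RemoveNewlineSymbol strips only CR and LF, so other control characters in r.URL.Path or the User-Agent header (a terminal escape sequence, a backspace, a NUL) still reach the log entry and can mangle or disguise lines for anyone reading the log in a terminal; dropping every control rune via strings.Map closes that gap while keeping the signature unchanged. The doc comment also carries the `GOOD:` marker copied from the CodeQL example and should instead read `// RemoveNewlineSymbol strips control characters (including CR and LF) from user-controlled input before it is logged, so a request cannot forge or corrupt log lines.` The broader filter needs `"unicode"` added to the import block in the first hunk, and the exported name then understates what the function does, so a rename is worth considering once callers are known. Whether logEntry's formatter already quotes field values is not visible here, but the `"Failing " + path` message is assembled by hand and relies entirely on this function.
```go
func RemoveNewlineSymbol(data string) string {
	return strings.Map(func(r rune) rune {
		// Drop every control character, not just CR/LF, so nothing in the
		// request can inject line breaks or terminal control sequences.
		if unicode.IsControl(r) {
			return -1
		}
		return r
	}, data)
}
```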