devenv: Solving two of the code scanning fails (#43084)
* Solving two of the code scanning fails. Removes new lines from user input that is logged. Fixes CWE-117 from CodeQL. * Remove newlines from request headers. * Mask cookie value in header. * Comment out logging of headers to solve CWE-117. Instructions added on uncommenting the log statement and on rebuilding the docker container.
This commit is contained in:
parent
1008d46304
commit
e993f0c62e
@ -6,6 +6,7 @@ import (
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"net/http"
|
||||
"strings"
|
||||
)
|
||||
|
||||
func hello(w http.ResponseWriter, r *http.Request) {
|
||||
@ -14,7 +15,8 @@ func hello(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
line := fmt.Sprintf("webbhook: -> %s", string(body))
|
||||
safeBody := strings.Replace(string(body), "\n", "", -1)
|
||||
line := fmt.Sprintf("webbhook: -> %s", safeBody)
|
||||
fmt.Println(line)
|
||||
if _, err := io.WriteString(w, line); err != nil {
|
||||
log.Printf("Failed to write: %v", err)
|
||||
|
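Review bot: `safeBody := strings.Replace(string(body), "\n", "", -1)` strips only LF, so a carriage return in the request body still reaches the log line unsanitized; the CodeQL CWE-117 finding is closed, but a `\r`-only line break is still possible in terminals and some log viewers. Remove both terminators in one pass, `safeBody := strings.NewReplacer("\r", "", "\n", "").Replace(string(body))`, or, if the echoed format is not relied on, format with `%q` so every control byte is escaped. Note that `line` is both printed and written back via `io.WriteString(w, line)`, so any change to its format also changes the response body. The enclosing `hello` handler starts and ends outside this hunk.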
@ -6,6 +6,7 @@ import (
|
||||
"net/http/httputil"
|
||||
"net/url"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
)
|
||||
|
||||
@ -31,7 +32,17 @@ func main() {
|
||||
proxy := httputil.NewSingleHostReverseProxy(originURL)
|
||||
|
||||
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
|
||||
log.Printf("sleeping for %s then proxying request: url '%s', headers: '%v'", sleep.String(), r.RequestURI, r.Header)
|
||||
safeSleep := strings.Replace(sleep.String(), "\n", "", -1)
|
||||
safeRequestUri := strings.Replace(r.RequestURI, "\n", "", -1)
|
||||
log.Printf("sleeping for %s then proxying request: url '%s'", safeSleep, safeRequestUri)
|
||||
|
||||
// This is commented out as CodeQL flags this as vulnerability CWE-117 (https://cwe.mitre.org/data/definitions/117.html)
|
||||
// If you need to debug and log the headers then use the line below instead of the log.Printf statement above
|
||||
// The docker container will then need to be rebuilt after the change is made:
|
||||
// Run `make devenv sources=slow_proxy`
|
||||
// or run `docker-compose build` in the devenv folder
|
||||
//
|
||||
// log.Printf("sleeping for %s then proxying request: url '%s', headers: '%v'", safeSleep, safeRequestUri, r.Header)
|
||||
<-time.After(sleep)
|
||||
proxy.ServeHTTP(w, r)
|
||||
})
|
||||
|
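Review bot: `safeRequestUri := strings.Replace(r.RequestURI, "\n", "", -1)` removes only LF, so a CR in the request line survives into the log, and the identifier should be `safeRequestURI` under Go's initialism convention. Formatting with `%q` covers every control byte without a helper: `log.Printf("sleeping for %s then proxying request: url %q", sleep, r.RequestURI)`. The `safeSleep` line can go: `sleep` is passed to `time.After`, so it is a `time.Duration`, whose `String()` never contains a newline. The commented-out line at the end of the block would print `r.Header` verbatim if restored, including `Cookie` and `Authorization` values, so the instruction comment should add `// NOTE: r.Header carries Cookie/Authorization values; redact them before re-enabling this line.` `main` starts outside this hunk.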