devenv: Solving two of the code scanning fails (#43084)

* Solving two of the code scanning fails

Removes new lines from user input that is logged. Fixes CWE-117 from CodeQL

* remove newlines from request headers

* mask cookie value in header

* comment out logging of headers to solve CWE-117

Instructions added on uncommenting the log statement and on rebuilding the docker container
This commit is contained in:
Daniel Lee 2021-12-21 11:36:21 +01:00 committed by GitHub
parent 1008d46304
commit e993f0c62e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 2 deletions


@ -6,6 +6,7 @@ import (
"io/ioutil"
"log"
"net/http"
"strings"
)
func hello(w http.ResponseWriter, r *http.Request) {
@ -14,7 +15,8 @@ func hello(w http.ResponseWriter, r *http.Request) {
return
}
line := fmt.Sprintf("webbhook: -> %s", string(body))
safeBody := strings.Replace(string(body), "\n", "", -1)
line := fmt.Sprintf("webbhook: -> %s", safeBody)
fmt.Println(line)
if _, err := io.WriteString(w, line); err != nil {
log.Printf("Failed to write: %v", err)
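Review bot: The replacement on the `safeBody` line strips only `\n`, so a request body containing `\r` still reaches the log unchanged and can still forge a line break in terminals and log viewers that honour a bare carriage return, which is the same CWE-117 pattern CodeQL flagged; the same gap applies to `safeSleep` and `safeRequestUri` in the slow_proxy hunk. Formatting with `%q` escapes every control character in one step, `line := fmt.Sprintf("webbhook: -> %q", body)`, or the explicit form can cover both characters with `safeBody := strings.NewReplacer("\r", "", "\n", "").Replace(string(body))`. Note that `line` is also echoed back to the client by `io.WriteString(w, line)` on the following line, so whichever sanitisation is chosen here also shapes the response body. The enclosing `hello` function begins above the hunk and its body continues past it.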


@ -6,6 +6,7 @@ import (
"net/http/httputil"
"net/url"
"os"
"strings"
"time"
)
@ -31,7 +32,17 @@ func main() {
proxy := httputil.NewSingleHostReverseProxy(originURL)
http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
log.Printf("sleeping for %s then proxying request: url '%s', headers: '%v'", sleep.String(), r.RequestURI, r.Header)
safeSleep := strings.Replace(sleep.String(), "\n", "", -1)
safeRequestUri := strings.Replace(r.RequestURI, "\n", "", -1)
log.Printf("sleeping for %s then proxying request: url '%s'", safeSleep, safeRequestUri)
// This is commented out as CodeQL flags this as vulnerability CWE-117 (https://cwe.mitre.org/data/definitions/117.html)
// If you need to debug and log the headers then use the line below instead of the log.Printf statement above
// The docker container will then need to be rebuilt after the change is made:
// Run `make devenv sources=slow_proxy`
// or run `docker-compose build` in the devenv folder
//
// log.Printf("sleeping for %s then proxying request: url '%s', headers: '%v'", safeSleep, safeRequestUri, r.Header)
<-time.After(sleep)
proxy.ServeHTTP(w, r)
})
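Review bot: The `safeSleep` sanitisation is dead work: `sleep` is handed to `time.After(sleep)` two lines below the comment block, so it is a `time.Duration` whose `String()` output is produced by the standard library and cannot contain a newline; logging `sleep` directly keeps the line honest about which value is actually untrusted. For the commented-out header line, a `%q` verb escapes CR/LF inside every header value (fmt applies the verb to map and slice elements), so the debugging statement could stay live instead of requiring a container rebuild: `log.Printf("sleeping for %s then proxying request: url %q, headers: %q", sleep, r.RequestURI, r.Header)`. Go naming also spells the initialism in `safeRequestUri` as `safeRequestURI`. The enclosing `main` function begins above the hunk; the handler closure opened on the `http.HandleFunc` line closes at `})`.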