From cd1aca217cf3b44bf4bc38ac71400ec6aa9bd579 Mon Sep 17 00:00:00 2001
From: Roman Khavronenko
Date: Mon, 10 Jun 2024 16:55:59 +0200
Subject: [PATCH] lib/protoparser/opentelemetry/firehose: escape requestID before returning it to user (#6451)

All user input should be sanitized before rendering. This should prevent possible attacks.
See https://github.com/VictoriaMetrics/VictoriaMetrics/security/code-scanning/203

Signed-off-by: hagen1778
---
 lib/protoparser/opentelemetry/firehose/http.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/protoparser/opentelemetry/firehose/http.go b/lib/protoparser/opentelemetry/firehose/http.go
index a222e7279..d17b14a0d 100644
--- a/lib/protoparser/opentelemetry/firehose/http.go
+++ b/lib/protoparser/opentelemetry/firehose/http.go
@@ -2,6 +2,7 @@ package firehose
 
 import (
 	"fmt"
+	"html"
 	"net/http"
 	"time"
 )
@@ -12,11 +13,12 @@ import (
 func WriteSuccessResponse(w http.ResponseWriter, r *http.Request) {
 	requestID := r.Header.Get("X-Amz-Firehose-Request-Id")
 	if requestID == "" {
-		// This isn't a AWS firehose request - just return an empty response in this case.
+		// This isn't an AWS firehose request - just return an empty response in this case.
 		w.WriteHeader(http.StatusOK)
 		return
 	}
+	requestID = html.EscapeString(requestID)
 	body := fmt.Sprintf(`{"requestId":%q,"timestamp":%d}`, requestID, time.Now().UnixMilli())
 	h := w.Header()
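Review bot: `html` is the wrong escaper for this file: its only use, `requestID = html.EscapeString(requestID)` in the second hunk, feeds a value into a JSON body (`{"requestId":%q,...}`), not an HTML document, so `&`, `<`, `>`, `'` and `"` are rewritten to entities and the requestId echoed back no longer matches the `X-Amz-Firehose-Request-Id` header the caller sent, while the injection the scanner flagged is unaffected because `%q` already quotes the value. What `%q` does not guarantee is valid JSON: `strconv.Quote`-style output uses `\xNN` for control and non-UTF-8 bytes (obs-text in a header value can reach here), which JSON parsers reject. Encode the response with `encoding/json` instead and drop the `html` import; the rest of WriteSuccessResponse, including how `body` is written, lies outside the hunk, so `body` becoming `[]byte` may need a matching change there.
```go
	// … unchanged: empty-requestID early return …
	// Encode as JSON rather than HTML-escaping: the body is JSON, and Firehose
	// expects requestId to echo the request header verbatim.
	body, err := json.Marshal(struct {
		RequestID string `json:"requestId"`
		Timestamp int64  `json:"timestamp"`
	}{RequestID: requestID, Timestamp: time.Now().UnixMilli()})
	if err != nil {
		w.WriteHeader(http.StatusInternalServerError)
		return
	}
	h := w.Header()
```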