lib/protoparser/opentelemetry/firehose: escape requestID before returning it to user (#6451)

All user input should be sanitized before rendering. This should prevent
possible attacks. See
https://github.com/VictoriaMetrics/VictoriaMetrics/security/code-scanning/203

Signed-off-by: hagen1778 <roman@victoriametrics.com>
Roman Khavronenko 2024-06-10 16:55:59 +02:00 committed by GitHub
parent 253c0cffbe
commit cd1aca217c


@ -2,6 +2,7 @@ package firehose
import ( import (
"fmt" "fmt"
"html"
"net/http" "net/http"
"time" "time"
) )
@ -12,11 +13,12 @@ import (
func WriteSuccessResponse(w http.ResponseWriter, r *http.Request) { func WriteSuccessResponse(w http.ResponseWriter, r *http.Request) {
requestID := r.Header.Get("X-Amz-Firehose-Request-Id") requestID := r.Header.Get("X-Amz-Firehose-Request-Id")
if requestID == "" { if requestID == "" {
// This isn't a AWS firehose request - just return an empty response in this case. // This isn't an AWS firehose request - just return an empty response in this case.
w.WriteHeader(http.StatusOK) w.WriteHeader(http.StatusOK)
return return
} }
requestID = html.EscapeString(requestID)
body := fmt.Sprintf(`{"requestId":%q,"timestamp":%d}`, requestID, time.Now().UnixMilli()) body := fmt.Sprintf(`{"requestId":%q,"timestamp":%d}`, requestID, time.Now().UnixMilli())
h := w.Header() h := w.Header()