Prevent potential reflected Cross-Site Scripting attack (XSS) CWE-79

ottogroup · Apr 17, 2024 · 9f9ad25 · 9f9ad25
1 parent cb57374
commit 9f9ad25
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 5 deletions.
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/ottogroup/penelope
 require (
 	cloud.google.com/go v0.112.2
 	cloud.google.com/go/bigquery v1.60.0
+	cloud.google.com/go/iam v1.1.7
 	cloud.google.com/go/logging v1.9.0
 	cloud.google.com/go/monitoring v1.18.1
 	cloud.google.com/go/storage v1.40.0
@@ -24,12 +25,12 @@ require (
 	google.golang.org/protobuf v1.33.0
 	gopkg.in/dc0d/tinykv.v4 v4.0.1
 	gopkg.in/yaml.v2 v2.4.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
 	cloud.google.com/go/compute v1.25.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v1.1.7 // indirect
 	cloud.google.com/go/longrunning v0.5.6 // indirect
 	cloud.google.com/go/trace v1.10.6 // indirect
 	github.com/apache/arrow/go/v14 v14.0.2 // indirect
@@ -78,7 +79,6 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20240401170217-c3f982113cda // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240401170217-c3f982113cda // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	mellium.im/sasl v0.3.1 // indirect
 )
 

diff --git a/pkg/http/actions/getting.go b/pkg/http/actions/getting.go
@@ -2,6 +2,7 @@ package actions
 
 import (
 	"fmt"
+	"html"
 	"net/http"
 	"strconv"
 
@@ -58,6 +59,7 @@ func (dl *GettingBackupHandler) ServeHTTP(w http.ResponseWriter, r *http.Request
 func BadRequestResponse(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusBadRequest)
 	if _, err := fmt.Fprintf(w, "Unkown api endpoint %s", r.URL.Path); err != nil {
-		glog.Warningf("Error writing response for %s: %s", r.URL.Path, err)
+		escapedPath := html.EscapeString(r.URL.Path)
+		glog.Warningf("Error writing response for %s: %s", escapedPath, err)
 	}
 }
diff --git a/pkg/http/rest/api.go b/pkg/http/rest/api.go
@@ -2,6 +2,7 @@ package rest
 
 import (
 	"fmt"
+	"html"
 	"net/http"
 	"net/http/httputil"
 
@@ -173,8 +174,9 @@ func (a *API) Register() {
 func notImplementedHandler() http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusNotImplemented)
-		if _, err := fmt.Fprintf(w, "Unkown api endpoint %s", r.URL.Path); err != nil {
-			glog.Warningf("Error writing response for %s: %s", r.URL.Path, err)
+		escapedPath := html.EscapeString(r.URL.Path)
+		if _, err := fmt.Fprintf(w, "Unkown api endpoint %s", escapedPath); err != nil {
+			glog.Warningf("Error writing response for %s: %s", escapedPath, err)
 		}
 	})
 }