From 0d73dd811fef4d0c910cb22cf8c503678cb8b62f Mon Sep 17 00:00:00 2001
From: Nagarajan Mani
Date: Wed, 4 Dec 2024 13:30:36 -0800
Subject: [PATCH 1/4] Codeql : Fixed the bug to not to expose the sensitive exception details in the response

---
 .../Management/VirtualFileSystem.cs | 41 ++++++++++++++++---
 1 file changed, 35 insertions(+), 6 deletions(-)

diff --git a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
index 6fb3e3a5a0..5e065d0f30 100644
--- a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
+++ b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
@@ -464,8 +464,7 @@ protected Task CreateFileDeleteResponse(HttpRequest request
 
 ///
 /// Indicates whether this is a conditional range request containing an
-/// If-Range header with a matching etag and a Range header indicating the
-/// desired ranges
+/// If-Range header with a matching etag and a Range header indicating the desired ranges.
 ///
 protected bool IsRangeRequest(HttpRequest request, Net.Http.Headers.EntityTagHeaderValue currentEtag)
 {
@@ -531,7 +530,7 @@ private static Stream GetFileDeleteStream(FileInfoBase file)
 }
 
 ///
-/// Create unique etag based on the last modified UTC time
+/// Create unique etag based on the last modified UTC time.
 ///
 private static Microsoft.Net.Http.Headers.EntityTagHeaderValue CreateEntityTag(FileSystemInfoBase sysInfo)
 {
@@ -641,10 +640,40 @@ private IEnumerable GetDirectoryResponse(HttpRequest request, File
 protected HttpResponseMessage CreateResponse(HttpStatusCode statusCode, object payload = null)
 {
 var response = new HttpResponseMessage(statusCode);
-if (payload != null)
+try
+{
+if (payload != null)
+{
+// Use safe serialization settings
+var jsonSerializerSettings = new JsonSerializerSettings
+{
+NullValueHandling = NullValueHandling.Ignore,
+DefaultValueHandling = DefaultValueHandling.Include,
+Formatting = Formatting.None
+};
+
+// Sanitize the payload if it's an object
+var content = payload is string ? payload as string : JsonConvert.SerializeObject(payload, jsonSerializerSettings);
+response.Content = new StringContent(content, Encoding.UTF8, "application/json");
+}
+}
+catch (JsonSerializationException je)
 {
-var content = payload is string ? payload as string : JsonConvert.SerializeObject(payload);
-response.Content = new StringContent(content, Encoding.UTF8, "application/json");
+// Return a generic error message to avoid exposing sensitive details
+_logger.LogError(je, je.Message);
+response = new HttpResponseMessage(HttpStatusCode.InternalServerError)
+{
+Content = new StringContent("An error occurred while processing the response payload.", Encoding.UTF8, "text/plain")
+};
+}
+catch (Exception ex)
+{
+// Return a generic error message to avoid exposing sensitive details
+_logger.LogError(ex, ex.Message);
+response = new HttpResponseMessage(HttpStatusCode.InternalServerError)
+{
+Content = new StringContent("An unexpected error occurred.", Encoding.UTF8, "text/plain")
+};
 }
 return response;
 }

From 981b9f4203e682cb4088b2ad26202431f2955c5e Mon Sep 17 00:00:00 2001
From: Nagarajan Mani
Date: Thu, 5 Dec 2024 11:19:32 -0800
Subject: [PATCH 2/4] Checking the payload object is exception to remove sensitive details

---
 src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs | 3 +++
 1 file changed, 3 insertions(+)

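Review bot: `_logger.LogError(je, je.Message)` in both new catch blocks passes the exception's message as the log message template, so any braces inside a serializer message are parsed as structured-logging placeholders and the entry may be misformatted; the exception object already carries the message, so a fixed template is the right shape: `_logger.LogError(je, "Failed to serialize the response payload.");` and `_logger.LogError(ex, "Unexpected error while building the response.");`. The `JsonSerializerSettings` block is commented as "safe serialization settings", but `DefaultValueHandling.Include` and `Formatting.None` are the Json.NET defaults and `NullValueHandling.Ignore` is a wire-format change rather than a hardening: null properties now disappear from every JSON body this method builds, which clients of these endpoints may not expect. Either drop the settings or replace the comment with one that states the compatibility impact, e.g. `// Omit null properties from every response body; this changes the JSON shape clients see.`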
diff --git a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
index 5e065d0f30..382783c003 100644
--- a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
+++ b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
@@ -652,6 +652,9 @@ protected HttpResponseMessage CreateResponse(HttpStatusCode statusCode, object p
 Formatting = Formatting.None
 };
 
+// Check if the payload is a string or an exception
+payload = payload is string ? payload as string : payload is Exception ? (payload as Exception).Message : payload;
+
 // Sanitize the payload if it's an object
 var content = payload is string ? payload as string : JsonConvert.SerializeObject(payload, jsonSerializerSettings);
 response.Content = new StringContent(content, Encoding.UTF8, "application/json");

From a6cd0a5418f7a6761ed82d146cefa09cd8bd43bd Mon Sep 17 00:00:00 2001
From: Nagarajan Mani
Date: Thu, 19 Dec 2024 14:41:18 -0800
Subject: [PATCH 3/4] simplified the payload

---
 src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
index 382783c003..655e850784 100644
--- a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
+++ b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
@@ -653,7 +653,12 @@ protected HttpResponseMessage CreateResponse(HttpStatusCode statusCode, object p
 };
 
 // Check if the payload is a string or an exception
-payload = payload is string ? payload as string : payload is Exception ? (payload as Exception).Message : payload;
+payload = payload switch
+{
+string str => str,
+Exception ex => ex.Message,
+_ => payload
+};
 
 // Sanitize the payload if it's an object
 var content = payload is string ? payload as string : JsonConvert.SerializeObject(payload, jsonSerializerSettings);
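Review bot: Reducing an `Exception` payload to `(payload as Exception).Message` in the added line still returns exception-derived text to the caller, and for the exception types a file-system API is likely to see (`FileNotFoundException`, `DirectoryNotFoundException`, `UnauthorizedAccessException`, `IOException`) the message routinely embeds the full server-side path or other internals, so the leak the commit title describes is narrowed rather than closed. The defensive shape is to log the exception here and send a generic text keyed to the status code, e.g. `Exception ex => LogAndGenericMessage(ex)` where the helper calls `_logger.LogError(ex, "...")` and returns a constant string; if individual messages are deliberately exposed, the comment should say which exception types are considered safe. The `payload is string ? payload as string` branch of the ternary is a no-op and can be dropped. `CreateResponse` starts and ends outside this hunk.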
From 7120ef07e9d70147a85f692f37f2c000de9984fd Mon Sep 17 00:00:00 2001
From: Nagarajan Mani
Date: Thu, 19 Dec 2024 14:46:18 -0800
Subject: [PATCH 4/4] simplified the code using switch expression

---
 src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
index 655e850784..9ed5fbeacb 100644
--- a/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
+++ b/src/WebJobs.Script.WebHost/Management/VirtualFileSystem.cs
@@ -661,7 +661,11 @@ protected HttpResponseMessage CreateResponse(HttpStatusCode statusCode, object p
 };
 
 // Sanitize the payload if it's an object
-var content = payload is string ? payload as string : JsonConvert.SerializeObject(payload, jsonSerializerSettings);
+var content = payload switch
+{
+string str => str,
+_ => JsonConvert.SerializeObject(payload, jsonSerializerSettings)
+};
 response.Content = new StringContent(content, Encoding.UTF8, "application/json");
 }
 }
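Review bot: The `string str => str` arm of the new switch sends the raw string as the body of a response labelled `application/json` without JSON-encoding it, and because the earlier hunk in this series now turns an `Exception` payload into `ex.Message`, a message containing quotes or newlines yields a body that is not valid JSON for the client. If string payloads are by contract already-serialized JSON documents, that assumption belongs in the comment; if they are plain text, encode them with `string str => JsonConvert.ToString(str),` so the body is a JSON string. The comment `// Sanitize the payload if it's an object` above the switch is inaccurate, since nothing is sanitized here; `// Serialize non-string payloads; strings are passed through as the response body` describes what the code does. `CreateResponse` continues past the hunk with the catch blocks and the return.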