From b80dcf206312adc7e7283f35c5173d915efd7cae Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Wed, 27 Nov 2024 16:25:43 +0000
Subject: [PATCH 1/3] libvirt: Fix security bug with conversion

Incorrect conversion of an unsigned 64-bit integer from to a lower bit size type uint32 without an upper bound check.

Signed-off-by: stevenhorsman
---
 src/cloud-providers/libvirt/libvirt.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/cloud-providers/libvirt/libvirt.go b/src/cloud-providers/libvirt/libvirt.go
index a68fae40d..e7b223125 100644
--- a/src/cloud-providers/libvirt/libvirt.go
+++ b/src/cloud-providers/libvirt/libvirt.go
@@ -647,7 +647,7 @@ func CreateDomain(ctx context.Context, libvirtClient *libvirtClient, v *vmConfig
 func DeleteDomain(ctx context.Context, libvirtClient *libvirtClient, id string) (err error) {
 logger.Printf("Deleting instance (%s)", id)
- idUint, _ := strconv.ParseUint(id, 10, 64)
+ idUint, _ := strconv.ParseUint(id, 10, 32) // libvirt API takes uint32
 exists, err := checkDomainExistsById(uint32(idUint), libvirtClient)
 if err != nil {

From eba1d128b7a4b1833640408bd7cca0593b3b2441 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Wed, 27 Nov 2024 17:10:07 +0000
Subject: [PATCH 2/3] securecomms: Fix reflected XSS issue

I think this is low risk as it's in test code, but CodeQL throw the warning:
> Directly writing user input (for example, an HTTP request parameter) to
> an HTTP response without properly sanitizing the input first, allows for
> a cross-site scripting vulnerability.
so we might as well try and fix it.

Signed-off-by: stevenhorsman
---
 src/cloud-api-adaptor/test/securecomms/test/kbs.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/cloud-api-adaptor/test/securecomms/test/kbs.go b/src/cloud-api-adaptor/test/securecomms/test/kbs.go
index 3ec6d700b..1a8f2b328 100644
--- a/src/cloud-api-adaptor/test/securecomms/test/kbs.go
+++ b/src/cloud-api-adaptor/test/securecomms/test/kbs.go
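Review bot: The error from strconv.ParseUint is still discarded on the added `+` line, so narrowing bitSize to 32 only changes what a bad id is silently turned into: ParseUint returns the maximum uint32 on a range error and 0 on a syntax error, and DeleteDomain then calls checkDomainExistsById with that wrong id instead of failing. Since the function already declares a named `err` result, the check is short: `idUint, err := strconv.ParseUint(id, 10, 32)` followed by `if err != nil { return fmt.Errorf("parsing domain id %q: %w", id, err) }` (assuming fmt is imported in this file; otherwise return err as-is). An id that is not a valid uint32 should never reach the libvirt lookup. DeleteDomain's body continues past the end of the hunk.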
@@ -3,6 +3,7 @@ package test
 import (
 "context"
 "fmt"
+ "html"
 "io"
 "log"
 "net"
@@ -29,7 +30,7 @@ func (p kbsport) getRoot(w http.ResponseWriter, r *http.Request) {
 http.Error(w, "Not Found", http.StatusNotFound)
 return
 }
- _, err := w.Write(keyMaterial)
+ _, err := w.Write([]byte(html.EscapeString(string(keyMaterial))))
 if err != nil {
 http.Error(w, "cant write response", http.StatusInternalServerError)
 return

From 20b5076f7972b4fd6061519edc6faad058b7565e Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Wed, 27 Nov 2024 17:13:52 +0000
Subject: [PATCH 3/3] test/e2e: ibmcloud: Security alert

CodeQL is throwing up a high severity error:
> Sensitive information that is logged unencrypted is
> accessible to an attacker who gains access to the logs.
Longer term we might want to log selective fields, or provider a way to just hide the sensitive fields, but for now I've just removed the debug logs that expose things like API Keys

Signed-off-by: stevenhorsman
---
 .../test/provisioner/ibmcloud/provision_initializer.go | 2 --
 .../test/provisioner/ibmcloud/provision_kustomize.go | 1 -
 2 files changed, 3 deletions(-)

diff --git a/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_initializer.go b/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_initializer.go
index f67ef8021..b241498eb 100644
--- a/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_initializer.go
+++ b/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_initializer.go
@@ -132,8 +132,6 @@ func InitIBMCloudProperties(properties map[string]string) error {
 IBMCloudProps.IsSelfManaged = true
 }
- log.Debugf("%+v", IBMCloudProps)
 if len(IBMCloudProps.ResourceGroupID) <= 0 {
 log.Info("[warning] RESOURCE_GROUP_ID was not set.")
 }
diff --git a/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_kustomize.go b/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_kustomize.go
index 126a76a36..bab8710f1 100644
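Review bot: html.EscapeString on the replaced Write line in getRoot rewrites the bytes of keyMaterial instead of addressing why the handler is flagged, so any `&`, `<`, `>`, `"` or `'` in the key material would reach the client altered, while a browser could still sniff the unlabelled body as HTML. For a non-HTML endpoint the usual fix is to declare the content type and forbid sniffing before writing and leave the payload intact: `w.Header().Set("Content-Type", "application/octet-stream")`, `w.Header().Set("X-Content-Type-Options", "nosniff")`, then the original `_, err := w.Write(keyMaterial)`. In the visible lines keyMaterial does not appear to be derived from the request; if that holds, the finding is a false positive rather than a reflected XSS, which is worth stating in a comment on the Write line. getRoot's signature and the rest of its body lie outside the hunk.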
--- a/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_kustomize.go
+++ b/src/cloud-api-adaptor/test/provisioner/ibmcloud/provision_kustomize.go
@@ -133,7 +133,6 @@ func (lio *IBMCloudInstallOverlay) Delete(ctx context.Context, cfg *envconf.Conf
 // Update install/overlays/ibmcloud/kustomization.yaml
 func (lio *IBMCloudInstallOverlay) Edit(ctx context.Context, cfg *envconf.Config, properties map[string]string) error {
- log.Debugf("%+v", properties)
 var err error
 // image