Fix most of the issues CodeQL dislikes (#12)

* Fix most of the issues CodeQL dislikes * Escape ipAddr closer to source
jordemort · Nov 5, 2022 · 4cea39d · 4cea39d
1 parent c7b6e99
commit 4cea39d
Showing 1 changed file with 15 additions and 10 deletions.
diff --git a/internal/server.go b/internal/server.go
@@ -1,7 +1,6 @@
 package tfa
 
 import (
-	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -23,6 +22,12 @@ func NewServer() *Server {
 	return s
 }
 
+func escapeNewlines(data string) string {
+	escapedData := strings.Replace(data, "\n", "", -1)
+	escapedData = strings.Replace(escapedData, "\r", "", -1)
+	return escapedData
+}
+
 func (s *Server) buildRoutes() {
 	var err error
 	s.muxer, err = mux.NewMuxer()
@@ -86,7 +91,7 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc {
 		// Logging setup
 		logger := s.logger(r, "Auth", rule, "Authenticating request")
 
-		ipAddr := r.Header.Get("X-Forwarded-For")
+		ipAddr := escapeNewlines(r.Header.Get("X-Forwarded-For"))
 		if ipAddr == "" {
 			logger.Warn("missing x-forwarded-for header")
 		} else {
@@ -123,8 +128,8 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc {
 		// Validate user
 		valid := ValidateUser(user, rule)
 		if !valid {
-			logger.WithField("user", user).Warn("Invalid user")
-			http.Error(w, fmt.Sprintf("User '%s' is not authorized", user), 401)
+			logger.WithField("user", escapeNewlines(user)).Warn("Invalid user")
+			http.Error(w, "User is not authorized", 401)
 			return
 		}
 
@@ -142,7 +147,7 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 		logger := s.logger(r, "AuthCallback", "default", "Handling callback")
 
 		// Check state
-		state := r.URL.Query().Get("state")
+		state := escapeNewlines(r.URL.Query().Get("state"))
 		if err := ValidateState(state); err != nil {
 			logger.WithFields(logrus.Fields{
 				"error": err,
@@ -271,11 +276,11 @@ func (s *Server) logger(r *http.Request, handler, rule, msg string) *logrus.Entr
 	logger := log.WithFields(logrus.Fields{
 		"handler":   handler,
 		"rule":      rule,
-		"method":    r.Header.Get("X-Forwarded-Method"),
-		"proto":     r.Header.Get("X-Forwarded-Proto"),
-		"host":      r.Header.Get("X-Forwarded-Host"),
-		"uri":       r.Header.Get("X-Forwarded-Uri"),
-		"source_ip": r.Header.Get("X-Forwarded-For"),
+		"method":    escapeNewlines(r.Header.Get("X-Forwarded-Method")),
+		"proto":     escapeNewlines(r.Header.Get("X-Forwarded-Proto")),
+		"host":      escapeNewlines(r.Header.Get("X-Forwarded-Host")),
+		"uri":       escapeNewlines(r.Header.Get("X-Forwarded-Uri")),
+		"source_ip": escapeNewlines(r.Header.Get("X-Forwarded-For")),
 	})
 
 	// Log request