From 4cea39de34bc590560d2018f115ae90fa98b6461 Mon Sep 17 00:00:00 2001
From: Jordan Webb
Date: Sat, 5 Nov 2022 17:55:32 -0500
Subject: [PATCH] Fix most of the issues CodeQL dislikes (#12)

* Fix most of the issues CodeQL dislikes

* Escape ipAddr closer to source
---
 internal/server.go | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/internal/server.go b/internal/server.go
index 93e13686..fceb586c 100644
--- a/internal/server.go
+++ b/internal/server.go
@@ -1,7 +1,6 @@
 package tfa
 
 import (
-	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -23,6 +22,12 @@ func NewServer() *Server {
 	return s
 }
 
+func escapeNewlines(data string) string {
+	escapedData := strings.Replace(data, "\n", "", -1)
+	escapedData = strings.Replace(escapedData, "\r", "", -1)
+	return escapedData
+}
+
 func (s *Server) buildRoutes() {
 	var err error
 	s.muxer, err = mux.NewMuxer()
@@ -86,7 +91,7 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc {
 		// Logging setup
 		logger := s.logger(r, "Auth", rule, "Authenticating request")
 
-		ipAddr := r.Header.Get("X-Forwarded-For")
+		ipAddr := escapeNewlines(r.Header.Get("X-Forwarded-For"))
 		if ipAddr == "" {
 			logger.Warn("missing x-forwarded-for header")
 		} else {
@@ -123,8 +128,8 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc {
 		// Validate user
 		valid := ValidateUser(user, rule)
 		if !valid {
-			logger.WithField("user", user).Warn("Invalid user")
-			http.Error(w, fmt.Sprintf("User '%s' is not authorized", user), 401)
+			logger.WithField("user", escapeNewlines(user)).Warn("Invalid user")
+			http.Error(w, "User is not authorized", 401)
 			return
 		}
 
@@ -142,7 +147,7 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 		logger := s.logger(r, "AuthCallback", "default", "Handling callback")
 
 		// Check state
-		state := r.URL.Query().Get("state")
+		state := escapeNewlines(r.URL.Query().Get("state"))
 		if err := ValidateState(state); err != nil {
 			logger.WithFields(logrus.Fields{
 				"error": err,
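Review bot: escapeNewlines in the NewServer hunk removes only `\n` and `\r`, so other control characters a client can place in a forwarded header or query value (tab, NUL, ESC-introduced terminal sequences, vertical tab, form feed) still reach the log untouched; the CodeQL finding is quieted, but a reader of plain-text logs is only partly protected. Dropping every control rune with strings.Map and unicode.IsControl handles the whole class in one place and keeps the function name and all callers in the later hunks unchanged (it needs `"unicode"` added to the import block this patch already edits). The function also has no doc comment and uses the pre-Go-1.12 `strings.Replace(..., -1)` form where `strings.ReplaceAll` reads more clearly. A comment such as `// escapeNewlines strips control characters from a request-supplied value before it is logged, so one request cannot forge extra log lines.` should explain why it exists.
```go
// escapeNewlines strips control characters (including CR and LF) from a
// request-supplied value before it is logged, so one request cannot forge
// additional log lines.
func escapeNewlines(data string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1 // a negative result drops the rune
		}
		return r
	}, data)
}
```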
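Review bot: In the AuthHandler hunk the sanitized string is assigned to `ipAddr` itself, so any later use of ipAddr in the handler body (which continues past the hunk) now sees a value with CR/LF silently removed rather than what the proxy sent; the same shape appears in the AuthCallbackHandler hunk, where `ValidateState` is then applied to the stripped `state` instead of the raw query parameter, so a token carrying stray CR/LF is treated as if it were clean. Sanitizing is an output concern for the log, not an input transformation, and mixing the two makes it hard to reason about what was actually validated. Keep the raw value for validation and logic, e.g. `state := r.URL.Query().Get("state")` and `if err := ValidateState(state); err != nil {` unchanged, and wrap only the logged copy, `logger.WithField("state", escapeNewlines(state))`; do the same for ipAddr, escaping it where it is written to the logger (presumably the else branch that follows the hunk) rather than at the read.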
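Review bot: The new `http.Error(w, "User is not authorized", 401)` line in the ValidateUser hunk keeps a bare status literal; `http.StatusUnauthorized` names the intent, and since the user at this point has already authenticated and only fails the rule, `http.StatusForbidden` may be the more accurate code — though the forward-auth proxy's handling of 401 versus 403 differs, so confirm the proxy behavior before changing it. Suggested line: `http.Error(w, "User is not authorized", http.StatusUnauthorized)`.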
@@ -271,11 +276,11 @@ func (s *Server) logger(r *http.Request, handler, rule, msg string) *logrus.Entr
 	logger := log.WithFields(logrus.Fields{
 		"handler": handler,
 		"rule": rule,
-		"method": r.Header.Get("X-Forwarded-Method"),
-		"proto": r.Header.Get("X-Forwarded-Proto"),
-		"host": r.Header.Get("X-Forwarded-Host"),
-		"uri": r.Header.Get("X-Forwarded-Uri"),
-		"source_ip": r.Header.Get("X-Forwarded-For"),
+		"method": escapeNewlines(r.Header.Get("X-Forwarded-Method")),
+		"proto": escapeNewlines(r.Header.Get("X-Forwarded-Proto")),
+		"host": escapeNewlines(r.Header.Get("X-Forwarded-Host")),
+		"uri": escapeNewlines(r.Header.Get("X-Forwarded-Uri")),
+		"source_ip": escapeNewlines(r.Header.Get("X-Forwarded-For")),
 	})
 
 	// Log request
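Review bot: The five field lines each repeat `escapeNewlines(r.Header.Get(...))`, and the next header someone adds to this map can just as easily miss the wrapper, which is how the original finding arose; a small local accessor keeps the escaping in one place, and a logrus Hook or Formatter wrapper that sanitizes every field value would remove the need to remember it at each call site at all — that is the durable fix for this class of finding, worth a follow-up. The enclosing logger function starts before this hunk. The accessor form is below.
```go
	// hdr reads a forwarded header with control characters stripped, so every
	// field in the map below is sanitized the same way.
	hdr := func(name string) string { return escapeNewlines(r.Header.Get(name)) }
	logger := log.WithFields(logrus.Fields{
		"handler": handler,
		"rule": rule,
		"method": hdr("X-Forwarded-Method"),
		"proto": hdr("X-Forwarded-Proto"),
		"host": hdr("X-Forwarded-Host"),
		"uri": hdr("X-Forwarded-Uri"),
		"source_ip": hdr("X-Forwarded-For"),
	})
```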