RHINENG-12951: fix CWE-918

RedHatInsights · Oct 4, 2024 · 66ae76f · 66ae76f
1 parent c57681f
commit 66ae76f
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/turnpike/controllers/admin.go b/turnpike/controllers/admin.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"net/http"
 	"regexp"
+	"slices"
 	"strconv"
 	"time"
 
@@ -293,13 +294,17 @@ func GetManagerPprof(c *gin.Context) {
 func pprofHandler(c *gin.Context, address string) {
 	query := c.Request.URL.RawQuery
 	param := c.Param("param")
-	data, err := getPprof(address, param, query)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"err": err.Error()})
+	if slices.Contains([]string{"heap", "profile", "block", "mutex", "trace"}, param) {
+		data, err := getPprof(address, param, query)
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"err": err.Error()})
+			return
+		}
+		c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=%s", param))
+		c.Data(http.StatusOK, "application/octet-stream", data)
 		return
 	}
-	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=%s", param))
-	c.Data(http.StatusOK, "application/octet-stream", data)
+	c.Status(http.StatusBadRequest)
 }
 
 func getPprof(address, param, query string) ([]byte, error) {
@@ -309,7 +314,8 @@ func getPprof(address, param, query string) ([]byte, error) {
 	if len(query) > 0 {
 		param = param + "?" + query
 	}
-	urlPath := fmt.Sprintf("%s/debug/pprof/%s", address, param)
+	// urlPath := fmt.Sprintf("%s/debug/pprof/%s", address, param)
+	urlPath := address + "/debug/pprof/" + param
 	req, err := http.NewRequest(http.MethodGet, urlPath, nil)
 	if err != nil {
 		return nil, err