RHINENG-12951: fix for CWE-918

RedHatInsights · Oct 4, 2024 · a037dea · a037dea
1 parent 158b4b0
commit a037dea
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/turnpike/controllers/admin.go b/turnpike/controllers/admin.go
@@ -10,6 +10,7 @@ import (
 	"io"
 	"net/http"
 	"regexp"
+	"slices"
 	"strconv"
 	"time"
 
@@ -293,14 +294,17 @@ func GetManagerPprof(c *gin.Context) {
 func pprofHandler(c *gin.Context, address string) {
 	query := c.Request.URL.RawQuery
 	param := c.Param("param")
-	// data, err := getPprof(address, url.QueryEscape(param), query)
-	data, err := getPprof(address, "", query)
-	if err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"err": err.Error()})
+	if slices.Contains([]string{"heap", "profile", "block", "mutex", "trace"}, param) {
+		data, err := getPprof(address, param, query)
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"err": err.Error()})
+			return
+		}
+		c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=%s", param))
+		c.Data(http.StatusOK, "application/octet-stream", data)
 		return
 	}
-	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=%s", param))
-	c.Data(http.StatusOK, "application/octet-stream", data)
+	c.Status(http.StatusBadRequest)
 }
 
 func getPprof(address, param, query string) ([]byte, error) {