fixup! RHINENG-12951: fix CWE-918

RedHatInsights · Oct 4, 2024 · b467a71 · b467a71
1 parent 5474f6c
commit b467a71
Showing 1 changed file with 6 additions and 9 deletions.
diff --git a/turnpike/controllers/admin.go b/turnpike/controllers/admin.go
@@ -9,8 +9,8 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"path"
 	"regexp"
-	"slices"
 	"strconv"
 	"time"
 
@@ -291,10 +291,12 @@ func GetManagerPprof(c *gin.Context) {
 	pprofHandler(c, utils.CoreCfg.ManagerPrivateAddress)
 }
 
+var paramRegexp = regexp.MustCompile("^(heap|profile|block|mutex|trace)$")
+
 func pprofHandler(c *gin.Context, address string) {
 	query := c.Request.URL.RawQuery
 	param := c.Param("param")
-	if slices.Contains([]string{"heap", "profile", "block", "mutex", "trace"}, param) {
+	if paramRegexp.MatchString(param) {
 		data, err := getPprof(address, param, query)
 		if err != nil {
 			c.JSON(http.StatusInternalServerError, gin.H{"err": err.Error()})
@@ -311,15 +313,10 @@ func getPprof(address, param, query string) ([]byte, error) {
 	client := &http.Client{
 		Timeout: time.Second * 60,
 	}
-	urlPath := address + "/debug/pprof/"
-	if len(param) > 0 {
-		urlPath = urlPath + param
-	}
 	if len(query) > 0 {
-		// param = param + "?" + query
-		urlPath = urlPath + "?" + query
+		param = param + "?" + query
 	}
-	// urlPath := fmt.Sprintf("%s/debug/pprof/%s", address, param)
+	urlPath := fmt.Sprintf("%s/debug/pprof/%s", address, path.Clean(param))
 	req, err := http.NewRequest(http.MethodGet, urlPath, nil)
 	if err != nil {
 		return nil, err