fixup! RHINENG-12951: fix CWE-918

RedHatInsights · Oct 4, 2024 · b7acfc6 · b7acfc6
1 parent 5474f6c
commit b7acfc6
Showing 1 changed file with 3 additions and 7 deletions.
diff --git a/turnpike/controllers/admin.go b/turnpike/controllers/admin.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"path"
 	"regexp"
 	"slices"
 	"strconv"
@@ -311,15 +312,10 @@ func getPprof(address, param, query string) ([]byte, error) {
 	client := &http.Client{
 		Timeout: time.Second * 60,
 	}
-	urlPath := address + "/debug/pprof/"
-	if len(param) > 0 {
-		urlPath = urlPath + param
-	}
 	if len(query) > 0 {
-		// param = param + "?" + query
-		urlPath = urlPath + "?" + query
+		param = param + "?" + query
 	}
-	// urlPath := fmt.Sprintf("%s/debug/pprof/%s", address, param)
+	urlPath := fmt.Sprintf("%s/debug/pprof/%s", address, path.Clean(param))
 	req, err := http.NewRequest(http.MethodGet, urlPath, nil)
 	if err != nil {
 		return nil, err