From b7acfc694ec8fb15f17d9a4be6fef008b27c258f Mon Sep 17 00:00:00 2001
From: Michael Mraka
Date: Fri, 4 Oct 2024 14:36:24 +0200
Subject: [PATCH] fixup! RHINENG-12951: fix CWE-918

---
 turnpike/controllers/admin.go | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/turnpike/controllers/admin.go b/turnpike/controllers/admin.go
index a4e41f1eb..b3a93af4e 100644
--- a/turnpike/controllers/admin.go
+++ b/turnpike/controllers/admin.go
@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"path"
 	"regexp"
 	"slices"
 	"strconv"
@@ -311,15 +312,10 @@ func getPprof(address, param, query string) ([]byte, error) {
 	client := &http.Client{
 		Timeout: time.Second * 60,
 	}
-	urlPath := address + "/debug/pprof/"
-	if len(param) > 0 {
-		urlPath = urlPath + param
-	}
 	if len(query) > 0 {
-		// param = param + "?" + query
-		urlPath = urlPath + "?" + query
+		param = param + "?" + query
 	}
-	// urlPath := fmt.Sprintf("%s/debug/pprof/%s", address, param)
+	urlPath := fmt.Sprintf("%s/debug/pprof/%s", address, path.Clean(param))
 	req, err := http.NewRequest(http.MethodGet, urlPath, nil)
 	if err != nil {
 		return nil, err
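Review bot: `path.Clean(param)` on the added `urlPath := fmt.Sprintf(...)` line does not keep the request under `/debug/pprof/`: Clean only drops leading `..` elements from a rooted path, so a relative param that begins with `..` survives cleaning and the upstream still receives a URL outside the intended prefix, which is the CWE-918 concern the commit is meant to close. Appending the query to param before cleaning also means `?` and the query bytes go through path cleaning, so a query containing `/`, `.` or `..` sequences can be rewritten. Clean the joined absolute path instead, reject anything that does not still start with `/debug/pprof/`, and append the query only afterwards; this needs `strings` in the import block if the file does not already import it. getPprof's body continues past the end of the hunk.
```go
	cleaned := path.Clean("/debug/pprof/" + param)
	if cleaned == "/debug/pprof" {
		cleaned += "/" // empty param: keep the index URL the previous code built
	}
	if !strings.HasPrefix(cleaned, "/debug/pprof/") {
		return nil, fmt.Errorf("pprof path %q escapes /debug/pprof/", param)
	}
	urlPath := address + cleaned
	if len(query) > 0 {
		urlPath += "?" + query
	}
	req, err := http.NewRequest(http.MethodGet, urlPath, nil)
	// … unchanged: error check and the rest of getPprof …
```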