From f815954a1116e224e5ba8b621a337144b2ae6e96 Mon Sep 17 00:00:00 2001
From: Michael Mraka
Date: Thu, 3 Oct 2024 16:45:15 +0200
Subject: [PATCH] RHINENG-12951: fix CWE-918

---
 turnpike/controllers/admin.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/turnpike/controllers/admin.go b/turnpike/controllers/admin.go
index 2ab6cee62..20805ee5c 100644
--- a/turnpike/controllers/admin.go
+++ b/turnpike/controllers/admin.go
@@ -290,10 +290,17 @@ func GetManagerPprof(c *gin.Context) {
 	pprofHandler(c, utils.CoreCfg.ManagerPrivateAddress)
 }
 
+var paramRegexp = regexp.MustCompile("^(heap|profile|block|mutex|trace)$")
+
 func pprofHandler(c *gin.Context, address string) {
 	query := c.Request.URL.RawQuery
 	param := c.Param("param")
-	data, err := getPprof(address, param, query)
+	match := paramRegexp.FindStringSubmatch(param)
+	if len(match) < 1 {
+		c.Status(http.StatusBadRequest)
+		return
+	}
+	data, err := getPprof(address, match[0], query)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"err": err.Error()})
 		return
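Review bot: The submatch lookup in pprofHandler does more than the check needs: because the regexp is anchored with `^…$`, a successful `FindStringSubmatch` always gives `match[0] == param`, so `if !paramRegexp.MatchString(param) { c.Status(http.StatusBadRequest); return }` followed by the original `getPprof(address, param, query)` reads as the allowlist it is, and a comment such as `// Only this fixed set of pprof profile names may be proxied to the private address (CWE-918).` above paramRegexp would record why it exists. The rejection branch also answers with a bare 400 while the error branch a few lines below returns a JSON `err` body; `c.JSON(http.StatusBadRequest, gin.H{"err": "unsupported pprof param"})` keeps the two responses consistent. `query` is still forwarded to getPprof as-is; whether that is acceptable depends on how getPprof composes the upstream URL, which is outside this hunk. The diffstat counts all 8 insertions in this hunk, so `regexp` must already be imported elsewhere in admin.go — worth confirming the file still builds.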