Merge pull request #9683 from mcalmer/issv3-fix-hostspot
sanitize the channel name
mcalmer authored Jan 24, 2025
2 parents 62776b5 + 2242dc8 commit 9f1420e
Showing 1 changed file with 3 additions and 2 deletions.
Expand Up @@ -592,8 +592,9 @@ else if (!onlyChannels.contains(channel)) {
halt(HttpStatus.SC_BAD_REQUEST, "Token does not specify the organization");
}
else if (!ChannelFactory.isAccessibleBy(channel, orgId)) {
LOG.info("Forbidden: Token does not provide access to channel {}", channel);
halt(HttpStatus.SC_FORBIDDEN, "Token does not provide access to channel %s".formatted(channel));
String sanitChannel = StringUtil.sanitizeLogInput(channel);

Check notice

Code scanning / SonarCloud

Logging should not be vulnerable to injection attacks Low

Change this code to not log user-controlled data. See more on SonarQube Cloud
LOG.info("Forbidden: Token does not provide access to channel {}", sanitChannel);
halt(HttpStatus.SC_FORBIDDEN, "Token does not provide access to channel %s".formatted(sanitChannel));
}
}
catch (TokenParsingException e) {
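Review bot: In the `halt(HttpStatus.SC_FORBIDDEN, ...)` call, `sanitChannel` comes from `StringUtil.sanitizeLogInput`, a helper named for log output, yet it is also echoed into the HTTP response body. Neutralizing a value for a log line and encoding it for a response are different jobs, and the hunk does not show what the helper strips. I would keep the sanitized value for `LOG.info` only and return a fixed message such as "Token does not provide access to the requested channel", or encode the name for the response's content type if the client really needs it back. Two smaller points: the SonarCloud notice is still attached to the new lines, so either register the helper as a sanitizer with the scanner or mark the finding reviewed with a short justification; and the earlier branches that handle `channel` (only `!onlyChannels.contains(channel)` is visible as context) deserve the same check for logging or echoing the raw value.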