lib/protoparser/opentelemetry/firehose: escape requestID before returning it to user (#6451)

All user input should be sanitized before rendering. This should prevent
possible attacks. See
https://github.com/VictoriaMetrics/VictoriaMetrics/security/code-scanning/203

Signed-off-by: hagen1778 <roman@victoriametrics.com>
This commit is contained in:
Roman Khavronenko 2024-06-10 16:55:59 +02:00 committed by GitHub
parent 253c0cffbe
commit cd1aca217c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -2,6 +2,7 @@ package firehose
import (
"fmt"
"html"
"net/http"
"time"
)
@ -12,11 +13,12 @@ import (
func WriteSuccessResponse(w http.ResponseWriter, r *http.Request) {
requestID := r.Header.Get("X-Amz-Firehose-Request-Id")
if requestID == "" {
// This isn't a AWS firehose request - just return an empty response in this case.
// This isn't an AWS firehose request - just return an empty response in this case.
w.WriteHeader(http.StatusOK)
return
}
requestID = html.EscapeString(requestID)
body := fmt.Sprintf(`{"requestId":%q,"timestamp":%d}`, requestID, time.Now().UnixMilli())
h := w.Header()