mirror of
https://github.com/VictoriaMetrics/VictoriaMetrics.git
synced 2024-11-23 20:37:12 +01:00
lib/protoparser/opentelemetry/firehose: escape requestID before returning it to user (#6451)
All user input should be sanitized before rendering. This should prevent possible attacks. See https://github.com/VictoriaMetrics/VictoriaMetrics/security/code-scanning/203 Signed-off-by: hagen1778 <roman@victoriametrics.com>
This commit is contained in:
parent
253c0cffbe
commit
cd1aca217c
@ -2,6 +2,7 @@ package firehose
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"html"
|
||||
"net/http"
|
||||
"time"
|
||||
)
|
||||
@ -12,11 +13,12 @@ import (
|
||||
func WriteSuccessResponse(w http.ResponseWriter, r *http.Request) {
|
||||
requestID := r.Header.Get("X-Amz-Firehose-Request-Id")
|
||||
if requestID == "" {
|
||||
// This isn't a AWS firehose request - just return an empty response in this case.
|
||||
// This isn't an AWS firehose request - just return an empty response in this case.
|
||||
w.WriteHeader(http.StatusOK)
|
||||
return
|
||||
}
|
||||
|
||||
requestID = html.EscapeString(requestID)
|
||||
body := fmt.Sprintf(`{"requestId":%q,"timestamp":%d}`, requestID, time.Now().UnixMilli())
|
||||
|
||||
h := w.Header()
|
||||
|
Loading…
Reference in New Issue
Block a user