Merge pull request #4210 from open-horizon/security_4208_4209
Fix CWE-113 vulnerabilities (issues #4208, #4209)
omordyk authored Jan 9, 2025
2 parents 5f933af + c2f60bd commit 3163bff
Showing 2 changed files with 30 additions and 2 deletions.
16 changes: 15 additions & 1 deletion agreementbot/api.go
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/open-horizon/anax/worker"
"io/ioutil"
"net/http"
"regexp"
"sort"
"sync"
"time"
Expand Down Expand Up @@ -318,11 +319,24 @@ func (a *API) listen(apiListen string) {
return
}

isValidInput := func(input string) bool {
// Check for CR or LF characters in input
re := regexp.MustCompile(`[\r\n]`)
return !re.MatchString(input)
}

nocache := func(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Cache-Control", "no-cache, no-store, must-revalidate")
w.Header().Add("Pragma", "no-cache, no-store")
w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))

input := r.Header.Get("Origin")
if !isValidInput(input) {
http.Error(w, "Input contains invalid newline characters (CR/LF)", http.StatusBadRequest)
return
}

w.Header().Add("Access-Control-Allow-Origin", input)
w.Header().Add("Access-Control-Allow-Headers", "X-Requested-With, content-type, Authorization")
w.Header().Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
h.ServeHTTP(w, r)
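Review bot: `isValidInput` compiles the `[\r\n]` regexp with `regexp.MustCompile` on every call, and the closure is invoked once per request from inside the `nocache` handler, so the compile cost is paid per request; hoist it out of the closure, e.g. `crlf := regexp.MustCompile(...)` (same pattern) declared once in `listen`, with the closure reduced to `return !crlf.MatchString(input)`, or, if `strings` is already imported in this file, replace the regexp with `strings.ContainsAny(input, "\r\n")` and drop the new `regexp` import. The identical helper is added verbatim to api/api.go in this same commit; one shared function would keep the two checks from drifting apart. The new guard only strips CR/LF from the value that is reflected; the request's `Origin` is still echoed into `Access-Control-Allow-Origin` for every caller, so if the API is meant to be reachable from a restricted set of origins an allowlist comparison would be the stronger check, though that is outside what this commit sets out to fix. As far as I recall `net/http` already replaces CR and LF with spaces when writing header values, so the check is best described as defense in depth that turns a silently mangled header into an explicit 400. The `nocache` closure and `listen` continue past the end of the hunk.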
16 changes: 15 additions & 1 deletion api/api.go
Expand Up @@ -13,6 +13,7 @@ import (
"github.com/open-horizon/anax/policy"
"github.com/open-horizon/anax/worker"
"net/http"
"regexp"
"sync"
)

Expand Down Expand Up @@ -133,11 +134,24 @@ func (a *API) router(includeStaticRedirects bool) *mux.Router {
func (a *API) listen(cfg *config.HorizonConfig) {
glog.Info(apiLogString(fmt.Sprintf("Starting Anax API server")))

isValidInput := func(input string) bool {
// Check for CR or LF characters in input
re := regexp.MustCompile(`[\r\n]`)
return !re.MatchString(input)
}

nocache := func(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Cache-Control", "no-cache, no-store, must-revalidate")
w.Header().Add("Pragma", "no-cache, no-store")
w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))

input := r.Header.Get("Origin")
if !isValidInput(input) {
http.Error(w, "Input contains invalid newline characters (CR/LF)", http.StatusBadRequest)
return
}

w.Header().Add("Access-Control-Allow-Origin", input)
w.Header().Add("Access-Control-Allow-Headers", "X-Requested-With, content-type, Authorization")
w.Header().Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
h.ServeHTTP(w, r)
