Merge pull request #2340 from headlamp-k8s/uncontrolled-data-path

backend: Validate path from user
headlamp-k8s · Sep 18, 2024 · 0c0442a · 0c0442a
2 parents 7ea69b6 + 1cb85fc
commit 0c0442a
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/backend/cmd/headlamp.go b/backend/cmd/headlamp.go
@@ -89,6 +89,10 @@ type OauthConfig struct {
 }
 
 func (h spaHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if strings.Contains(r.URL.Path, "..") {
+		http.Error(w, "Contains unexpected '..'", http.StatusBadRequest)
+	}
+
 	// Clean the path to prevent directory traversal
 	path := filepath.Clean(r.URL.Path)
 	path = strings.TrimPrefix(path, h.baseURL)