Security: Fix path traversal vulnerability in host-agent download endpoint
CRITICAL SECURITY FIX: The /download/pulse-host-agent endpoint was directly concatenating user-supplied platform and arch query parameters into file paths without validation, allowing path traversal attacks. An attacker could request: /download/pulse-host-agent?platform=../../etc/passwd to read arbitrary files from the container filesystem. Fix: Add input validation to only allow alphanumeric characters and hyphens in platform/arch parameters before using them in file paths. Related: Codex security audit identified this during pre-release review
This commit is contained in:
parent
775bf99a96
commit
946e2e455f
1 changed files with 12 additions and 0 deletions
|
|
@ -3326,6 +3326,18 @@ func (r *Router) handleDownloadHostAgent(w http.ResponseWriter, req *http.Reques
|
|||
platformParam := strings.TrimSpace(req.URL.Query().Get("platform"))
|
||||
archParam := strings.TrimSpace(req.URL.Query().Get("arch"))
|
||||
|
||||
// Validate platform and arch to prevent path traversal attacks
|
||||
// Only allow alphanumeric characters and hyphens
|
||||
validPattern := regexp.MustCompile(`^[a-zA-Z0-9\-]+$`)
|
||||
if platformParam != "" && !validPattern.MatchString(platformParam) {
|
||||
http.Error(w, "Invalid platform parameter", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if archParam != "" && !validPattern.MatchString(archParam) {
|
||||
http.Error(w, "Invalid arch parameter", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
searchPaths := make([]string, 0, 12)
|
||||
strictMode := platformParam != "" && archParam != ""
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue