Skip to content

chore: add url validation #103

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nahidhasan94 merged 1 commit into from
Oct 14, 2025
Merged

chore: add url validation #103

nahidhasan94 merged 1 commit into from
Oct 14, 2025

Conversation

@nahidhasan94
Copy link
Collaborator

@nahidhasan94 nahidhasan94 commented Oct 14, 2025

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 14, 2025
View reviewed changes
libproxy/proxy.go
field, err := writer.CreatePart(val.Header)
if err != nil {
ErrorLogger.Printf("Failed to create part for file %s: %v", sanitizeLogInput(val.Filename), err)
ErrorLogger.Printf("Failed to create part for file %s: %v", val.Filename, err)

Check failure

Code scanning / CodeQL

Log entries created from user input High

This log entry depends on a
user-provided value
Loading
.

Copilot Autofix

AI about 2 months ago

To fix this problem, all occurrences where user-supplied file names are logged should be sanitized before being passed to the logger. The best way to do this without changing existing functionality is to apply the existing sanitizeLogInput utility function to val.Filename in each affected logging statement.

Specifically, edit the relevant lines:

  • Before logging val.Filename in ErrorLogger.Printf, pass it through the sanitizeLogInput function.

This change should be applied to all logging lines in this code block that output val.Filename (lines 620, 626, 636, and 641).

No additional imports or definitions are required, as both the logger and the sanitizer are already present.

Suggested changeset 1
libproxy/proxy.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libproxy/proxy.go b/libproxy/proxy.go
--- a/libproxy/proxy.go
+++ b/libproxy/proxy.go
@@ -617,13 +617,13 @@
 			for _, val := range request.MultipartForm.File[fileKey] {
 				f, err := val.Open()
 				if err != nil {
-					ErrorLogger.Printf("Failed to open file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to open file %s: %v", sanitizeLogInput(val.Filename), err)
 					continue
 				}
 
 				field, err := writer.CreatePart(val.Header)
 				if err != nil {
-					ErrorLogger.Printf("Failed to create part for file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to create part for file %s: %v", sanitizeLogInput(val.Filename), err)
 					err = f.Close()
 					if err != nil {
 						ErrorLogger.Printf("Failed to close file: %v", err)
@@ -633,12 +628,12 @@
 
 				_, err = io.Copy(field, f)
 				if err != nil {
-					ErrorLogger.Printf("Failed to copy file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to copy file %s: %v", sanitizeLogInput(val.Filename), err)
 				}
 
 				err = f.Close()
 				if err != nil {
-					ErrorLogger.Printf("Failed to close file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to close file %s: %v", sanitizeLogInput(val.Filename), err)
 				}
 			}
 		}
EOF
@@ -617,13 +617,13 @@
for _, val := range request.MultipartForm.File[fileKey] {
f, err := val.Open()
if err != nil {
ErrorLogger.Printf("Failed to open file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to open file %s: %v", sanitizeLogInput(val.Filename), err)
continue
}

field, err := writer.CreatePart(val.Header)
if err != nil {
ErrorLogger.Printf("Failed to create part for file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to create part for file %s: %v", sanitizeLogInput(val.Filename), err)
err = f.Close()
if err != nil {
ErrorLogger.Printf("Failed to close file: %v", err)
@@ -633,12 +628,12 @@

_, err = io.Copy(field, f)
if err != nil {
ErrorLogger.Printf("Failed to copy file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to copy file %s: %v", sanitizeLogInput(val.Filename), err)
}

err = f.Close()
if err != nil {
ErrorLogger.Printf("Failed to close file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to close file %s: %v", sanitizeLogInput(val.Filename), err)
}
}
}
Copilot is powered by AI and may make mistakes. Always verify output.
libproxy/proxy.go
_, err = io.Copy(field, f)
if err != nil {
ErrorLogger.Printf("Failed to copy file %s: %v", sanitizeLogInput(val.Filename), err)
ErrorLogger.Printf("Failed to copy file %s: %v", val.Filename, err)

Check failure

Code scanning / CodeQL

Log entries created from user input High

This log entry depends on a
user-provided value
Loading
.

Copilot Autofix

AI about 2 months ago

To fix this issue, we should sanitize any user-supplied data before writing it to logs. In this context, before logging val.Filename (which is derived from potentially untrusted user input), we should remove any newlines (\n), carriage returns (\r), and potentially other problematic characters. This ensures that a malicious user cannot inject log entries or otherwise tamper with the format of the log by submitting special characters in their filename.

The best way to do this, consistent with the rest of the codebase, is to use the provided sanitizeLogInput helper function (lines 23-28) before including any user-controlled value in a log statement. This simply requires wrapping each use of val.Filename in log statements (on lines 620, 626, 636, 641) with sanitizeLogInput().

No additional imports or utility methods are needed, as the helper function already exists and is in scope.

The only required code change is to replace any direct use of val.Filename in log calls in this region with sanitizeLogInput(val.Filename).

Suggested changeset 1
libproxy/proxy.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libproxy/proxy.go b/libproxy/proxy.go
--- a/libproxy/proxy.go
+++ b/libproxy/proxy.go
@@ -617,13 +617,13 @@
 			for _, val := range request.MultipartForm.File[fileKey] {
 				f, err := val.Open()
 				if err != nil {
-					ErrorLogger.Printf("Failed to open file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to open file %s: %v", sanitizeLogInput(val.Filename), err)
 					continue
 				}
 
 				field, err := writer.CreatePart(val.Header)
 				if err != nil {
-					ErrorLogger.Printf("Failed to create part for file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to create part for file %s: %v", sanitizeLogInput(val.Filename), err)
 					err = f.Close()
 					if err != nil {
 						ErrorLogger.Printf("Failed to close file: %v", err)
@@ -633,12 +628,12 @@
 
 				_, err = io.Copy(field, f)
 				if err != nil {
-					ErrorLogger.Printf("Failed to copy file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to copy file %s: %v", sanitizeLogInput(val.Filename), err)
 				}
 
 				err = f.Close()
 				if err != nil {
-					ErrorLogger.Printf("Failed to close file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to close file %s: %v", sanitizeLogInput(val.Filename), err)
 				}
 			}
 		}
EOF
@@ -617,13 +617,13 @@
for _, val := range request.MultipartForm.File[fileKey] {
f, err := val.Open()
if err != nil {
ErrorLogger.Printf("Failed to open file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to open file %s: %v", sanitizeLogInput(val.Filename), err)
continue
}

field, err := writer.CreatePart(val.Header)
if err != nil {
ErrorLogger.Printf("Failed to create part for file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to create part for file %s: %v", sanitizeLogInput(val.Filename), err)
err = f.Close()
if err != nil {
ErrorLogger.Printf("Failed to close file: %v", err)
@@ -633,12 +628,12 @@

_, err = io.Copy(field, f)
if err != nil {
ErrorLogger.Printf("Failed to copy file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to copy file %s: %v", sanitizeLogInput(val.Filename), err)
}

err = f.Close()
if err != nil {
ErrorLogger.Printf("Failed to close file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to close file %s: %v", sanitizeLogInput(val.Filename), err)
}
}
}
Copilot is powered by AI and may make mistakes. Always verify output.
libproxy/proxy.go
err = f.Close()
if err != nil {
ErrorLogger.Printf("Failed to close file %s: %v", sanitizeLogInput(val.Filename), err)
ErrorLogger.Printf("Failed to close file %s: %v", val.Filename, err)

Check failure

Code scanning / CodeQL

Log entries created from user input High

This log entry depends on a
user-provided value
Loading
.

Copilot Autofix

AI about 2 months ago

To fix this problem, we should sanitize any user-controlled inputs before using them in log entries. Specifically, any place where val.Filename (coming from a multipart upload) is interpolated into a log should wrap it with the project-provided sanitizeLogInput function, which removes newline and carriage return characters. No changes are needed elsewhere in the code. The fix is targeted at the ErrorLogger.Printf("Failed to close file %s: %v", val.Filename, err) statement at line 641.

No new imports or external libraries are required, as sanitizeLogInput is already available within the file.

Suggested changeset 1
libproxy/proxy.go

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libproxy/proxy.go b/libproxy/proxy.go
--- a/libproxy/proxy.go
+++ b/libproxy/proxy.go
@@ -617,13 +617,13 @@
 			for _, val := range request.MultipartForm.File[fileKey] {
 				f, err := val.Open()
 				if err != nil {
-					ErrorLogger.Printf("Failed to open file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to open file %s: %v", sanitizeLogInput(val.Filename), err)
 					continue
 				}
 
 				field, err := writer.CreatePart(val.Header)
 				if err != nil {
-					ErrorLogger.Printf("Failed to create part for file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to create part for file %s: %v", sanitizeLogInput(val.Filename), err)
 					err = f.Close()
 					if err != nil {
 						ErrorLogger.Printf("Failed to close file: %v", err)
@@ -633,12 +628,12 @@
 
 				_, err = io.Copy(field, f)
 				if err != nil {
-					ErrorLogger.Printf("Failed to copy file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to copy file %s: %v", sanitizeLogInput(val.Filename), err)
 				}
 
 				err = f.Close()
 				if err != nil {
-					ErrorLogger.Printf("Failed to close file %s: %v", val.Filename, err)
+					ErrorLogger.Printf("Failed to close file %s: %v", sanitizeLogInput(val.Filename), err)
 				}
 			}
 		}
EOF
@@ -617,13 +617,13 @@
for _, val := range request.MultipartForm.File[fileKey] {
f, err := val.Open()
if err != nil {
ErrorLogger.Printf("Failed to open file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to open file %s: %v", sanitizeLogInput(val.Filename), err)
continue
}

field, err := writer.CreatePart(val.Header)
if err != nil {
ErrorLogger.Printf("Failed to create part for file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to create part for file %s: %v", sanitizeLogInput(val.Filename), err)
err = f.Close()
if err != nil {
ErrorLogger.Printf("Failed to close file: %v", err)
@@ -633,12 +628,12 @@

_, err = io.Copy(field, f)
if err != nil {
ErrorLogger.Printf("Failed to copy file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to copy file %s: %v", sanitizeLogInput(val.Filename), err)
}

err = f.Close()
if err != nil {
ErrorLogger.Printf("Failed to close file %s: %v", val.Filename, err)
ErrorLogger.Printf("Failed to close file %s: %v", sanitizeLogInput(val.Filename), err)
}
}
}
Copilot is powered by AI and may make mistakes. Always verify output.
@nahidhasan94 nahidhasan94 merged commit 215c664 into master Oct 14, 2025
4 of 5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nahidhasan94