
Commit 341333c

committed
address review changes
1 parent ed56f5e commit 341333c


1 file changed

+11
-4
lines changed


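--- a/agent/ui_endpoint.go
+++ b/agent/ui_endpoint.go
@@ -816,10 +816,17 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
 // This prevents path traversal while preserving URL structure
 cleanedSubPath := path.Clean(subPath)
 
+// Clean the base URL for security in logging and comparisons
+cleanedBaseURL := cfg.BaseURL
+if parsedBase, err := url.Parse(cfg.BaseURL); err == nil && parsedBase.Path != "" {
+parsedBase.Path = path.Clean(parsedBase.Path)
+cleanedBaseURL = parsedBase.String()
+}
+
 // Parse the base URL to get its components
 baseURL, err := url.Parse(cfg.BaseURL)
 if err != nil {
-log.Error("couldn't parse base URL", "base_url", cfg.BaseURL)
+log.Error("couldn't parse base URL", "base_url", cleanedBaseURL)
 return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Invalid base URL."}
 }
 
@@ -830,7 +837,7 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
 // Parse it into a new URL
 u, err := url.Parse(newURL)
 if err != nil {
-log.Error("couldn't parse target URL", "base_url", cfg.BaseURL, "path", subPath)
+log.Error("couldn't parse target URL", "base_url", cleanedBaseURL, "path", subPath)
 return nil, HTTPError{StatusCode: http.StatusBadRequest, Reason: "Invalid path."}
 }
 
@@ -847,7 +854,7 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
 }
 if denied {
 log.Error("target URL path is not allowed",
-"base_url", cfg.BaseURL,
+"base_url", cleanedBaseURL,
 "path", subPath,
 "target_url", u.String(),
 "path_allowlist", cfg.PathAllowlist,
@@ -881,7 +888,7 @@ func (s *HTTPHandlers) UIMetricsProxy(resp http.ResponseWriter, req *http.Reques
 // Allow exact match of BaseURL (without trailing slash) or proper prefix match
 if targetURL != cfg.BaseURL && !strings.HasPrefix(targetURL, baseURLForPrefix) {
 log.Error("target URL escaped from base path",
-"base_url", cfg.BaseURL,
+"base_url", cleanedBaseURL,
 "path", subPath,
 "target_url", u.String(),
 )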
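Review bot: `cleanedBaseURL` is only ever passed to `log.Error`, while the escape check at new line 889 still compares against `cfg.BaseURL`, so the comment "for security in logging and comparisons" overstates what the code does and the logged `base_url` can now differ from the value actually enforced. At new line 829 the substitution has no effect: that branch runs only when `url.Parse(cfg.BaseURL)` fails, in which case the earlier parse at new line 821 failed too and `cleanedBaseURL` is still the raw string. I would parse once, derive the cleaned form from `baseURL` after its error check, and reword the comment to `// Normalised base URL, used for log output only`. If the concern is credentials embedded in the configured URL, `baseURL.Redacted()` is the standard-library call for that, since `path.Clean` leaves the userinfo part untouched. `baseURLForPrefix` is defined outside the visible hunks, so whether the prefix check should also use the cleaned path needs confirming there.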
