fix: chaoshub handler path injection

Signed-off-by: Jaeyeon Park <[email protected]>
litmuschaos · Aug 4, 2024 · 67fadc1 · 67fadc1
1 parent 1f3cf95
commit 67fadc1
Showing 1 changed file with 13 additions and 4 deletions.
diff --git a/chaoscenter/graphql/server/pkg/chaoshub/handler/handler.go b/chaoscenter/graphql/server/pkg/chaoshub/handler/handler.go
@@ -320,16 +320,21 @@ func ChaosHubIconHandler() gin.HandlerFunc {
 			responseStatusCode int
 		)
 
+		projectID := sanitize.PathName(c.Param("projectId"))
+		hubName := sanitize.PathName(c.Param("hubName"))
+		chartName := sanitize.PathName(c.Param("chartName"))
+		iconName := sanitize.PathName(c.Param("iconName"))
+
 		if strings.ToLower(c.Param("chartName")) == "predefined" {
-			img, err = os.Open(utils.Config.CustomChaosHubPath + c.Param("projectId") + "/" + c.Param("hubName") + "/experiments/icons/" + c.Param("iconName"))
+			img, err = os.Open(utils.Config.CustomChaosHubPath + projectID + "/" + hubName + "/experiments/icons/" + iconName)
 			responseStatusCode = http.StatusOK
 			if err != nil {
 				responseStatusCode = http.StatusInternalServerError
 				log.WithError(err).Error("icon cannot be fetched")
 				fmt.Fprint(c.Writer, "icon cannot be fetched, err : "+err.Error())
 			}
 		} else {
-			img, err = os.Open(utils.Config.CustomChaosHubPath + c.Param("projectId") + "/" + c.Param("hubName") + "/faults/" + c.Param("chartName") + "/icons/" + c.Param("iconName"))
+			img, err = os.Open(utils.Config.CustomChaosHubPath + projectID + "/" + hubName + "/faults/" + chartName + "/icons/" + iconName)
 			responseStatusCode = http.StatusOK
 			if err != nil {
 				responseStatusCode = http.StatusInternalServerError
@@ -354,16 +359,20 @@ func DefaultChaosHubIconHandler() gin.HandlerFunc {
 			responseStatusCode int
 		)
 
+		hubName := sanitize.PathName(c.Param("hubName"))
+		chartName := sanitize.PathName(c.Param("chartName"))
+		iconName := sanitize.PathName(c.Param("iconName"))
+
 		if strings.ToLower(c.Param("chartName")) == "predefined" {
-			img, err = os.Open(utils.Config.DefaultChaosHubPath + c.Param("hubName") + "/experiments/icons/" + c.Param("iconName"))
+			img, err = os.Open(utils.Config.DefaultChaosHubPath + hubName + "/experiments/icons/" + iconName)
 			responseStatusCode = http.StatusOK
 			if err != nil {
 				responseStatusCode = http.StatusInternalServerError
 				log.WithError(err).Error("icon cannot be fetched")
 				fmt.Fprint(c.Writer, "icon cannot be fetched, err : "+err.Error())
 			}
 		} else {
-			img, err = os.Open(utils.Config.DefaultChaosHubPath + c.Param("hubName") + "/faults/" + c.Param("chartName") + "/icons/" + c.Param("iconName"))
+			img, err = os.Open(utils.Config.DefaultChaosHubPath + hubName + "/faults/" + chartName + "/icons/" + iconName)
 			responseStatusCode = http.StatusOK
 			if err != nil {
 				responseStatusCode = http.StatusInternalServerError