From 5e42f96eaf3347a467a49686fca35af666a9d85d Mon Sep 17 00:00:00 2001
From: Lenin Alevski <alevsk.8772@gmail.com>
Date: Mon, 7 Mar 2022 17:30:36 -0800
Subject: [PATCH] Validate basePath for console (#1677)

Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
---
 restapi/configure_console.go | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/restapi/configure_console.go b/restapi/configure_console.go
index 3bd3561fe..f07e8f39e 100644
--- a/restapi/configure_console.go
+++ b/restapi/configure_console.go
@@ -28,6 +28,7 @@ import (
 	"net"
 	"net/http"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"sync"
 	"time"
@@ -368,9 +369,16 @@ func getSubPath() string {
 }
 
 func replaceBaseInIndex(indexPageBytes []byte, basePath string) []byte {
-	indexPageStr := string(indexPageBytes)
-	newBase := fmt.Sprintf("<base href=\"%s\"/>", basePath)
-	indexPageStr = strings.Replace(indexPageStr, "<base href=\"/\"/>", newBase, 1)
-	indexPageBytes = []byte(indexPageStr)
+	if basePath != "" {
+		validBasePath := regexp.MustCompile(`^[0-9a-zA-Z\/-]+$`)
+		if !validBasePath.MatchString(basePath) {
+			return indexPageBytes
+		}
+		indexPageStr := string(indexPageBytes)
+		newBase := fmt.Sprintf("<base href=\"%s\"/>", basePath)
+		indexPageStr = strings.Replace(indexPageStr, "<base href=\"/\"/>", newBase, 1)
+		indexPageBytes = []byte(indexPageStr)
+
+	}
 	return indexPageBytes
 }