fix: potentially unsafe quoting in ipa iam

CodeQL flagged a possible unsafe quoting in ipa iam code. Code that constructs a quoted string literal containing user-provided data needs to ensure that this data does not itself contain a quote. Otherwise the embedded data could (accidentally or intentionally) terminate the string literal early and thereby change the structure of the overall string, with potentially severe consequences. If, for example, the string is later used as part of an operating-system command or database query, an attacker may be able to craft input data that injects a malicious command. Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-01-07 04:06:23 +00:00 · 2025-01-31 16:38:21 -08:00
parent 30ad7111a6
commit 4add647501
1 changed files with 11 additions and 8 deletions
--- a/auth/iam_ipa.go
+++ b/auth/iam_ipa.go
@@ -354,15 +354,18 @@ func (ipa *IpaIAMService) newRequest(method string, args []string, dict map[stri
 		return "", fmt.Errorf("ipa request invalid: %w", err)
 	}

-	return fmt.Sprintf(`{
-		"id": %d,
-		"method": %s,
-		"params": [
-			%s,
-			%s
-		]
+	request := map[string]interface{}{
+		"id":     id,
+		"method": json.RawMessage(jmethod),
+		"params": []json.RawMessage{json.RawMessage(jargs), json.RawMessage(jdict)},
 	}
-	`, id, jmethod, jargs, jdict), nil
+
+	requestJSON, err := json.Marshal(request)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	return string(requestJSON), nil
 }

 // pkcs7Unpad validates and unpads data from the given bytes slice.