Merge pull request #1053 from versity/ben/fix_ipa_quoting

Potential fix for code scanning alert no. 15: Potentially unsafe quoting
2026-01-08 04:35:15 +00:00 · 2025-02-03 09:17:19 -08:00
parent 888fdd3688 4add647501
commit fd4bb8ffbc
1 changed files with 11 additions and 8 deletions
--- a/auth/iam_ipa.go
+++ b/auth/iam_ipa.go
@@ -354,15 +354,18 @@ func (ipa *IpaIAMService) newRequest(method string, args []string, dict map[stri
 		return "", fmt.Errorf("ipa request invalid: %w", err)
 	}

-	return fmt.Sprintf(`{
-		"id": %d,
-		"method": %s,
-		"params": [
-			%s,
-			%s
-		]
+	request := map[string]interface{}{
+		"id":     id,
+		"method": json.RawMessage(jmethod),
+		"params": []json.RawMessage{json.RawMessage(jargs), json.RawMessage(jdict)},
 	}
-	`, id, jmethod, jargs, jdict), nil
+
+	requestJSON, err := json.Marshal(request)
+	if err != nil {
+		return "", fmt.Errorf("failed to marshal request: %w", err)
+	}
+
+	return string(requestJSON), nil
 }

 // pkcs7Unpad validates and unpads data from the given bytes slice.