From 4add6475016b3a29d1f9c00846bd59415684e611 Mon Sep 17 00:00:00 2001
From: Ben McClelland
Date: Fri, 31 Jan 2025 16:38:21 -0800
Subject: [PATCH] fix: potentially unsafe quoting in ipa iam

CodeQL flagged a possible unsafe quoting in ipa iam code.

Code that constructs a quoted string literal containing user-provided data needs to ensure that this data does not itself contain a quote. Otherwise the embedded data could (accidentally or intentionally) terminate the string literal early and thereby change the structure of the overall string, with potentially severe consequences. If, for example, the string is later used as part of an operating-system command or database query, an attacker may be able to craft input data that injects a malicious command.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 auth/iam_ipa.go | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/auth/iam_ipa.go b/auth/iam_ipa.go
index a49a532..1856cae 100644
--- a/auth/iam_ipa.go
+++ b/auth/iam_ipa.go
@@ -354,15 +354,18 @@ func (ipa *IpaIAMService) newRequest(method string, args []string, dict map[stri
 return "", fmt.Errorf("ipa request invalid: %w", err)
 }
 
- return fmt.Sprintf(`{
- "id": %d,
- "method": %s,
- "params": [
- %s,
- %s
- ]
+ request := map[string]interface{}{
+ "id": id,
+ "method": json.RawMessage(jmethod),
+ "params": []json.RawMessage{json.RawMessage(jargs), json.RawMessage(jdict)},
 }
- `, id, jmethod, jargs, jdict), nil
+
+ requestJSON, err := json.Marshal(request)
+ if err != nil {
+ return "", fmt.Errorf("failed to marshal request: %w", err)
+ }
+
+ return string(requestJSON), nil
 }
 
 // pkcs7Unpad validates and unpads data from the given bytes slice.
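Review bot: The new failure path `return "", fmt.Errorf("failed to marshal request: %w", err)` uses a "failed to" prefix that the neighbouring error in the same function avoids (`"ipa request invalid: %w"`); for consistency and because the prefix is redundant once the error is wrapped, prefer `return "", fmt.Errorf("ipa request marshal: %w", err)`. The security reasoning behind the change is worth a one-line comment on the `request :=` line so the next maintainer does not revert to Sprintf, e.g. `// Build the body with json.Marshal: RawMessage values are validated at marshal time, so a quote inside method/args/dict cannot break the request structure.` This assumes jmethod, jargs and jdict are already JSON-encoded earlier in the function, which the hunk does not show. newRequest begins outside the hunk.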