github/podinfo
1
0
Fork 0
mirror of https://github.com/stefanprodan/podinfo.git synced 2026-04-05 18:46:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #463 from stefanprodan/fix-CVE-2025-70849

Browse Source 
Fix XSS in `/store` endpoint (CVE-2025-70849)
This commit is contained in:
Stefan Prodan
2026-03-14 14:58:53 +02:00
committed by GitHub
parent 07a524ba01 550ee9f7b9
commit 83deb7fcb7
2 changed files with 57 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/api/http/store.go
View File

@@ -60,6 +60,9 @@ func (s *Server) storeReadHandler(w http.ResponseWriter, r *http.Request) {
s.ErrorResponse(w, r, span, "reading file failed", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/octet-stream")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Content-Security-Policy", "default-src 'none'")
w.WriteHeader(http.StatusAccepted)
w.Write([]byte(content))
}

54
pkg/api/http/store_test.go Normal file
View File

@@ -0,0 +1,54 @@
package http
import (
"net/http"
"net/http/httptest"
"strings"
"testing"
"github.com/gorilla/mux"
)
func TestStoreReadHandler_ContentType(t *testing.T) {
dataDir := t.TempDir()
srv := NewMockServer()
srv.config.DataPath = dataDir
// Write an HTML payload to the store.
writeReq, err := http.NewRequest("POST", "/store", strings.NewReader("<html><script>alert(1)</script></html>"))
if err != nil {
t.Fatal(err)
}
writeRR := httptest.NewRecorder()
http.HandlerFunc(srv.storeWriteHandler).ServeHTTP(writeRR, writeReq)
if writeRR.Code != http.StatusAccepted {
t.Fatalf("store write returned status %d, want %d", writeRR.Code, http.StatusAccepted)
}
// Read it back and verify Content-Type is application/octet-stream, not text/html.
hash := hash("<html><script>alert(1)</script></html>")
readReq, err := http.NewRequest("GET", "/store/"+hash, nil)
if err != nil {
t.Fatal(err)
}
readReq = mux.SetURLVars(readReq, map[string]string{"hash": hash})
readRR := httptest.NewRecorder()
http.HandlerFunc(srv.storeReadHandler).ServeHTTP(readRR, readReq)
if readRR.Code != http.StatusAccepted {
t.Fatalf("store read returned status %d, want %d", readRR.Code, http.StatusAccepted)
}
expectedHeaders := map[string]string{
"Content-Type": "application/octet-stream",
"X-Content-Type-Options": "nosniff",
"Content-Security-Policy": "default-src 'none'",
}
for header, want := range expectedHeaders {
if got := readRR.Header().Get(header); got != want {
t.Errorf("%s = %q, want %q", header, got, want)
}
}
}