Merge pull request #4224 from LiilyZhang/zhangl/cp4205

Zhangl/cp4205
open-horizon · Jan 9, 2025 · bffce59 · bffce59
2 parents 503f875 + 4e2951c
commit bffce59
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 3 deletions.
diff --git a/agreementbot/api.go b/agreementbot/api.go
@@ -16,6 +16,7 @@ import (
 	"github.com/open-horizon/anax/worker"
 	"io/ioutil"
 	"net/http"
+	"regexp"
 	"sort"
 	"sync"
 	"time"
@@ -318,11 +319,24 @@ func (a *API) listen(apiListen string) {
 		return
 	}
 
+	isValidInput := func(input string) bool {
+		// Check for CR or LF characters in input
+		re := regexp.MustCompile(`[\r\n]`)
+		return !re.MatchString(input)
+	}
+
 	nocache := func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Add("Cache-Control", "no-cache, no-store, must-revalidate")
 			w.Header().Add("Pragma", "no-cache, no-store")
-			w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+
+			input := r.Header.Get("Origin")
+			if !isValidInput(input) {
+				http.Error(w, "Input contains invalid newline characters (CR/LF)", http.StatusBadRequest)
+				return
+			}
+
+			w.Header().Add("Access-Control-Allow-Origin", input)
 			w.Header().Add("Access-Control-Allow-Headers", "X-Requested-With, content-type, Authorization")
 			w.Header().Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
 			h.ServeHTTP(w, r)

diff --git a/anax-in-container/Dockerfile.ubi.amd64 b/anax-in-container/Dockerfile.ubi.amd64
@@ -4,7 +4,7 @@ LABEL vendor="IBM"
 LABEL summary="The agent in a general purpose container."
 LABEL description="A container which holds the edge node agent, to be used in environments where there is no operating system package that can install the agent natively."
 
-ARG DOCKER_VER=24.0.9
+ARG DOCKER_VER=26.1.4
 
 # The anax binary (secrets manager code) shells out to groupadd, groupdel (from shadow-utils), pkill (from procps-ng)
 # The anax.service calls jq (from jq) and killall (from psmisc)

diff --git a/api/api.go b/api/api.go
@@ -13,6 +13,7 @@ import (
 	"github.com/open-horizon/anax/policy"
 	"github.com/open-horizon/anax/worker"
 	"net/http"
+	"regexp"
 	"sync"
 )
 
@@ -133,11 +134,24 @@ func (a *API) router(includeStaticRedirects bool) *mux.Router {
 func (a *API) listen(cfg *config.HorizonConfig) {
 	glog.Info(apiLogString(fmt.Sprintf("Starting Anax API server")))
 
+	isValidInput := func(input string) bool {
+		// Check for CR or LF characters in input
+		re := regexp.MustCompile(`[\r\n]`)
+		return !re.MatchString(input)
+	}
+
 	nocache := func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Add("Cache-Control", "no-cache, no-store, must-revalidate")
 			w.Header().Add("Pragma", "no-cache, no-store")
-			w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+
+			input := r.Header.Get("Origin")
+			if !isValidInput(input) {
+				http.Error(w, "Input contains invalid newline characters (CR/LF)", http.StatusBadRequest)
+				return
+			}
+
+			w.Header().Add("Access-Control-Allow-Origin", input)
 			w.Header().Add("Access-Control-Allow-Headers", "X-Requested-With, content-type, Authorization")
 			w.Header().Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
 			h.ServeHTTP(w, r)