diff --git a/src/common/utils/uaa/test/server.go b/src/common/utils/uaa/test/server.go
index 53a4ce432..640dc454e 100644
--- a/src/common/utils/uaa/test/server.go
+++ b/src/common/utils/uaa/test/server.go
@@ -16,6 +16,7 @@ package test
 import (
 "fmt"
+ "html"
 "io/ioutil"
 "net/http"
 "net/http/httptest"
@@ -60,12 +61,12 @@ func (t *tokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 if reqUsername == t.username && reqPasswd == t.password {
 serveToken(rw)
 } else {
- http.Error(rw, fmt.Sprintf("invalid username/password %s/%s", reqUsername, reqPasswd), http.StatusUnauthorized)
+ http.Error(rw, fmt.Sprintf("invalid username/password %s/%s", html.EscapeString(reqUsername), html.EscapeString(reqPasswd)), http.StatusUnauthorized)
 }
 } else if gt == "client_credentials" {
 serveToken(rw)
 } else {
- http.Error(rw, fmt.Sprintf("invalid grant_type: %s", gt), http.StatusBadRequest)
+ http.Error(rw, fmt.Sprintf("invalid grant_type: %s", html.EscapeString(gt)), http.StatusBadRequest)
 return
 }
 }
@@ -130,7 +131,7 @@ func (su *searchUserHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request
 http.Error(rw, "invalid request", http.StatusBadRequest)
 return
 }
- http.Error(rw, fmt.Sprintf("Invalid request, elements: %v", elements), http.StatusBadRequest)
+ http.Error(rw, html.EscapeString(fmt.Sprintf("Invalid request, elements: %v", elements)), http.StatusBadRequest)
 }
 // NewMockServer ...
diff --git a/src/core/auth/authproxy/test/server.go b/src/core/auth/authproxy/test/server.go
index f9af00e96..1fa59eae5 100644
--- a/src/core/auth/authproxy/test/server.go
+++ b/src/core/auth/authproxy/test/server.go
@@ -17,12 +17,14 @@ package test
 import (
 "encoding/json"
 "fmt"
- "github.com/goharbor/harbor/src/common/utils"
+ "html"
 "io/ioutil"
- "k8s.io/api/authentication/v1beta1"
 "net/http"
 "net/http/httptest"
 "strings"
+
+ "github.com/goharbor/harbor/src/common/utils"
+ "k8s.io/api/authentication/v1beta1"
 )
 type userEntry struct {
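Review bot: The 401 body on the `invalid username/password %s/%s` line in the tokenHandler hunk still reflects the submitted password back to the client; HTML-escaping changes the encoding of that echo, not the disclosure, and a credential written into a response body ends up in client logs and intermediaries. Even for a mock server it is safer to leave the password out, e.g. `http.Error(rw, fmt.Sprintf("invalid username/password for user %s", html.EscapeString(reqUsername)), http.StatusUnauthorized)`. Note also that http.Error already sends `Content-Type: text/plain; charset=utf-8` with `X-Content-Type-Options: nosniff`, so the escaping added here and in the grant_type branch is defence in depth rather than what prevents a browser from rendering the reflected value. tokenHandler.ServeHTTP begins before this hunk.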
@@ -60,7 +62,7 @@ func (ah *authHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 }
 }
 }
- http.Error(rw, fmt.Sprintf("Do not find entry in entrylist, username: %s", u), http.StatusUnauthorized)
+ http.Error(rw, fmt.Sprintf("Do not find entry in entrylist, username: %s", html.EscapeString(u)), http.StatusUnauthorized)
 }
 }
@@ -74,11 +76,11 @@ func (rth *reviewTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Reque
 }
 bodyBytes, err := ioutil.ReadAll(req.Body)
 if err != nil {
- http.Error(rw, fmt.Sprintf("failed to read request body, error: %v", err), http.StatusBadRequest)
+ http.Error(rw, html.EscapeString(fmt.Sprintf("failed to read request body, error: %v", err)), http.StatusBadRequest)
 }
 reviewData := &v1beta1.TokenReview{}
 if err := json.Unmarshal(bodyBytes, reviewData); err != nil {
- http.Error(rw, fmt.Sprintf("failed to decode request body, error: %v", err), http.StatusBadRequest)
+ http.Error(rw, html.EscapeString(fmt.Sprintf("failed to decode request body, error: %v", err)), http.StatusBadRequest)
 }
 defer req.Body.Close()
 for _, e := range rth.entries {
@@ -91,7 +93,7 @@ func (rth *reviewTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Reque
 }
 }
 }
- http.Error(rw, fmt.Sprintf("failed to match token: %s, entrylist: %+v", reviewData.Spec.Token, rth.entries), http.StatusUnauthorized)
+ http.Error(rw, html.EscapeString(fmt.Sprintf("failed to match token: %s, entrylist: %+v", reviewData.Spec.Token, rth.entries)), http.StatusUnauthorized)
 }
 // NewMockServer creates the mock server for testing
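Review bot: Neither error branch in the `@@ -74,11 +76,11 @@` hunk returns after `http.Error`, so a body read failure or malformed JSON writes a 400 and then continues into the token-matching loop with a zero-valued `reviewData`, ending in a second `http.Error` call on the same response (and a "superfluous response.WriteHeader" warning from net/http); the escaping change leaves that flow as it was. Add `return` directly after each of the two `http.Error(...)` calls in this hunk. reviewTokenHandler.ServeHTTP begins before and ends after the hunk.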
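Review bot: The 401 body on the `failed to match token` line in the `@@ -91,7 +93,7 @@` hunk returns the presented token together with `%+v` of the whole `rth.entries` list, which presumably holds the tokens the loop above compares against; escaping the string changes nothing about a caller with a wrong token receiving every accepted one in the response. Keep that detail out of the reply and, if it is useful for debugging, log it server-side instead: `http.Error(rw, "failed to match token", http.StatusUnauthorized)`. The enclosing ServeHTTP starts before this hunk.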