fix: Added URL Param Parsing for better security (#33)

Signed-off-by: Soorya U <[email protected]>
puneeth072003 · Dec 30, 2024 · b38c54b · b38c54b
1 parent f4a8de9
commit b38c54b
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 4 deletions.
diff --git a/src/github/controllers/initializers/fetchPRdesc.go b/src/github/controllers/initializers/fetchPRdesc.go
@@ -3,15 +3,26 @@ package initializers
 import (
 	"encoding/json"
 	"fmt"
+	"github/utils"
 	"io"
 	"net/http"
+	"net/url"
+	"strconv"
 )
 
 // FetchPullRequestDescription fetches the description of a pull request
 func FetchPullRequestDescription(owner, repo string, prNumber int) (string, error) {
-	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/pulls/%d", owner, repo, prNumber)
+	owner, repo, err := utils.CleanURLParams(owner, repo, prNumber)
+	if err != nil {
+		return "", err
+	}
+
+	reqUrl, err := url.JoinPath("https://api.github.com", "repos", owner, repo, "pulls", strconv.Itoa(123))
+	if err != nil {
+		return "", fmt.Errorf("unable to construct request url: %v", err)
+	}
 
-	req, _ := http.NewRequest("GET", url, nil)
+	req, _ := http.NewRequest("GET", reqUrl, nil)
 	req.Header.Set("Accept", "application/vnd.github.v3+json")
 
 	client := &http.Client{}

diff --git a/src/github/controllers/initializers/fetchPRfiles.go b/src/github/controllers/initializers/fetchPRfiles.go
@@ -3,15 +3,26 @@ package initializers
 import (
 	"encoding/json"
 	"fmt"
+	"github/utils"
 	"io"
 	"net/http"
+	"net/url"
+	"strconv"
 )
 
 // Fetch the list of changed files in the pull request
 func FetchPullRequestFiles(owner, repo string, prNumber int) ([]map[string]interface{}, error) {
-	url := fmt.Sprintf("https://api.github.com/repos/%s/%s/pulls/%d/files", owner, repo, prNumber)
+	owner, repo, err := utils.CleanURLParams(owner, repo, prNumber)
+	if err != nil {
+		return nil, err
+	}
+
+	reqUrl, err := url.JoinPath("https://api.github.com", "repos", owner, repo, "pulls", strconv.Itoa(123), "files")
+	if err != nil {
+		return nil, fmt.Errorf("unable to construct request url: %v", err)
+	}
 
-	req, _ := http.NewRequest("GET", url, nil)
+	req, _ := http.NewRequest("GET", reqUrl, nil)
 	req.Header.Set("Accept", "application/vnd.github.v3+json")
 
 	client := &http.Client{}

diff --git a/src/github/utils/cleanurl.go b/src/github/utils/cleanurl.go
@@ -0,0 +1,20 @@
+package utils
+
+import (
+	"fmt"
+	"net/url"
+	"regexp"
+)
+
+func CleanURLParams(owner, repo string, prNumber int) (string, string, error) {
+	owner = url.QueryEscape(owner)
+	repo = url.QueryEscape(repo)
+
+	githubNameRegex := regexp.MustCompile(`^[a-zA-Z0-9-]+$`)
+
+	if !githubNameRegex.MatchString(owner) || !githubNameRegex.MatchString(repo) || prNumber <= 0 {
+		return "", "", fmt.Errorf("unable to clean url params")
+	}
+
+	return owner, repo, nil
+}