This is an automated email from the ASF dual-hosted git repository.
tzimanyi pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-kie-tools.git
The following commit(s) were added to refs/heads/main by this push:
new 51be06e7eb3 [kie-tools#3342] Handle reported SAST problems (#3343)
51be06e7eb3 is described below
commit 51be06e7eb3c12a4ffa699c59660e3dd5264102c
Author: Tibor Zimányi <[email protected]>
AuthorDate: Tue Nov 11 16:37:26 2025 +0100
[kie-tools#3342] Handle reported SAST problems (#3343)
---
packages/cors-proxy/src/proxy/ExpressCorsProxy.ts | 21 ++++++++++++---
packages/cors-proxy/src/proxy/git.ts | 33 ++++++++++++-----------
2 files changed, 34 insertions(+), 20 deletions(-)
diff --git a/packages/cors-proxy/src/proxy/ExpressCorsProxy.ts
b/packages/cors-proxy/src/proxy/ExpressCorsProxy.ts
index b8a78f313c5..6cede0a2a37 100644
--- a/packages/cors-proxy/src/proxy/ExpressCorsProxy.ts
+++ b/packages/cors-proxy/src/proxy/ExpressCorsProxy.ts
@@ -56,8 +56,8 @@ export class ExpressCorsProxy implements CorsProxy<Request,
Response> {
const info = this.resolveRequestInfo(req);
this.logger.log("New request: ", info.targetUrl);
- this.logger.debug("Request Method: ", req.method);
- this.logger.debug("Request Headers: ", req.headers);
+ this.logger.debugEscapeNewLines("Request Method: ", req.method);
+ this.logger.debugEscapeNewLines("Request Headers: ", req.headers);
// Creating the headers for the new request
const outHeaders: Record<string, string> = {
...info?.corsConfig?.customHeaders };
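Review bot: The new `Request Headers:` debug line dumps the complete incoming header set, which on a proxy that presumably forwards `Authorization` to the upstream git host means bearer tokens land in the log whenever verbose mode is on; redact credential-bearing headers first, e.g. `const { authorization, cookie, ...loggedHeaders } = req.headers;` and pass `loggedHeaders` instead of `req.headers`. Note also that `req.headers` is an object, so a helper whose escaping works on strings (as its name suggests) cannot escape anything inside it unless it stringifies the value first. The enclosing method starts before this hunk.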
@@ -80,7 +80,7 @@ export class ExpressCorsProxy implements CorsProxy<Request,
Response> {
}
this.logger.log("Proxying to: ", info.proxyUrl.toString());
- this.logger.debug("Proxy Method: ", req.method);
+ this.logger.debugEscapeNewLines("Proxy Method: ", req.method);
this.logger.debug("Proxy Headers: ", outHeaders);
const proxyResponse = await fetch(info.proxyUrl, {
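Review bot: The `Proxy Headers:` line right after the changed one still goes through plain `debug`, while the request method and incoming headers now use `debugEscapeNewLines`; `outHeaders` is seeded from `customHeaders` in the previous hunk and, I assume, from forwarded request headers, so it is the same class of attacker-influenced value and should be logged the same way, `this.logger.debugEscapeNewLines("Proxy Headers: ", outHeaders);`. If `outHeaders` carries a forwarded `Authorization` header, the same credential-redaction concern applies here. The enclosing method continues outside the hunk.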
@@ -152,7 +152,7 @@ export class ExpressCorsProxy implements CorsProxy<Request,
Response> {
return new ProxyRequestInfo({
targetUrl,
proxyUrl: proxyUrlString,
- corsConfig: this.resolveCorsConfig(targetUrl, request),
+ corsConfig: this.resolveCorsConfig(proxyUrlString ?? targetUrl, request),
insecurelyDisableTLSCertificateValidation:
request.headers[CorsProxyHeaderKeys.INSECURELY_DISABLE_TLS_CERTIFICATE_VALIDATION]
=== "true",
});
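Review bot: The switch to `proxyUrlString ?? targetUrl` changes which URL selects the CORS policy without recording why, and `??` only falls back on null/undefined, so an empty-string `proxyUrlString` would be handed to `resolveCorsConfig` as-is; add a comment such as `// Resolve the CORS policy against the URL that is actually fetched (the rewritten proxy URL when one applies), not the client-named target.` and, if an empty proxy URL is possible, use `||` or an explicit check. Unrelated to this change but worth noting while here: the adjacent context line lets any client disable upstream TLS certificate validation with a request header, which deserves at least a comment stating it is intended only for local development. `resolveRequestInfo` starts before this hunk.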
@@ -231,6 +231,19 @@ class Logger {
console.debug(message, arg ?? "");
}
+ /**
+ * This is used when some very basic user input sanitization is needed
before it is posted in the logs,
+ * to avoid completely uncontrolled logging of user input.
+ * @param message
+ * @param arg
+ */
+ public debugEscapeNewLines(message: string, arg?: any) {
+ if (!this.verbose) {
+ return;
+ }
+ console.debug(message.replace(/\r?\n|\r/g, "_"), arg ?? "");
+ }
+
public warn(message: string, arg?: any) {
console.warn(message, arg ?? "");
}
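Review bot: `debugEscapeNewLines` escapes the wrong argument: the `replace` runs on `message`, which at every call site in this commit is a fixed literal such as `"Request Method: "`, while the untrusted value (`req.method`, `req.headers`) is `arg` and is printed unchanged, so a method string containing CR/LF still forges log lines and the SAST finding is not actually addressed. Escape the value instead, e.g. `const rendered = typeof arg === "string" ? arg : JSON.stringify(arg);` followed by `console.debug(message, (rendered ?? "").replace(/\r?\n|\r/g, "_"));`, which also gives object arguments such as the headers map a single-line rendering. The doc comment should then state that `arg` is the untrusted value being sanitized, and consider stripping other control characters too (`/[\x00-\x1f\x7f]/g`), since ANSI escape sequences are another common log-forging vector. The `Logger` class begins before this hunk.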
diff --git a/packages/cors-proxy/src/proxy/git.ts
b/packages/cors-proxy/src/proxy/git.ts
index 64943615f93..b40c210d518 100644
--- a/packages/cors-proxy/src/proxy/git.ts
+++ b/packages/cors-proxy/src/proxy/git.ts
@@ -87,35 +87,36 @@ export const GIT_CORS_CONFIG: CorsConfig = {
};
export const isGitOperation = (targetUrl: string, method: string, headers:
Record<string, string> = {}) => {
- const parsedUrl = url.parse(targetUrl, true);
+ const targetURL = new URL(targetUrl);
+ const searchParams = new URLSearchParams(targetURL.search);
return (
- isPreflightInfoRefs(parsedUrl, method) ||
- isInfoRefs(parsedUrl, method) ||
- isPreflightPull(parsedUrl, method, headers) ||
- isPull(parsedUrl, method, headers) ||
- isPreflightPush(parsedUrl, method, headers) ||
- isPush(parsedUrl, method, headers)
+ isPreflightInfoRefs(targetURL, searchParams, method) ||
+ isInfoRefs(targetURL, searchParams, method) ||
+ isPreflightPull(targetURL, method, headers) ||
+ isPull(targetURL, method, headers) ||
+ isPreflightPush(targetURL, method, headers) ||
+ isPush(targetURL, method, headers)
);
};
-function isPreflightInfoRefs(url: url.UrlWithParsedQuery, method: string) {
+function isPreflightInfoRefs(url: URL, searchParams: URLSearchParams, method:
string) {
return (
method === GIT_HTTP_METHODS.OPTIONS &&
url.pathname!.endsWith(GIT_CONSTS.INFO_REFS) &&
- [GIT_CONSTS.GIT_UPLOAD_PACK,
GIT_CONSTS.GIT_RECEIVE_PACK].includes(url.query.service as string)
+ [GIT_CONSTS.GIT_UPLOAD_PACK,
GIT_CONSTS.GIT_RECEIVE_PACK].includes(searchParams.get("service") as string)
);
}
-function isInfoRefs(url: url.UrlWithParsedQuery, method: string) {
+function isInfoRefs(url: URL, searchParams: URLSearchParams, method: string) {
return (
method === GIT_HTTP_METHODS.GET &&
url.pathname!.endsWith(GIT_CONSTS.INFO_REFS) &&
- [GIT_CONSTS.GIT_UPLOAD_PACK,
GIT_CONSTS.GIT_RECEIVE_PACK].includes(url.query.service as string)
+ [GIT_CONSTS.GIT_UPLOAD_PACK,
GIT_CONSTS.GIT_RECEIVE_PACK].includes(searchParams.get("service") as string)
);
}
-function isPreflightPull(url: url.UrlWithParsedQuery, method: string, headers:
Record<string, string>) {
+function isPreflightPull(url: URL, method: string, headers: Record<string,
string>) {
return (
method === GIT_HTTP_METHODS.OPTIONS &&
headers[GIT_CONSTS.ACCESS_CONTROL_HEADERS] === GIT_CONSTS.CONTENT_TYPE &&
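Review bot: `new URL(targetUrl)` throws a `TypeError` on anything that is not an absolute URL, whereas the `url.parse` it replaces returned a best-effort object, so `isGitOperation` now raises instead of returning `false` for a malformed client-supplied target; unless the caller validates `targetUrl` first (not visible here), wrap the parse: `let targetURL: URL; try { targetURL = new URL(targetUrl); } catch { return false; }`. The separate `new URLSearchParams(targetURL.search)` is redundant because `targetURL.searchParams` already exposes the same view, and the `!` on `url.pathname!` can go now that the WHATWG `URL.pathname` is always a string. Be aware of one small semantic shift: with `url.parse(…, true)` a repeated `?service=` parameter produced an array and failed the `includes` check, while `searchParams.get` returns the first value. The `isPreflightPull` body continues past the end of the hunk.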
@@ -123,7 +124,7 @@ function isPreflightPull(url: url.UrlWithParsedQuery,
method: string, headers: R
);
}
-function isPull(url: url.UrlWithParsedQuery, method: string, headers:
Record<string, string>) {
+function isPull(url: URL, method: string, headers: Record<string, string>) {
return (
method === GIT_HTTP_METHODS.POST &&
headers[GIT_CONSTS.CONTENT_TYPE] === GIT_CONSTS.X_GIT_UPLOAD_PACK_REQUEST
&&
@@ -131,7 +132,7 @@ function isPull(url: url.UrlWithParsedQuery, method:
string, headers: Record<str
);
}
-function isPreflightPush(url: url.UrlWithParsedQuery, method: string, headers:
Record<string, string>) {
+function isPreflightPush(url: URL, method: string, headers: Record<string,
string>) {
return (
method === GIT_HTTP_METHODS.OPTIONS &&
headers[GIT_CONSTS.ACCESS_CONTROL_HEADERS] === GIT_CONSTS.CONTENT_TYPE &&
@@ -139,10 +140,10 @@ function isPreflightPush(url: url.UrlWithParsedQuery,
method: string, headers: R
);
}
-function isPush(u: url.UrlWithParsedQuery, method: string, headers:
Record<string, string>) {
+function isPush(url: URL, method: string, headers: Record<string, string>) {
return (
method === GIT_HTTP_METHODS.POST &&
headers[GIT_CONSTS.CONTENT_TYPE] === GIT_CONSTS.X_GIT_RECEIVE_PACK_REQUEST
&&
- u.pathname!.endsWith(GIT_CONSTS.GIT_RECEIVE_PACK)
+ url.pathname!.endsWith(GIT_CONSTS.GIT_RECEIVE_PACK)
);
}
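Review bot: Renaming the parameter from `u` to `url` makes it shadow the `url` module that the pre-change code imported for `url.parse`; since no code in this diff calls `url.parse` any more, that import is presumably dead and should be removed together with the shadowing, or the parameter named `target` to avoid confusion. The file's import block is outside this diff, so confirm there are no remaining uses before deleting it.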