NodyHub
commented
1 year ago Closed after discussion in PR. Reasoning can be found here: https://github.com/hashicorp/go-secure-stdlib/pull/82#issuecomment-1663906217
Closed NodyHub closed 1 year ago
NodyHub
commented
1 year ago Closed after discussion in PR. Reasoning can be found here: https://github.com/hashicorp/go-secure-stdlib/pull/82#issuecomment-1663906217
Is your feature request related to a problem? Please describe. The consul licensing service (CLS) is considering to pipe the User Agent header from the request directly into the storage system. The CLS itself does not further process the value. From a defence-in-depth perspective, a sanitisation of the value before storing is recommended.
Describe the solution you'd like Sanitization of the user agent by remove "unexpected" characters or replace them by a specified one. Existing PoC implementation is here.
Describe alternatives you've considered Let the code life in an own library.
Additional context As after a discussion about sanitization, the first proposed implementation was a deny-list approach, that replaces unexpected characters. Deny-lists tend to be not complete and might miss out disallowed characters. To reduce the chance of re-inventing the wheel across our products, having a security maintained standardization would be great.