Cross-Site Scripting: Reflected in tcp.go

[hpraj2786]

Source Location : tcp.go:110 Code Snippet: clientConn.Close() } else { _, err = clientConn.Write(data[:length]) if err != nil { klog.Errorf("Error writing the first 4k of proxy data: %v", err)

Source Location: tcp.go:65

Code Snippet: data := make([]byte, 16384)

length, err := conn.Read(data)
if err != nil {
    klog.V(4).ErrorS(err, "Error reading data from the connection")

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[strongjz]

@hpraj2786 Could you explain the issue in some more depth, just posting code is not helpful.

/triage needs-information

[hpraj2786]

@strongjz

The error for reading data from conn is not handled properly, possibly causing the program to fail silently. Also, closing the connection (clientConn.Close()) without properly handling the error in the else branch after attempting to write to the connection.

[hpraj2786]

FORTIFY software is reporting this issue as Cross-Site Scripting.

[longwuyuan]

@hpraj2786 can you create a kind cluster and run a deployment. Then send a curl request and show the cross-site-scripting occuring .

[longwuyuan]

/remove-kind bug

[github-actions[bot]]

This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.