Closed vmercierfr closed 7 months ago
Is your feature request related to a problem? Please describe.
The Semgrep audit tool reported that the code used for the RDS exporter homepage is vulnerable to XSS (Limited to build information and index path)
Describe the solution you'd like:
Fix the Semgrep alert:
internal/infra/http/index.go
go.lang.security.audit.xss.no-fprintf-to-responsewriter.no-fprintf-to-responsewriter
Detected 'Fprintf' or similar writing to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.
Details: https://sg.run/7oqR

```go
fmt.Fprintf(w, `<html>
<head>
<title>Prometheus RDS Exporter</title>
</head>
<body>
<h1>Prometheus RDS Exporter (%s)</h1>
<p><a href='%s'>Metrics</a></p>
</body>
</html>`, build.Version, h.metricPath)
```
here in the code
We should use Golang built-in html/template to escape characters automatically.
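As an added example for this issue (not the exporter's own code), the flagged `fmt.Fprintf` rendering next to an `html/template` replacement, so the difference can be seen on a constructed version string that carries markup. `sampleVersion`, `sampleMetricPath`, `indexData`, `renderIndexUnsafe`, `renderIndex` and `indexHandler` are names assumed here as stand-ins for `build.Version`, `h.metricPath` and the handler in `internal/infra/http/index.go`.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"log"
	"net/http"
)

// Hypothetical stand-ins for the exporter's build.Version and h.metricPath.
// The values are constructed for this example: the version deliberately
// carries markup to show what each rendering does with it.
const (
	sampleVersion    = `1.0.0<script>alert(1)</script>`
	sampleMetricPath = "/metrics"
)

// indexTemplate is parsed once at start-up. html/template (not text/template)
// picks the escaper from the context: HTML text for {{.Version}}, URL
// attribute for {{.MetricPath}}.
var indexTemplate = template.Must(template.New("index").Parse(`<html>
<head>
<title>Prometheus RDS Exporter</title>
</head>
<body>
<h1>Prometheus RDS Exporter ({{.Version}})</h1>
<p><a href="{{.MetricPath}}">Metrics</a></p>
</body>
</html>
`))

type indexData struct {
	Version    string
	MetricPath string
}

// renderIndexUnsafe reproduces the pattern Semgrep flagged: both values are
// interpolated verbatim, so any markup in them reaches the browser as markup.
func renderIndexUnsafe(version, metricPath string) string {
	return fmt.Sprintf(`<h1>Prometheus RDS Exporter (%s)</h1>
<p><a href='%s'>Metrics</a></p>`, version, metricPath)
}

// renderIndex is the html/template replacement. It returns the page as a
// string so the handler below and a test can share it.
func renderIndex(version, metricPath string) (string, error) {
	var buf bytes.Buffer
	if err := indexTemplate.Execute(&buf, indexData{Version: version, MetricPath: metricPath}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// indexHandler renders into a buffer first so a template error produces a
// clean 500 instead of a half-written page.
func indexHandler(version, metricPath string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		page, err := renderIndex(version, metricPath)
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		_, _ = w.Write([]byte(page))
	}
}

func main() {
	fmt.Println("--- fmt.Sprintf (flagged pattern) ---")
	fmt.Println(renderIndexUnsafe(sampleVersion, sampleMetricPath))
	fmt.Println("--- html/template ---")
	page, err := renderIndex(sampleVersion, sampleMetricPath)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(page)
	// To serve it: http.Handle("/", indexHandler(sampleVersion, sampleMetricPath))
}
```

With the template, the `<` and `>` in the version come out as `&lt;` and `&gt;`, and a metric path with an unsafe URL scheme is replaced by `#ZgotmplZ` in the `href`, while a normal path such as `/metrics` is left unchanged. The static markup itself is unaffected, since only the inserted values are escaped.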
Describe alternatives you've considered
n/a
Additional context