sanitize specified URL in requests for TLS certs

Signed-off-by: Arik Hadas <[email protected]>
ahadas · May 15, 2024 · 0210cdd · 0210cdd
1 parent 3848777
commit 0210cdd
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 10 deletions.
diff --git a/pkg/controller/provider/validation.go b/pkg/controller/provider/validation.go
@@ -234,7 +234,8 @@ func (r *Reconciler) validateSecret(provider *api.Provider) (secret *core.Secret
 			})
 		}
 
-		if crt, err := util.GetTlsCertificate(provider.Spec.URL, secret); err == nil {
+		url, _ := url.Parse(provider.Spec.URL)
+		if crt, err := util.GetTlsCertificate(url, secret); err == nil {
 			provider.Status.Fingerprint = util.Fingerprint(crt)
 		} else {
 			log.Error(err, "failed to get TLS certificate", "url", provider.Spec.URL)

diff --git a/pkg/forklift-api/services/tls-certificate.go b/pkg/forklift-api/services/tls-certificate.go
@@ -4,15 +4,16 @@ import (
 	"encoding/pem"
 	"fmt"
 	"net/http"
+	"net/url"
 
 	"github.com/konveyor/forklift-controller/pkg/lib/util"
 	core "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func serveTlsCertificate(resp http.ResponseWriter, req *http.Request, client client.Client) {
-	if url := req.URL.Query().Get("URL"); url != "" {
-		log.Info("received a request to retrieve certificate", "url", url)
+	if url, err := url.Parse(req.URL.Query().Get("URL")); err == nil {
+		log.Info("received a request to retrieve certificate", "URL", url)
 		secret := &core.Secret{
 			Data: map[string][]byte{"insecureSkipVerify": []byte("true")},
 		}
@@ -31,6 +32,7 @@ func serveTlsCertificate(resp http.ResponseWriter, req *http.Request, client cli
 			http.Error(resp, err.Error(), http.StatusInternalServerError)
 		}
 	} else {
-		http.Error(resp, "Required parameter is missing: URL", http.StatusBadRequest)
+		log.Error(err, "received invalid URL", "URL", req.URL.Query().Get("URL"))
+		http.Error(resp, "Required parameter is invalid: URL", http.StatusBadRequest)
 	}
 }
diff --git a/pkg/lib/util/util.go b/pkg/lib/util/util.go
@@ -14,19 +14,18 @@ import (
 	core "k8s.io/api/core/v1"
 )
 
-func GetTlsCertificate(url string, secret *core.Secret) (crt *x509.Certificate, err error) {
+func GetTlsCertificate(url *liburl.URL, secret *core.Secret) (crt *x509.Certificate, err error) {
 	cfg, err := tlsConfig(secret)
 	if err != nil {
 		return
 	}
 
-	if parsedUrl, _ := liburl.Parse(url); parsedUrl.Port() == "" {
-		url = parsedUrl.Host + ":443"
-	} else {
-		url = parsedUrl.Host
+	host := url.Host
+	if url.Port() == "" {
+		host += ":443"
 	}
 
-	conn, err := tls.Dial("tcp", url, cfg)
+	conn, err := tls.Dial("tcp", host, cfg)
 	if err == nil && len(conn.ConnectionState().PeerCertificates) > 0 {
 		crt, err = x509.ParseCertificate(conn.ConnectionState().PeerCertificates[0].Raw)
 	} else {