fix: escape use input in debug route (#1299)

## Which problem is this PR solving? - The debug endpoint doesn't sanitize the user input before using it in the response. ## Short description of the changes - use `html.EscapeString` to escape the user's input string for use in refinery and the response.
honeycombio · Aug 26, 2024 · ea810a5 · ea810a5
1 parent 7c56f56
commit ea810a5
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/route/route.go b/route/route.go
@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"html"
 	"io"
 	"math"
 	"net"
@@ -303,7 +304,7 @@ func (r *Router) version(w http.ResponseWriter, req *http.Request) {
 func (r *Router) debugTrace(w http.ResponseWriter, req *http.Request) {
 	traceID := mux.Vars(req)["traceID"]
 	shard := r.Sharder.WhichShard(traceID)
-	w.Write([]byte(fmt.Sprintf(`{"traceID":"%s","node":"%s"}`, traceID, shard.GetAddress())))
+	w.Write([]byte(fmt.Sprintf(`{"traceID":"%s","node":"%s"}`, html.EscapeString(traceID), shard.GetAddress())))
 }
 
 func (r *Router) getSamplerRules(w http.ResponseWriter, req *http.Request) {