Vulnerability CWE-113 api/api.go:140

[omordyk]

Vulnerability CWE-113 api/api.go:140
http://cwe.mitre.org/data/definitions/113.html
Pr :#4210

Description:
Software places user-controlled input in HTTP headers. An attacker could inject line separators (CR/LF sequences) that could split the response message generated by the software into two messages. The second response is completely under the control of the attacker (intermediate web proxies may cache it), with could produce multiple conditions (web defacement, cache poisoning, cross-site scripting or page hijacking, see CWE-113 for full details). If software needs to generate HTTP headers depending on user-controlled input, such input should be properly neutralized (a white-list validation excluding CR/LF is recommended). Please note that cookies are received and sent in 'Cookie' header in HTTP messages, so if the software generates a Cookie from user input, the input should be properly validated as well.

api/api.go:140
w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))