From c2f60bd7523eceeb7120853849b4923fd8e88519 Mon Sep 17 00:00:00 2001
From: Oleksandr Mordyk
Date: Mon, 16 Dec 2024 04:55:42 -0800
Subject: [PATCH] Issue #4208 - Fix vulnerability CWE-113

Signed-off-by: Oleksandr Mordyk
---
 agreementbot/api.go | 16 +++++++++++++++-
 api/api.go          | 16 +++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/agreementbot/api.go b/agreementbot/api.go
index ba2dc8453..2e16418c7 100644
--- a/agreementbot/api.go
+++ b/agreementbot/api.go
@@ -16,6 +16,7 @@ import (
 	"github.com/open-horizon/anax/worker"
 	"io/ioutil"
 	"net/http"
+	"regexp"
 	"sort"
 	"sync"
 	"time"
@@ -318,11 +319,24 @@ func (a *API) listen(apiListen string) {
 		return
 	}
 
+	isValidInput := func(input string) bool {
+		// Check for CR or LF characters in input
+		re := regexp.MustCompile(`[\r\n]`)
+		return !re.MatchString(input)
+	}
+
 	nocache := func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Add("Cache-Control", "no-cache, no-store, must-revalidate")
 			w.Header().Add("Pragma", "no-cache, no-store")
-			w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+
+			input := r.Header.Get("Origin")
+			if !isValidInput(input) {
+				http.Error(w, "Input contains invalid newline characters (CR/LF)", http.StatusBadRequest)
+				return
+			}
+
+			w.Header().Add("Access-Control-Allow-Origin", input)
 			w.Header().Add("Access-Control-Allow-Headers", "X-Requested-With, content-type, Authorization")
 			w.Header().Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
 			h.ServeHTTP(w, r)
diff --git a/api/api.go b/api/api.go
index 978e8c291..6649add85 100644
--- a/api/api.go
+++ b/api/api.go
@@ -13,6 +13,7 @@ import (
 	"github.com/open-horizon/anax/policy"
 	"github.com/open-horizon/anax/worker"
 	"net/http"
+	"regexp"
 	"sync"
 )
 
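Review bot: The new guard only rejects CR/LF in `Origin`; the line right after it, `w.Header().Add("Access-Control-Allow-Origin", input)`, still echoes whatever origin the caller supplies, so the API stays reachable cross-origin from any site — the check a reviewer would expect here compares `input` against a configured set of allowed origins and omits the header (or answers 403) when it does not match. Go's `net/http` header writer already replaces CR and LF in response header values with spaces when the headers are written, so the explicit rejection is defense in depth rather than the thing that closes the injection; a one-line comment on `isValidInput` should say so, e.g. `// net/http neutralizes CR/LF on write; reject them explicitly so a malformed Origin is never reflected.` The same two points apply to the matching hunk in api/api.go. `listen` continues past the end of this hunk.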
@@ -133,11 +134,24 @@ func (a *API) router(includeStaticRedirects bool) *mux.Router {
 func (a *API) listen(cfg *config.HorizonConfig) {
 	glog.Info(apiLogString(fmt.Sprintf("Starting Anax API server")))
 
+	isValidInput := func(input string) bool {
+		// Check for CR or LF characters in input
+		re := regexp.MustCompile(`[\r\n]`)
+		return !re.MatchString(input)
+	}
+
 	nocache := func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Add("Cache-Control", "no-cache, no-store, must-revalidate")
 			w.Header().Add("Pragma", "no-cache, no-store")
-			w.Header().Add("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+
+			input := r.Header.Get("Origin")
+			if !isValidInput(input) {
+				http.Error(w, "Input contains invalid newline characters (CR/LF)", http.StatusBadRequest)
+				return
+			}
+
+			w.Header().Add("Access-Control-Allow-Origin", input)
 			w.Header().Add("Access-Control-Allow-Headers", "X-Requested-With, content-type, Authorization")
 			w.Header().Add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
 			h.ServeHTTP(w, r)
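Review bot: `regexp.MustCompile` sits inside `isValidInput`, which runs on every request, so the pattern is recompiled per request; `strings.ContainsAny` performs the same check with no regexp and no compile step: `return !strings.ContainsAny(input, "\r\n")` (this also makes the added `regexp` import unnecessary, assuming `strings` is already imported — not visible in this hunk). The closure is duplicated verbatim in agreementbot/api.go; a single shared helper would keep the two checks from drifting apart. `listen` continues past the end of this hunk.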