Don't echo back the provided path on a 404 error

This gets flagged up by security scans a potential cross-site scripting vector - I suspect that this would be quite difficult to exploit for real, but I'm making this fix because it removes spurious XSS warnings on scans but doesn't affect useful function. Signed-off-by: Rob Day <rkd@rkd.me.uk>
fluent · Jun 22, 2021 · 355e555 · 355e555
1 parent 5bc4c6b
commit 355e555
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/fluent/plugin_helper/http_server/router.rb b/lib/fluent/plugin_helper/http_server/router.rb
@@ -22,7 +22,7 @@ module HttpServer
       class Router
         class NotFoundApp
           def self.call(req)
-            [404, { 'Content-Type' => 'text/plain' }, "404 Not Found: #{req.path}\n"]
+            [404, { 'Content-Type' => 'text/plain' }, "404 Not Found\n"]
           end
         end
 

diff --git a/test/plugin_helper/http_server/test_route.rb b/test/plugin_helper/http_server/test_route.rb
@@ -20,7 +20,7 @@ class HttpHelperRouterTest < Test::Unit::TestCase
       test 'use default app if path is not found' do
         router = Fluent::PluginHelper::HttpServer::Router.new
         req = flexmock('request', path: 'path/')
-        assert_equal(router.route!(:get, '/path/', req), [404, { 'Content-Type' => 'text/plain' }, "404 Not Found: #{req.path}\n"])
+        assert_equal(router.route!(:get, '/path/', req), [404, { 'Content-Type' => 'text/plain' }, "404 Not Found\n"])
       end
 
       test 'default app is configurable' do