Fix: Improper Neutralization of Input During Escaping of Output Reflected cross-site scripting

[opsysdebug]

harbor/src/lib/response_recorder.go

Line 38 in ebc340a

return r.ResponseWriter.Write(data)

Directly writing user input (an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.This kind of vulnerability is also called reflected cross-site scripting, to distinguish it from other types of cross-site scripting.

fix the reflected XSS vulnerability, we should ensure that any user-controlled data written to an HTTP response is properly escaped for HTML context. In this case, the Write method of ResponseRecorder should escape the data if it is being used to write log output that may contain user input. The best way to do this is to use Go's html.EscapeString function to sanitize the data before writing it to the response. Since Write receives a byte slice, we should convert it to a string, escape it, and then write the escaped string as bytes. This change should be made in src/lib/response_recorder.go, specifically in the Write method. need to import the html package in this file to use html.EscapeString.

Please indicate you've done the following:

• Well Written Title and Summary of the PR
• Label the PR as needed. "release-note/ignore-for-release, release-note/new-feature, release-note/update, release-note/enhancement, release-note/community, release-note/breaking-change, release-note/docs, release-note/infra, release-note/deprecation"
• Accepted the DCO. Commits without the DCO will delay acceptance.
• Made sure tests are passing and test coverage is added if needed.
• Considered the docs impact and opened a new docs issue or PR with docs changes if needed in website repository.

[reasonerjt]

Considering the usage case of ResponseRecorder, which is mainly for capturing the response of Harbor's API.
Is there really a case to potentially form this attack?

[reasonerjt]

@wy65701436 Could you please double check and follow up?

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 46.69%. Comparing base (c8c11b4) to head (ad8d7d3).
⚠️ Report is 521 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #22207      +/-   ##
==========================================
+ Coverage   45.36%   46.69%   +1.32%     
==========================================
  Files         244      252       +8     
  Lines       13333    14248     +915     
  Branches     2719     2925     +206     
==========================================
+ Hits         6049     6653     +604     
- Misses       6983     7242     +259     
- Partials      301      353      +52     

Flag	Coverage Δ
unittests	46.69% <ø> (+1.32%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 178 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.