fix: mock body render missing context#630

LinuxSuRen · 2025-02-25T01:10:46Z

We highly recommend you read the contributor's documentation before starting the review process especially since this is your first contribution to this project.

It was updated on 2024/5/27

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

sonarqubecloud · 2025-02-25T01:11:12Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-actions · 2025-02-25T01:11:44Z

There are 1 test cases, failed count 0:

Name	Average	Max	Min	Count	Error
	9.875106ms	10.465689ms	9.245315ms	3	0

Reported by api-testing.

pkg/mock/in_memory.go

+	} else {
+		if h.item.Response.BodyData, err = render.RenderAsBytes("start-item", h.item.Response.Body, h.item); err != nil {
+			fmt.Printf("failed to render body: %v", err)
+		}


To fix the reflected cross-site scripting vulnerability, we need to ensure that any user-controlled data is properly sanitized or escaped before being written to the HTTP response. In this case, we can use the html.EscapeString function from the html package to escape any potentially dangerous characters in the response body.

We will modify the writeResponse function to escape the data before writing it to the response.

This change will be made in the pkg/mock/in_memory.go file.

We need to import the html package to use the html.EscapeString function.

codacy-production · 2025-02-25T01:12:42Z

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ +0.22% (target: -1.00%)	❌ 71.47% (target: 80.00%)

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (`cc5a463`)	19110	7873	41.20%
Head commit (`0122bbc`)	19399 (+289)	8035 (+162)	41.42% (+0.22%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#630)	375	268	71.47%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings Change summary preferences

_{Codacy stopped sending the deprecated coverage status on June 5th, 2024. Learn more}

LinuxSuRen and others added 2 commits February 24, 2025 06:28

fix: mock body render missing context

53acdbf

feat: add support for repo parameter in mock response body

0122bbc

LinuxSuRen added the bug Something isn't working label Feb 25, 2025

LinuxSuRen requested a review from yuluo-yx as a code owner February 25, 2025 01:10

github-advanced-security bot found potential problems Feb 25, 2025

View reviewed changes

LinuxSuRen merged commit 6908433 into master Feb 25, 2025
20 of 21 checks passed

LinuxSuRen deleted the fix/mock-body-render branch February 25, 2025 09:16

@@ -40,2 +40,3 @@
             	"github.com/gorilla/mux"
+            	"html"
             )
@@ -365,3 +366,4 @@
             	if err == nil {
-            		w.Write(data)
+            		escapedData := html.EscapeString(string(data))
+            		w.Write([]byte(escapedData))
             	} else {

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: mock body render missing context#630