EZSCALE/terraform-provider-virtfusion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Fix path injection, sensitive attribute exposure, and error body truncation
Some checks failed
Endpoint Sync Check / check-drift (push) Successful in 50s
Details
CI / build (push) Failing after 1m26s
Details

Browse Source 
Security fixes from audit:

- Escape user-supplied strings (ext_relation_id, interface_name) with
  url.PathEscape before interpolating into API URL paths, preventing
  path traversal via crafted values like "../admin" or "foo/bar"
- Mark auth token URL attributes as Sensitive in both
  virtfusion_user_auth_token and virtfusion_user_server_auth_token
  resources, since the URL embeds the signed token
- Truncate raw API error response bodies to 500 bytes in error messages
  to prevent leaking sensitive data from verbose Laravel error responses

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andrew Murray
2026-03-16 02:07:34 -04:00
parent 6b7430b67b
commit ef8fbd530b
7 changed files with 30 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
internal/provider/resource_user_password_reset.go
View File

@@ -6,6 +6,7 @@ package provider
import (
"context"
"fmt"
"net/url"
"time"
"terraform-provider-virtfusion/internal/client"
@@ -96,7 +97,7 @@ func (r *UserPasswordResetResource) Create(ctx context.Context, req resource.Cre
return
}
apiPath := fmt.Sprintf("/users/%s/byExtRelation/resetPassword", data.ExtRelationID.ValueString())
apiPath := fmt.Sprintf("/users/%s/byExtRelation/resetPassword", url.PathEscape(data.ExtRelationID.ValueString()))
_, err := r.client.Post(ctx, apiPath, nil)
if err != nil {
resp.Diagnostics.AddError(