EZSCALE/terraform-provider-virtfusion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
b86137f0b8eea9287d7ef03645c4c229c0794fbe
terraform-provider-virtfusion/internal/provider/resource_user.go
Andrew ef8fbd530b
Some checks failed
Endpoint Sync Check / check-drift (push) Successful in 50s
Details
CI / build (push) Failing after 1m26s
Details
Fix path injection, sensitive attribute exposure, and error body truncation 
Security fixes from audit:

- Escape user-supplied strings (ext_relation_id, interface_name) with
  url.PathEscape before interpolating into API URL paths, preventing
  path traversal via crafted values like "../admin" or "foo/bar"
- Mark auth token URL attributes as Sensitive in both
  virtfusion_user_auth_token and virtfusion_user_server_auth_token
  resources, since the URL embeds the signed token
- Truncate raw API error response bodies to 500 bytes in error messages
  to prevent leaking sensitive data from verbose Laravel error responses

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 02:07:34 -04:00

6.8 KiB
Raw Blame History

View Raw
Reference in New Issue View Git Blame Copy Permalink