Merge pull request #13789 from heww/fix-codeql-errors

fix: fix errors detected by codeql

src/common/utils/uaa/test/server.go

@@ -16,6 +16,7 @@ package test
 
 import (
 	"fmt"
+	"html"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
@@ -60,12 +61,12 @@ func (t *tokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		if reqUsername == t.username && reqPasswd == t.password {
 			serveToken(rw)
 		} else {
-			http.Error(rw, fmt.Sprintf("invalid username/password %s/%s", reqUsername, reqPasswd), http.StatusUnauthorized)
+			http.Error(rw, fmt.Sprintf("invalid username/password %s/%s", html.EscapeString(reqUsername), html.EscapeString(reqPasswd)), http.StatusUnauthorized)
 		}
 	} else if gt == "client_credentials" {
 		serveToken(rw)
 	} else {
-		http.Error(rw, fmt.Sprintf("invalid grant_type: %s", gt), http.StatusBadRequest)
+		http.Error(rw, fmt.Sprintf("invalid grant_type: %s", html.EscapeString(gt)), http.StatusBadRequest)
 		return
 	}
 }
@@ -130,7 +131,7 @@ func (su *searchUserHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request
 		http.Error(rw, "invalid request", http.StatusBadRequest)
 		return
 	}
-	http.Error(rw, fmt.Sprintf("Invalid request, elements: %v", elements), http.StatusBadRequest)
+	http.Error(rw, html.EscapeString(fmt.Sprintf("Invalid request, elements: %v", elements)), http.StatusBadRequest)
 }
 
 // NewMockServer ...

src/core/auth/authproxy/test/server.go

@@ -17,12 +17,14 @@ package test
 import (
 	"encoding/json"
 	"fmt"
-	"github.com/goharbor/harbor/src/common/utils"
+	"html"
 	"io/ioutil"
-	"k8s.io/api/authentication/v1beta1"
 	"net/http"
 	"net/http/httptest"
 	"strings"
+
+	"github.com/goharbor/harbor/src/common/utils"
+	"k8s.io/api/authentication/v1beta1"
 )
 
 type userEntry struct {
@@ -60,7 +62,7 @@ func (ah *authHandler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 				}
 			}
 		}
-		http.Error(rw, fmt.Sprintf("Do not find entry in entrylist, username: %s", u), http.StatusUnauthorized)
+		http.Error(rw, fmt.Sprintf("Do not find entry in entrylist, username: %s", html.EscapeString(u)), http.StatusUnauthorized)
 	}
 }
 
@@ -74,11 +76,11 @@ func (rth *reviewTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Reque
 	}
 	bodyBytes, err := ioutil.ReadAll(req.Body)
 	if err != nil {
-		http.Error(rw, fmt.Sprintf("failed to read request body, error: %v", err), http.StatusBadRequest)
+		http.Error(rw, html.EscapeString(fmt.Sprintf("failed to read request body, error: %v", err)), http.StatusBadRequest)
 	}
 	reviewData := &v1beta1.TokenReview{}
 	if err := json.Unmarshal(bodyBytes, reviewData); err != nil {
-		http.Error(rw, fmt.Sprintf("failed to decode request body, error: %v", err), http.StatusBadRequest)
+		http.Error(rw, html.EscapeString(fmt.Sprintf("failed to decode request body, error: %v", err)), http.StatusBadRequest)
 	}
 	defer req.Body.Close()
 	for _, e := range rth.entries {
@@ -91,7 +93,7 @@ func (rth *reviewTokenHandler) ServeHTTP(rw http.ResponseWriter, req *http.Reque
 			}
 		}
 	}
-	http.Error(rw, fmt.Sprintf("failed to match token: %s, entrylist: %+v", reviewData.Spec.Token, rth.entries), http.StatusUnauthorized)
+	http.Error(rw, html.EscapeString(fmt.Sprintf("failed to match token: %s, entrylist: %+v", reviewData.Spec.Token, rth.entries)), http.StatusUnauthorized)
 }
 
 // NewMockServer creates the mock server for testing