
Commit 2afcd2e

committed
remove query params with @ after successful injection into JSON Body
1 parent c4ec34e commit 2afcd2e


1 file changed

+11
-1
lines changed

1 file changed

+11
-1
lines changed

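--- a/internals/proxy/proxy.go
+++ b/internals/proxy/proxy.go
@@ -103,7 +103,11 @@ func AuthMiddleware(next http.Handler) http.Handler {
 if authToken == token {
 success = true
 
-req.URL.Query().Del("@authorization")
+modifiedQuery := req.URL.Query()
+
+modifiedQuery.Del("@authorization")
+
+req.URL.RawQuery = modifiedQuery.Encode()
 }
 }
 
@@ -166,15 +170,21 @@ func TemplatingMiddleware(next http.Handler, VARIABLES map[string]string) http.H
 query, _ := renderTemplate("query", req.URL.RawQuery, VARIABLES)
 
 queryData, _ := url.ParseQuery(query)
+
+modifiedQuery := req.URL.Query()
 
 for key, value := range queryData {
 keyWithoutPrefix, found := strings.CutPrefix(key, "@")
 
 if found {
 modifiedBodyData[keyWithoutPrefix] = value
+
+modifiedQuery.Del(key)
 }
 }
 
+req.URL.RawQuery = modifiedQuery.Encode()
+
 modifiedBodyBytes, err = json.Marshal(modifiedBodyData)
 
 if err != nil {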
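Review bot: In the TemplatingMiddleware hunk the keys to delete come from `queryData`, which is parsed from the rendered `query`, but they are deleted from `modifiedQuery`, which is parsed from the unrendered `req.URL.RawQuery`. If rendering changes a key name, `modifiedQuery.Del(key)` misses it and the `@` parameter is still forwarded upstream; `req.URL.RawQuery = modifiedQuery.Encode()` also writes back the untemplated values. Whether `query` is assigned to the URL elsewhere is not visible, since the function continues outside the hunk. Assuming the rendered query is what should be forwarded, working on one map avoids both problems: `queryData.Del(key)` inside the loop and `req.URL.RawQuery = queryData.Encode()` after it. Separately, the context line `if authToken == token` in the AuthMiddleware hunk compares a secret with `==`; `subtle.ConstantTimeCompare` from `crypto/subtle` avoids a timing difference there.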
