Validate /dump-* requests method & add some logging

yhabteab · julianbrost · commit 496119da3061 · 2023-05-26T16:11:49.000+02:00
diff --git a/internal/listener/listener.go b/internal/listener/listener.go
@@ -168,6 +168,8 @@ func (l *Listener) checkDebugPassword(w http.ResponseWriter, r *http.Request) bo
 
 	_, providedPassword, _ := r.BasicAuth()
 	if subtle.ConstantTimeCompare([]byte(expectedPassword), []byte(providedPassword)) != 1 {
+		l.logger.Warnw("Unauthorized request", zap.String("url", r.RequestURI))
+
 		w.Header().Set("WWW-Authenticate", `Basic realm="debug"`)
 		w.WriteHeader(http.StatusUnauthorized)
 		_, _ = fmt.Fprintln(w, "please provide the debug-password as basic auth credentials (user is ignored)")
@@ -178,6 +180,12 @@ func (l *Listener) checkDebugPassword(w http.ResponseWriter, r *http.Request) bo
 }
 
 func (l *Listener) DumpConfig(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_, _ = fmt.Fprintln(w, "GET required")
+		return
+	}
+
 	if !l.checkDebugPassword(w, r) {
 		return
 	}
@@ -188,6 +196,12 @@ func (l *Listener) DumpConfig(w http.ResponseWriter, r *http.Request) {
 }
 
 func (l *Listener) DumpIncidents(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_, _ = fmt.Fprintln(w, "GET required")
+		return
+	}
+
 	if !l.checkDebugPassword(w, r) {
 		return
 	}
