Merge branch 'main' of github.com:kyma-project/busola into bump-backend

Author: OliwiaGowor

backend/common.js

@@ -7,6 +7,7 @@ const express = require('express');
 const path = require('path');
 const fs = require('fs');
 const uuid = require('uuid').v4;
+const escape = require('lodash.escape');
 
 // https://github.tools.sap/sgs/SAP-Global-Trust-List/blob/master/approved.pem
 const certs = fs.readFileSync('certs.pem', 'utf8');
@@ -47,7 +48,7 @@ export const makeHandleRequest = () => {
         id: req.id,
         method: req.method,
         url: req.url,
-        apiServerAddress: req.headers['x-cluster-url'],
+        apiServerAddress: escape(req.headers['x-cluster-url']),
         code: req.code,
         stack: req.stack,
         type: req.type,
@@ -63,6 +64,7 @@ export const makeHandleRequest = () => {
       headersData = extractHeadersData(req);
     } catch (e) {
       req.log.error('Headers error:' + e.message);
+      res.contentType('text/plain');
       res.status(400).send('Headers are missing or in a wrong format.');
       return;
     }
@@ -71,7 +73,8 @@ export const makeHandleRequest = () => {
       filters.forEach(filter => filter(req, headersData));
     } catch (e) {
       req.log.error('Filters rejected the request: ' + e.message);
-      res.status(400).send('Request ID: ' + req.id);
+      res.contentType('text/plain');
+      res.status(400).send('Request ID: ' + escape(req.id));
       return;
     }
 
@@ -120,7 +123,10 @@ export const makeHandleRequest = () => {
 
     function throwInternalServerError(originalError) {
       req.log.warn(originalError);
-      res.status(502).send('Request ID: ' + req.id);
+      res.contentType('text/plain');
+      res
+        .status(502)
+        .send('Internal server error. Request ID: ' + escape(req.id));
     }
   };
 };
@@ -143,11 +149,19 @@ function extractHeadersData(req) {
   const clientKeyDataHeader = 'x-client-key-data';
   const authorizationHeader = 'x-k8s-authorization';
   let targetApiServer;
+
   if (req.headers[urlHeader]) {
-    targetApiServer = handleDockerDesktopSubsitution(
-      new URL(req.headers[urlHeader]),
-    );
+    try {
+      targetApiServer = handleDockerDesktopSubsitution(
+        new URL(req.headers[urlHeader]),
+      );
+    } catch (e) {
+      throw new Error('Invalid cluster URL provided.');
+    }
+  } else {
+    throw new Error('Missing required cluster URL.');
   }
+
   const ca = decodeHeaderToBuffer(req.headers[caHeader]) || certs;
   const cert = decodeHeaderToBuffer(req.headers[clientCAHeader]);
   const key = decodeHeaderToBuffer(req.headers[clientKeyDataHeader]);

backend/package-lock.json

@@ -20,6 +20,7 @@
     "https": "^1.0.0",
     "jose": "^5.2.4",
     "js-yaml": "^4.1.0",
+    "lodash.escape": "^4.0.1",
     "lodash.merge": "^4.6.2",
     "pino-http": "^5.7.0",
     "uuid": "^8.3.2"