validate user input for log level

Signed-off-by: hfuss <hayden.fuss@kaleido.io>

Author: onelapahead

pkg/ffapi/apiserver.go

@@ -402,7 +402,19 @@ func (as *apiServer[T]) loggingSettingsHandler(_ http.ResponseWriter, req *http.
 	}
 	logLevel := req.URL.Query().Get("level")
 	if logLevel != "" {
-		log.L(log.WithLogFieldsMap(req.Context(), map[string]string{"new_level": logLevel})).Warn("changing log level", logLevel)
+		l := log.L(log.WithLogFieldsMap(req.Context(), map[string]string{"new_level": logLevel}))
+		switch strings.ToLower(logLevel) {
+		case "error":
+		case "debug":
+		case "trace":
+		case "info":
+		case "warn":
+			// noop - all valid levels
+		default:
+			l.Warn("invalid log level")
+			return http.StatusBadRequest, i18n.NewError(req.Context(), i18n.MsgInvalidLogLevel, logLevel)
+		}
+		l.Warn("changing log level", logLevel)
 		log.SetLevel(logLevel)
 	}
 

pkg/i18n/en_base_error_messages.go

@@ -191,5 +191,5 @@ var (
 	MsgNonExistDefaultAPIVersion                   = ffe("FF00254", "Default version '%s' does not exist")
 	MsgRoutePathNotStartWithSlash                  = ffe("FF00255", "Route path '%s' must not start with '/'")
 	MsgMethodNotAllowed                            = ffe("FF00256", "Method not allowed", http.StatusMethodNotAllowed)
-	MsgMissingLogLevel                             = ffe("FF00257", "Missing log level", http.StatusBadRequest)
+	MsgInvalidLogLevel                             = ffe("FF00257", "Invalid log level: '%s'", http.StatusBadRequest)
 )