Merge pull request #127 from soulteary/fix/G705-XSS-via-taint-analysis

soulteary · web-flow · commit 7aa55354b186 · 2026-03-08T17:11:57.000+08:00
fix: XSS via taint analysis
diff --git a/internal/server/server.go b/internal/server/server.go
@@ -464,6 +464,7 @@ func executeCapturingHook(w http.ResponseWriter, ctx context.Context, matchedHoo
 			logger.Errorf("[%s] hook %s execution failed (command: %s): %v, output captured", requestID, hookID, matchedHook.ExecuteCommand, err)
 			w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 			w.WriteHeader(http.StatusInternalServerError)
+			// #nosec G705 -- response is command stdout/stderr, returned as text/plain; not interpreted as HTML
 			_, _ = fmt.Fprint(w, response)
 		} else {
 			// 为了保持向后兼容性，使用特定的错误消息
@@ -484,10 +485,12 @@ func executeCapturingHook(w http.ResponseWriter, ctx context.Context, matchedHoo
 		// 记录审计日志：执行成功
 		audit.LogHookExecuted(requestID, hookID, ip, userAgent, durationMS)
 
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		// Check if a success return code is configured for the hook
 		if matchedHook.SuccessHttpResponseCode != 0 {
 			writeHttpResponseCode(w, requestID, matchedHook.ID, matchedHook.SuccessHttpResponseCode)
 		}
+		// #nosec G705 -- response is command stdout/stderr, returned as text/plain; not interpreted as HTML
 		_, _ = fmt.Fprint(w, response)
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -464,6 +464,7 @@ func executeCapturingHook(w http.ResponseWriter, ctx context.Context, matchedHoo`
`464`	`464`	`logger.Errorf("[%s] hook %s execution failed (command: %s): %v, output captured", requestID, hookID, matchedHook.ExecuteCommand, err)`
`465`	`465`	`w.Header().Set("Content-Type", "text/plain; charset=utf-8")`
`466`	`466`	`w.WriteHeader(http.StatusInternalServerError)`
	`467`	`+ // #nosec G705 -- response is command stdout/stderr, returned as text/plain; not interpreted as HTML`
`467`	`468`	`_, _ = fmt.Fprint(w, response)`
`468`	`469`	`} else {`
`469`	`470`	`// 为了保持向后兼容性，使用特定的错误消息`
`@@ -484,10 +485,12 @@ func executeCapturingHook(w http.ResponseWriter, ctx context.Context, matchedHoo`
`484`	`485`	`// 记录审计日志：执行成功`
`485`	`486`	`audit.LogHookExecuted(requestID, hookID, ip, userAgent, durationMS)`
`486`	`487`
	`488`	`+ w.Header().Set("Content-Type", "text/plain; charset=utf-8")`
`487`	`489`	`// Check if a success return code is configured for the hook`
`488`	`490`	`if matchedHook.SuccessHttpResponseCode != 0 {`
`489`	`491`	`writeHttpResponseCode(w, requestID, matchedHook.ID, matchedHook.SuccessHttpResponseCode)`
`490`	`492`	`}`
	`493`	`+ // #nosec G705 -- response is command stdout/stderr, returned as text/plain; not interpreted as HTML`
`491`	`494`	`_, _ = fmt.Fprint(w, response)`
`492`	`495`	`}`
`493`	`496`	`}`