
Security: Sensitive Header Names Not Validated for Env Var Safety#5723

Open
tomaioo wants to merge 1 commit into
stacklok:mainfrom
tomaioo:fix/security/sensitive-header-names-not-validated-for

Conversation


@tomaioo tomaioo commented Jul 4, 2026


Summary

Security: Sensitive Header Names Not Validated for Env Var Safety

Problem

Severity: Medium | File: cmd/thv-operator/pkg/controllerutil/telemetry.go:L52

In GenerateOpenTelemetryEnvVarsFromRef, the normalizeHeaderEnvVarName function converts header names to environment variable names by only replacing dashes with underscores and uppercasing. However, it does not validate that the resulting string is a valid environment variable name (e.g., it could start with a digit, contain invalid characters, or be empty). This could lead to invalid environment variable configurations in pods. More critically, if a malicious user can control header names through the CRD, they could potentially craft header names that cause unexpected behavior or conflicts with system environment variables.

Solution

Add validation to normalizeHeaderEnvVarName to ensure the resulting environment variable name is valid: must start with a letter or underscore, contain only alphanumeric characters and underscores, and not exceed standard env var length limits. Also consider adding a prefix to avoid collisions with system environment variables.

Changes

  • cmd/thv-operator/pkg/controllerutil/telemetry.go (modified)

In `GenerateOpenTelemetryEnvVarsFromRef`, the `normalizeHeaderEnvVarName` function converts header names to environment variable names by only replacing dashes with underscores and uppercasing. However, it does not validate that the resulting string is a valid environment variable name (e.g., it could start with a digit, contain invalid characters, or be empty). This could lead to invalid environment variable configurations in pods. More critically, if a malicious user can control header names through the CRD, they could potentially craft header names that cause unexpected behavior or conflicts with system environment variables.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
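The validation the PR proposes, written out as an added example (this is not the PR's diff or ToolHive's own code). It keeps the dash-to-underscore-and-uppercase step the description attributes to `normalizeHeaderEnvVarName`, then rejects results that are empty, start with a digit, contain characters outside `[A-Za-z0-9_]`, or exceed a length cap, and adds a prefix so generated names cannot shadow system variables. The prefix `OTEL_HEADER_`, the 256-character cap, the `BuildHeaderEnvVars` collision check and the sample header list are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// envVarPrefix is an assumed prefix (not taken from the PR) that keeps
// generated names from colliding with variables such as PATH or HOME.
const envVarPrefix = "OTEL_HEADER_"

// maxEnvVarNameLen is an assumed cap; POSIX sets no hard limit, so pick
// something conservative for names that end up in a pod spec.
const maxEnvVarNameLen = 256

// validEnvVarName is the portable env var name syntax: a leading letter or
// underscore followed by letters, digits or underscores.
var validEnvVarName = regexp.MustCompile(`^[A-Za-z_][A-Za-z0-9_]*$`)

// naiveNormalize reproduces the behaviour the PR describes: dashes become
// underscores and the result is uppercased, with no validation at all.
func naiveNormalize(header string) string {
	return strings.ToUpper(strings.ReplaceAll(header, "-", "_"))
}

// NormalizeHeaderEnvVarName is the hardened variant: it validates the
// normalized name before prefixing it, so "1-Header", "X Api", "PATH=x" and
// "" are all rejected instead of producing a broken or colliding env var.
func NormalizeHeaderEnvVarName(header string) (string, error) {
	name := naiveNormalize(strings.TrimSpace(header))
	if name == "" {
		return "", errors.New("header name is empty")
	}
	if !validEnvVarName.MatchString(name) {
		return "", fmt.Errorf("header %q maps to invalid env var name %q", header, name)
	}
	name = envVarPrefix + name
	if len(name) > maxEnvVarNameLen {
		return "", fmt.Errorf("env var name for header %q exceeds %d characters", header, maxEnvVarNameLen)
	}
	return name, nil
}

// BuildHeaderEnvVars maps each header to its env var name and refuses input
// where two distinct headers (e.g. "x-api-key" and "x_api_key") would collapse
// onto the same variable and silently overwrite each other.
func BuildHeaderEnvVars(headers []string) (map[string]string, error) {
	out := make(map[string]string, len(headers))
	for _, h := range headers {
		name, err := NormalizeHeaderEnvVarName(h)
		if err != nil {
			return nil, err
		}
		if prev, dup := out[name]; dup {
			return nil, fmt.Errorf("headers %q and %q both map to %s", prev, h, name)
		}
		out[name] = h
	}
	return out, nil
}

func main() {
	// Constructed sample header names, including the kinds of input the
	// PR says the unvalidated function would pass through unchanged.
	samples := []string{"X-Api-Key", "Authorization", "1-Bad", "X Api", "", "PATH=evil"}
	for _, h := range samples {
		fmt.Printf("naive:     %q -> %q\n", h, naiveNormalize(h))
		name, err := NormalizeHeaderEnvVarName(h)
		if err != nil {
			fmt.Printf("validated: %q -> rejected: %v\n", h, err)
			continue
		}
		fmt.Printf("validated: %q -> %q\n", h, name)
	}
	if _, err := BuildHeaderEnvVars([]string{"x-api-key", "x_api_key"}); err != nil {
		fmt.Println("collision:", err)
	}
}
```

Validating the normalized name before the prefix is applied is deliberate: the prefix alone would hide a leading digit, but a name like `1_BAD` is still a sign that the CRD value was not a header name at all, and rejecting it at reconciliation time surfaces the problem in the operator's status instead of in a failed pod.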