From 7ac5b4f11426725a7631d3191c506ee2a3703125 Mon Sep 17 00:00:00 2001
From: Sergey Krashevich
Date: Wed, 29 Nov 2023 10:03:39 +0300
Subject: [PATCH] Ensure exit code is within valid range

The exitHandler function now properly validates the exit code provided in the query string. It checks for conversion errors and ensures the code is within the valid range of 0 to 125. If the validation fails, it responds with an HTTP 400 Bad Request error. This prevents potential misuse of the exit endpoint by restricting the exit codes to expected values.
---
 internal/api/api.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/internal/api/api.go b/internal/api/api.go
index 9f00a6bc..82830806 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -233,7 +233,14 @@ func exitHandler(w http.ResponseWriter, r *http.Request) {
 }
 s := r.URL.Query().Get("code")
- code, _ := strconv.Atoi(s)
+ code, err := strconv.Atoi(s)
+
+ // https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html#tag_18_08_02
+ if err != nil || code < 0 || code > 125 {
+ http.Error(w, "Code must be in the range [0, 125]", http.StatusBadRequest)
+ return
+ }
+
 os.Exit(code)
 }
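Review bot: A request that omits the `code` parameter is now rejected by the new `if err != nil || code < 0 || code > 125` check, because `strconv.Atoi("")` returns an error; before this change the ignored error left `code` at 0 and the process exited cleanly, so callers that relied on that default now get a 400. If the default is still wanted, handle it before parsing, for example `if s == "" { s = "0" }`. The range check narrows which status is passed to `os.Exit` but not who may trigger it: whatever method or authentication gate protects this handler sits above the hunk and is not visible here, and that gate rather than the 0–125 bound is what limits misuse of the endpoint. Since the call terminates the process, a log line recording `r.RemoteAddr` and the accepted code just before `os.Exit(code)` would leave an audit trail for the shutdown. exitHandler's body starts outside the hunk.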