writeSSEEvent injects eventName directly into SSE wire format with no newline sanitization #7050

@aashu2006

User Request

Type: bug
Target: Console Application
Submitted by: @aashu2006
Console Request ID: ce20ed8f-4405-415f-ae0c-e9c8462b5147

Description

What happened:
In pkg/api/handlers/sse.go:71, eventName is interpolated directly into the SSE wire format:

fmt.Fprintf(w, "event: %s\ndata: %s\n\n", eventName, jsonData)

All current callers pass constants, but the function accepts any string. A future caller passing a user-controlled value containing \ndata: injected\n\n would produce additional injected SSE frames in the stream.

What I expected:
eventName should be validated against the allowed constant set or sanitized by replacing \n and \r characters before formatting.

Steps to reproduce:

  1. Call writeSSEEvent with an eventName containing \ndata: injected\n\n
  2. Observe an additional injected SSE event in the stream output

This issue was automatically created from the KubeStellar Console.
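The following is an added example, not code from the KubeStellar project or from the issue author. It contrasts the pattern the issue describes (eventName formatted straight into the frame) with a hardened writer that checks the name against an allow-list and refuses CR/LF, plus the strip-based sanitizer the issue mentions as the alternative. The allow-list contents and the function names are assumptions; the real constants in pkg/api/handlers/sse.go are not shown on the issue page. countFrames is a small helper for making the effect visible: a name that smuggles a newline yields two frames through the unsafe writer and an error from the hardened one.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Hypothetical allow-list of event names. In a real handler this would be
// the project's own constant set; these three are made up for the example.
var allowedEvents = map[string]bool{
	"message":   true,
	"heartbeat": true,
	"error":     true,
}

var ErrInvalidEventName = errors.New("sse: event name rejected (not in allow-list or contains CR/LF)")

// writeSSEEventUnsafe reproduces the pattern the issue describes: the name
// goes into the wire format unchanged, so a CR/LF in it breaks the frame.
func writeSSEEventUnsafe(w io.Writer, eventName string, payload any) error {
	jsonData, err := json.Marshal(payload)
	if err != nil {
		return err
	}
	_, err = fmt.Fprintf(w, "event: %s\ndata: %s\n\n", eventName, jsonData)
	return err
}

// writeSSEEvent is the hardened form: only allow-listed names are accepted,
// and CR/LF are refused explicitly so the check survives a later change to
// the allow-list that might admit a constant built from user input.
func writeSSEEvent(w io.Writer, eventName string, payload any) error {
	if !allowedEvents[eventName] || strings.ContainsAny(eventName, "\r\n") {
		return ErrInvalidEventName
	}
	jsonData, err := json.Marshal(payload) // JSON encoding keeps the data field single-line safe
	if err != nil {
		return err
	}
	_, err = fmt.Fprintf(w, "event: %s\ndata: %s\n\n", eventName, jsonData)
	return err
}

// sanitizeEventName is the strip-based alternative the issue suggests:
// remove CR and LF instead of rejecting the name. Rejecting is preferable
// when the set of names is known, since a stripped name silently changes
// the event type the client sees.
func sanitizeEventName(name string) string {
	return strings.NewReplacer("\r", "", "\n", "").Replace(name)
}

// countFrames counts blank-line-terminated SSE frames in a stream, which is
// how a client would see "one write" turned into several events.
func countFrames(stream string) int {
	n := 0
	for _, block := range strings.Split(stream, "\n\n") {
		if strings.TrimSpace(block) != "" {
			n++
		}
	}
	return n
}

func main() {
	// Constructed input: a name that carries a CR/LF-separated extra frame.
	crafted := "status\ndata: injected\n\n"

	var buf bytes.Buffer
	_ = writeSSEEventUnsafe(&buf, crafted, "ok")
	fmt.Printf("unsafe writer emitted %d frame(s)\n", countFrames(buf.String()))

	buf.Reset()
	if err := writeSSEEvent(&buf, crafted, "ok"); err != nil {
		fmt.Println("hardened writer:", err)
	}
	_ = writeSSEEvent(&buf, "message", map[string]string{"cluster": "demo"})
	fmt.Printf("hardened writer emitted %d frame(s): %q\n", countFrames(buf.String()), buf.String())
	fmt.Printf("sanitized name: %q\n", sanitizeEventName(crafted))
}
```

The data field is not the weak point here: json.Marshal escapes newlines inside the payload, so only the raw event field can split a frame. A detection-side check with the same shape, counting frames per write in a handler test, catches a regression if a future caller starts passing a non-constant name.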

Labels: ai-fix-requested, ai-processing, kind/bug, triage/accepted, triage/needed