pkg/cmd: disable cmdline profile

This route can unintentionally expose secrets provided to via the command-line to those with access to the metrics service. Fixes GHSA-cjr9-mr35-7xh6 CVE-2023-29193
authzed · Apr 13, 2023 · f2b1f9c · f2b1f9c
1 parent 7ecd240
commit f2b1f9c
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/pkg/cmd/server/defaults.go b/pkg/cmd/server/defaults.go
@@ -73,15 +73,21 @@ func DefaultPreRunE(programName string) cobrautil.CobraRunFunc {
 // metrics and pprof endpoints.
 func MetricsHandler(telemetryRegistry *prometheus.Registry) http.Handler {
 	mux := http.NewServeMux()
+
 	mux.Handle("/metrics", promhttp.Handler())
+	if telemetryRegistry != nil {
+		mux.Handle("/telemetry", promhttp.HandlerFor(telemetryRegistry, promhttp.HandlerOpts{}))
+	}
+
 	mux.HandleFunc("/debug/pprof/", pprof.Index)
-	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
 	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
 	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
 	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
-	if telemetryRegistry != nil {
-		mux.Handle("/telemetry", promhttp.HandlerFor(telemetryRegistry, promhttp.HandlerOpts{}))
-	}
+	mux.HandleFunc("/debug/pprof/cmdline", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNotFound)
+		fmt.Fprintf(w, "This profile type has been disabled to avoid leaking private command-line arguments")
+	})
+
 	return mux
 }