Fix request method and URI handling in allocation API and node agent #513

Merged: dgkanatsios merged 1 commit into main from copilot/check-vulnerability-report, Jun 9, 2026

Copilot AI commented Jun 9, 2026

Two handlers could process requests they should have rejected.

Changes

  • Allocation API (pkg/operator/controllers/allocation_api_server.go): the non-POST/PATCH branch reported the error but lacked a return, so disallowed methods fell through and still allocated a game server. Added the return.

```go
if r.Method != http.MethodPost && r.Method != http.MethodPatch {
    badRequestError(w, s.logger, errors.New("invalid method"), "Only POST and PATCH are accepted")
    return // added
}
```

  • Node agent (cmd/nodeagent/nodeagentmanager.go): heartbeatHandler indexed match[1] without checking the regex result, panicking when the request URI didn't match the expected pattern. Added a nil-match guard returning 400.

```go
match := re.FindStringSubmatch(r.RequestURI)
if match == nil {
    badRequest(w, fmt.Errorf("invalid request URI"), "cannot parse game server name")
    return
}
gameServerName := match[1]
```

Tests

  • GET with a valid body is rejected and does not allocate.
  • Heartbeat request whose URI doesn't match the pattern returns 400 instead of panicking.
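
Added example, not code from this pull request or the project: a self-contained Go sketch of the two regression checks listed under Tests, using `net/http/httptest`. The handlers, the `/allocate` path, the heartbeat regex and the `allocations` counter are hypothetical stand-ins; `withReturn=false` reproduces the fall-through so the side effect after an error response can be observed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

var heartbeatRe = regexp.MustCompile(`^/heartbeat/([a-z0-9-]+)$`) // hypothetical pattern, not the project's regex
// allocations counts side effects so a check can prove nothing ran after a rejection.
var allocations int

// allocateHandler rejects disallowed methods; withReturn=false reproduces the fall-through.
func allocateHandler(withReturn bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost && r.Method != http.MethodPatch {
			http.Error(w, "Only POST and PATCH are accepted", http.StatusBadRequest)
			if withReturn {
				return
			}
		}
		allocations++ // stands in for allocating a game server
	}
}

// heartbeatHandler checks the regex result before indexing match[1].
func heartbeatHandler(w http.ResponseWriter, r *http.Request) {
	match := heartbeatRe.FindStringSubmatch(r.RequestURI)
	if match == nil {
		http.Error(w, "cannot parse game server name", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "heartbeat from %s", match[1])
}

// probe sends one request and returns the status code and the allocations performed.
func probe(h http.HandlerFunc, method, uri string) (int, int) {
	allocations = 0
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(method, uri, nil))
	return rec.Code, allocations
}

func main() {
	fmt.Println(probe(allocateHandler(false), "GET", "/allocate")) // 400, yet the side effect ran
	fmt.Println(probe(allocateHandler(true), "GET", "/allocate"))
	fmt.Println(probe(heartbeatHandler, "POST", "/not-a-heartbeat"))
}
```

The first probe shows why asserting on the status code alone would not have caught the missing return: the response is already 400 while the allocation still happens, so the check has to assert on the side effect as well.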

@dgkanatsios dgkanatsios merged commit 9646c25 into main Jun 9, 2026
6 checks passed
@dgkanatsios dgkanatsios deleted the copilot/check-vulnerability-report branch June 9, 2026 16:56