Potentially unsafe quoting security bug

[arpitjain099]

There's a potential security related bug in utils/zpe-updater/zpu_client.go:335

Reason:
Code that constructs a quoted string literal containing user-provided data needs to ensure that this data does not itself contain a quote. Otherwise the embedded data could (accidentally or intentionally) terminate the string literal early and thereby change the structure of the overall string, with potentially severe consequences. If, for example, the string is later used as part of an operating-system command or database query, an attacker may be able to craft input data that injects a malicious command.

[havetisyan]

That is not a valid issue. The data itself is not user generated - it's the data received from the server. And the client needs to put the json fields in the canonical order so the signature is correctly verified. The change included in the request will no longer guarantee the order of the fields and as such will probably break some clients and as such will not be accepted.

btw, if you're using zpu updater, then the code you're referencing is also deprecated. The recommended option is to use the JWS format to download your domain policies where there is no ambiguity wrt to signature verification.

[arpitjain099]

@havetisyan noted. Thank you for the clarification. I opened a PR because there is still code related to zpu_updater. The changes in the PR should then suffice as improving code quality while not addressing a security vulnerability (as codeql suggested). Please review.

Again, thanks for the comment.