Describe the bug?

There are various methods in the SDK which take a string parameter and format an endpoint URL. Take this method for example:

A username is taken as a parameter and appended to /api/v1/users/. This could be an issue because the username is not sanitised. If the attacker controls this input it would be possible to call another endpoint by passing something such as fakeuser/grants, fakeusers/groups, or any other endpoint that accepts GET requests. This principle could be used to perform other operations like POST/PUT requests.

This could be dangerous if a consumer of the SDK is not aware that they need to pre-sanitise. In the real world, we can imagine an internal web page for looking up Okta users. A form sends a username to the backend which is passed into GetUser(). Somebody able to access the web page might be able to send crafted inputs to potentially obtain information they shouldn't be able to or perform administrative actions.

What is expected to happen?

The SDK should convey that consumers are expected to sanitise strings to prevent manipulation of endpoint URLs.

What is the actual behavior?

The SDK is vulnerable to manipulation of endpoint URLs via unsanitised input.

Reproduction Steps?

Proof of concept code:

package main

import (
        "context"
        "fmt"
        "github.com/okta/okta-sdk-golang/v2/okta"
)

func main() {
        _, oktaClient, _ := okta.NewClient(
                context.TODO(),
                okta.WithOrgUrl(OKTA_ORG),
                okta.WithToken(OKTA_TOKEN),
        )

        user, resp, err := oktaClient.User.GetUser(ctx, "fakeuser/groups")
        fmt.Printf("%+v %+v %+v\n", user, resp, err)
}

Additional Information?

No response

Golang Version

N/A

SDK Version

v2.12.1

OS version

No response