From 14680abe92e904affb8cd93c31ef503f80eb8aff Mon Sep 17 00:00:00 2001
From: Jimmy Zelinskie
Date: Thu, 13 Apr 2023 11:51:01 -0400
Subject: [PATCH] Merge pull request from GHSA-cjr9-mr35-7xh6

pkg/cmd: disable cmdline profile
---
 pkg/cmd/server/defaults.go | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/pkg/cmd/server/defaults.go b/pkg/cmd/server/defaults.go
index 3ea464a422..7fcf2be57b 100644
--- a/pkg/cmd/server/defaults.go
+++ b/pkg/cmd/server/defaults.go
@@ -73,15 +73,21 @@ func DefaultPreRunE(programName string) cobrautil.CobraRunFunc {
 // metrics and pprof endpoints.
 func MetricsHandler(telemetryRegistry *prometheus.Registry) http.Handler {
 	mux := http.NewServeMux()
+
 	mux.Handle("/metrics", promhttp.Handler())
+	if telemetryRegistry != nil {
+		mux.Handle("/telemetry", promhttp.HandlerFor(telemetryRegistry, promhttp.HandlerOpts{}))
+	}
+
 	mux.HandleFunc("/debug/pprof/", pprof.Index)
-	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
 	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
 	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
 	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
-	if telemetryRegistry != nil {
-		mux.Handle("/telemetry", promhttp.HandlerFor(telemetryRegistry, promhttp.HandlerOpts{}))
-	}
+	mux.HandleFunc("/debug/pprof/cmdline", func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusNotFound)
+		fmt.Fprintf(w, "This profile type has been disabled to avoid leaking private command-line arguments")
+	})
+
 	return mux
 }
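Review bot: The replacement handler for `/debug/pprof/cmdline` writes its body with `fmt.Fprintf` on a constant string and never sets a Content-Type, so the response is served with a sniffed type and without `X-Content-Type-Options`; `http.Error(w, "This profile type has been disabled to avoid leaking private command-line arguments", http.StatusNotFound)` gives the same status and text in one line with `text/plain` and `nosniff` set, and the unused `r` parameter can become `_`. The registration deserves a why-comment, since a reader will otherwise wonder why a stub is registered instead of the route simply being dropped, e.g. `// The stock net/http/pprof Cmdline handler echoes the process arguments (os.Args), which may include secrets passed as flags; this stub shadows it with an explicit refusal.` Presumably the stub also yields a clearer message than the generic "Unknown profile" response that `pprof.Index` would return for an unregistered name under `/debug/pprof/`, and the index page it renders will still list a cmdline entry that now resolves to this 404, which is worth stating in that comment. The remaining endpoints on this mux (the index, `profile`, `symbol`, `trace`, and the runtime profiles such as heap and goroutine reachable through `pprof.Index`) stay reachable without authentication, so the mitigation still depends on the metrics listener not being exposed beyond a trusted network.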