chore: return safe copy of string slice in 'ParseStringSliceClaim' (#17439)

Emyrk · web-flow · commit 37c5e7c44034 · 2025-04-28T12:18:02.000-05:00
Claims parsed should be safe to mutate and filter. This was likely not
causing any bugs or issues, and just doing this out of precaution
diff --git a/coderd/idpsync/idpsync.go b/coderd/idpsync/idpsync.go
@@ -186,7 +186,9 @@ func ParseStringSliceClaim(claim interface{}) ([]string, error) {
 	// The simple case is the type is exactly what we expected
 	asStringArray, ok := claim.([]string)
 	if ok {
-		return asStringArray, nil
+		cpy := make([]string, len(asStringArray))
+		copy(cpy, asStringArray)
+		return cpy, nil
 	}
 
 	asArray, ok := claim.([]interface{})
diff --git a/coderd/idpsync/idpsync_test.go b/coderd/idpsync/idpsync_test.go
@@ -136,6 +136,17 @@ func TestParseStringSliceClaim(t *testing.T) {
 	}
 }
 
+func TestParseStringSliceClaimReference(t *testing.T) {
+	t.Parallel()
+
+	var val any = []string{"a", "b", "c"}
+	parsed, err := idpsync.ParseStringSliceClaim(val)
+	require.NoError(t, err)
+
+	parsed[0] = ""
+	require.Equal(t, "a", val.([]string)[0], "should not modify original value")
+}
+
 func TestIsHTTPError(t *testing.T) {
 	t.Parallel()
 
