From 8494aa9c677e5d9f61a19cdf731793bd186c6adb Mon Sep 17 00:00:00 2001
From: Steven Masley <stevenmasley@gmail.com>
Date: Wed, 16 Apr 2025 17:43:10 -0500
Subject: [PATCH] chore: return safe copy of string slice in
 'ParseStringSliceClaim'

Claims parsed should be safe to mutate and filter. This was likely
not causing any bugs or issues, and just doing this out of precaution
---
 coderd/idpsync/idpsync.go      |  4 +++-
 coderd/idpsync/idpsync_test.go | 11 +++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/coderd/idpsync/idpsync.go b/coderd/idpsync/idpsync.go
index 4da101635bd23..2772a1b1ec2b4 100644
--- a/coderd/idpsync/idpsync.go
+++ b/coderd/idpsync/idpsync.go
@@ -186,7 +186,9 @@ func ParseStringSliceClaim(claim interface{}) ([]string, error) {
 	// The simple case is the type is exactly what we expected
 	asStringArray, ok := claim.([]string)
 	if ok {
-		return asStringArray, nil
+		cpy := make([]string, len(asStringArray))
+		copy(cpy, asStringArray)
+		return cpy, nil
 	}
 
 	asArray, ok := claim.([]interface{})
diff --git a/coderd/idpsync/idpsync_test.go b/coderd/idpsync/idpsync_test.go
index 7dc29d903af3f..317122ddc6092 100644
--- a/coderd/idpsync/idpsync_test.go
+++ b/coderd/idpsync/idpsync_test.go
@@ -136,6 +136,17 @@ func TestParseStringSliceClaim(t *testing.T) {
 	}
 }
 
+func TestParseStringSliceClaimReference(t *testing.T) {
+	t.Parallel()
+
+	var val any = []string{"a", "b", "c"}
+	parsed, err := idpsync.ParseStringSliceClaim(val)
+	require.NoError(t, err)
+
+	parsed[0] = ""
+	require.Equal(t, "a", val.([]string)[0], "should not modify original value")
+}
+
 func TestIsHTTPError(t *testing.T) {
 	t.Parallel()