fix: Gosec/sec fixes (#2004)

* Customization of the initialization file * fix: G601 (CWE-118): Implicit memory aliasing in for loop * fix: G304 (CWE-22): Potential file inclusion via variable * fix: G110 (CWE-409): Potential DoS vulnerability via decompression bomb
2025-05-22 18:25:47 +08:00 · 2023-06-21 13:55:20 +03:00 · 2023-06-21 13:55:20 +03:00 · 6ebca6dbe7
commit 6ebca6dbe7
parent d505a4bf2d
11 changed files with 25 additions and 9 deletions
--- a/controllers/user_upload.go
+++ b/controllers/user_upload.go
@ -19,13 +19,14 @@ import (
 	"io"
 	"mime/multipart"
 	"os"
+	"path/filepath"

 	"github.com/casdoor/casdoor/object"
 	"github.com/casdoor/casdoor/util"
 )

 func saveFile(path string, file *multipart.File) (err error) {
-	f, err := os.Create(path)
+	f, err := os.Create(filepath.Clean(path))
 	if err != nil {
 		return err
 	}
--- a/deployment/deploy.go
+++ b/deployment/deploy.go
@ -17,6 +17,7 @@ package deployment
 import (
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"

 	"github.com/casdoor/casdoor/object"
@ -45,7 +46,7 @@ func uploadFolder(storageProvider oss.StorageInterface, folder string) {
 			continue
 		}

-		file, err := os.Open(path + filename)
+		file, err := os.Open(filepath.Clean(path + filename))
 		if err != nil {
 			panic(err)
 		}
--- a/object/permission_upload.go
+++ b/object/permission_upload.go
@ -43,6 +43,7 @@ func UploadPermissions(owner string, fileId string) (bool, error) {

 	newPermissions := []*Permission{}
 	for index, line := range table {
+		line := line
 		if index == 0 || parseLineItem(&line, 0) == "" {
 			continue
 		}
--- a/object/role_upload.go
+++ b/object/role_upload.go
@ -43,6 +43,7 @@ func UploadRoles(owner string, fileId string) (bool, error) {

 	newRoles := []*Role{}
 	for index, line := range table {
+		line := line
 		if index == 0 || parseLineItem(&line, 0) == "" {
 			continue
 		}
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@ -260,10 +260,17 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 	// decompress
 	var buffer bytes.Buffer
 	rdr := flate.NewReader(bytes.NewReader(defated))
-	_, err = io.Copy(&buffer, rdr)
-	if err != nil {
-		return "", "", "", err
+
+	for {
+		_, err := io.CopyN(&buffer, rdr, 1024)
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return "", "", "", err
+		}
 	}
+
 	var authnRequest saml.AuthnRequest
 	err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
 	if err != nil {
--- a/object/user_avatar_favicon.go
+++ b/object/user_avatar_favicon.go
@ -124,6 +124,7 @@ func chooseFaviconLinkBySizes(links []Link) *Link {
 	var chosenLink *Link

 	for _, link := range links {
+		link := link
 		if chosenLink == nil || compareSizes(link.Sizes, chosenLink.Sizes) > 0 {
 			chosenLink = &link
 		}
--- a/object/user_upload.go
+++ b/object/user_upload.go
@ -83,6 +83,7 @@ func UploadUsers(owner string, fileId string) (bool, error) {

 	newUsers := []*User{}
 	for index, line := range table {
+		line := line
 		if index == 0 || parseLineItem(&line, 0) == "" {
 			continue
 		}
--- a/routers/static_filter.go
+++ b/routers/static_filter.go
@ -19,6 +19,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"

@ -72,7 +73,7 @@ func StaticFilter(ctx *context.Context) {
 }

 func serveFileWithReplace(w http.ResponseWriter, r *http.Request, name string, old string, new string) {
-	f, err := os.Open(name)
+	f, err := os.Open(filepath.Clean(name))
 	if err != nil {
 		panic(err)
 	}
--- a/storage/local_file_system.go
+++ b/storage/local_file_system.go
@ -70,7 +70,7 @@ func (fileSystem FileSystem) Put(path string, reader io.Reader) (*oss.Object, er
 		return nil, err
 	}

-	dst, err := os.Create(fullPath)
+	dst, err := os.Create(filepath.Clean(fullPath))

 	if err == nil {
 		if seeker, ok := reader.(io.ReadSeeker); ok {
--- a/util/string.go
+++ b/util/string.go
@ -22,6 +22,7 @@ import (
 	"fmt"
 	"math/rand"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"time"
@ -201,7 +202,7 @@ func GetMinLenStr(strs ...string) string {
 }

 func ReadStringFromPath(path string) string {
-	data, err := os.ReadFile(path)
+	data, err := os.ReadFile(filepath.Clean(path))
 	if err != nil {
 		panic(err)
 	}
--- a/util/system.go
+++ b/util/system.go
@ -18,6 +18,7 @@ import (
 	"bufio"
 	"os"
 	"path"
+	"path/filepath"
 	"regexp"
 	"runtime"
 	"strconv"
@ -155,7 +156,7 @@ func GetVersionInfoFromFile() (*VersionInfo, error) {

 	_, filename, _, _ := runtime.Caller(0)
 	rootPath := path.Dir(path.Dir(filename))
-	file, err := os.Open(path.Join(rootPath, "version_info.txt"))
+	file, err := os.Open(filepath.Clean(path.Join(rootPath, "version_info.txt")))
 	if err != nil {
 		return res, err
 	}