fix: Gosec/sec fixes (#2004)

* Customization of the initialization file * fix: G601 (CWE-118): Implicit memory aliasing in for loop * fix: G304 (CWE-22): Potential file inclusion via variable * fix: G110 (CWE-409): Potential DoS vulnerability via decompression bomb
2025-07-03 04:10:20 +08:00 · 2023-06-21 13:55:20 +03:00
parent d505a4bf2d
commit 6ebca6dbe7
11 changed files with 25 additions and 9 deletions
--- a/object/saml_idp.go
+++ b/object/saml_idp.go
@ -260,10 +260,17 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
 	// decompress
 	var buffer bytes.Buffer
 	rdr := flate.NewReader(bytes.NewReader(defated))
-	_, err = io.Copy(&buffer, rdr)
-	if err != nil {
-		return "", "", "", err
+
+	for {
+		_, err := io.CopyN(&buffer, rdr, 1024)
+		if err != nil {
+			if err == io.EOF {
+				break
+			}
+			return "", "", "", err
+		}
 	}
+
 	var authnRequest saml.AuthnRequest
 	err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
 	if err != nil {