fix: Gosec/sec fixes (#2004)

* Customization of the initialization file

* fix: G601 (CWE-118): Implicit memory aliasing in for loop

* fix: G304 (CWE-22): Potential file inclusion via variable

* fix: G110 (CWE-409): Potential DoS vulnerability via decompression bomb
This commit is contained in:
Alex OvsInc
2023-06-21 13:55:20 +03:00
committed by GitHub
parent d505a4bf2d
commit 6ebca6dbe7
11 changed files with 25 additions and 9 deletions


@ -19,13 +19,14 @@ import (
"io" "io"
"mime/multipart" "mime/multipart"
"os" "os"
"path/filepath"
"github.com/casdoor/casdoor/object" "github.com/casdoor/casdoor/object"
"github.com/casdoor/casdoor/util" "github.com/casdoor/casdoor/util"
) )
func saveFile(path string, file *multipart.File) (err error) { func saveFile(path string, file *multipart.File) (err error) {
f, err := os.Create(path) f, err := os.Create(filepath.Clean(path))
if err != nil { if err != nil {
return err return err
} }
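Review bot: `filepath.Clean(path)` on the os.Create line normalizes the string but does not confine it — a cleaned path can still be absolute or still start with `..`, so if `path` is derived from request data this satisfies the G304 linter without changing which file is opened. The change that actually addresses CWE-22 is to join the caller-supplied part onto a trusted base directory and reject the result when it leaves that base, e.g. `if !strings.HasPrefix(clean, base+string(filepath.Separator)) { return errors.New("path escapes upload directory") }` (on Go 1.20+ `filepath.IsLocal` can guard the relative part instead). Where `path` is already trusted by the caller, a one-line comment saying so would be the more honest change than the Clean call. The same Clean-only pattern is applied in uploadFolder, serveFileWithReplace, FileSystem.Put and ReadStringFromPath in this commit; saveFile's body continues outside the hunk.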


@ -17,6 +17,7 @@ package deployment
import ( import (
"fmt" "fmt"
"os" "os"
"path/filepath"
"strings" "strings"
"github.com/casdoor/casdoor/object" "github.com/casdoor/casdoor/object"
@ -45,7 +46,7 @@ func uploadFolder(storageProvider oss.StorageInterface, folder string) {
continue continue
} }
file, err := os.Open(path + filename) file, err := os.Open(filepath.Clean(path + filename))
if err != nil { if err != nil {
panic(err) panic(err)
} }


@ -43,6 +43,7 @@ func UploadPermissions(owner string, fileId string) (bool, error) {
newPermissions := []*Permission{} newPermissions := []*Permission{}
for index, line := range table { for index, line := range table {
line := line
if index == 0 || parseLineItem(&line, 0) == "" { if index == 0 || parseLineItem(&line, 0) == "" {
continue continue
} }
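Review bot: The new `line := line` shadow carries no comment, so a later reader cannot tell it is deliberate; because `&line` is passed to parseLineItem and presumably retained past the iteration, a note such as `line := line // copy: &line is taken below and must not alias the loop variable` would keep it from being "cleaned up" as a no-op. The same shadow is added in UploadRoles, UploadUsers and chooseFaviconLinkBySizes, and one comment at each site would suffice. If go.mod is later moved to Go 1.22 or newer, per-iteration loop variables make all four copies redundant. The enclosing loops continue outside the hunks.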


@ -43,6 +43,7 @@ func UploadRoles(owner string, fileId string) (bool, error) {
newRoles := []*Role{} newRoles := []*Role{}
for index, line := range table { for index, line := range table {
line := line
if index == 0 || parseLineItem(&line, 0) == "" { if index == 0 || parseLineItem(&line, 0) == "" {
continue continue
} }


@ -260,10 +260,17 @@ func GetSamlResponse(application *Application, user *User, samlRequest string, h
// decompress // decompress
var buffer bytes.Buffer var buffer bytes.Buffer
rdr := flate.NewReader(bytes.NewReader(defated)) rdr := flate.NewReader(bytes.NewReader(defated))
_, err = io.Copy(&buffer, rdr)
if err != nil { for {
return "", "", "", err _, err := io.CopyN(&buffer, rdr, 1024)
if err != nil {
if err == io.EOF {
break
}
return "", "", "", err
}
} }
var authnRequest saml.AuthnRequest var authnRequest saml.AuthnRequest
err = xml.Unmarshal(buffer.Bytes(), &authnRequest) err = xml.Unmarshal(buffer.Bytes(), &authnRequest)
if err != nil { if err != nil {
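Review bot: The new CopyN loop still copies the entire inflated stream into `buffer` with no cap on its total size, so the G110 decompression-bomb finding is silenced rather than fixed — chunking by 1024 bytes only changes how many iterations run. Bound the output instead: wrap `rdr` in an io.LimitReader set one byte above the largest AuthnRequest the server is willing to parse and fail when `buffer.Len()` exceeds that limit, which also removes the `err` shadowed inside the loop (use errors.New if fmt is not already imported in this file). `rdr` is an io.ReadCloser that is never closed here (pre-existing), so a `defer rdr.Close()` right after creating it is worth adding at the same time. GetSamlResponse's body continues on both sides of the hunk.
```go
rdr := flate.NewReader(bytes.NewReader(defated))
defer rdr.Close()
// maxInflated bounds the inflated AuthnRequest; TODO(review): pick a limit suited to this deployment.
const maxInflated = 1 << 20
_, err = io.Copy(&buffer, io.LimitReader(rdr, maxInflated+1))
if err != nil {
	return "", "", "", err
}
if buffer.Len() > maxInflated {
	return "", "", "", fmt.Errorf("saml request: inflated size exceeds %d bytes", maxInflated)
}
// … unchanged: xml.Unmarshal of buffer.Bytes() into authnRequest …
```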


@ -124,6 +124,7 @@ func chooseFaviconLinkBySizes(links []Link) *Link {
var chosenLink *Link var chosenLink *Link
for _, link := range links { for _, link := range links {
link := link
if chosenLink == nil || compareSizes(link.Sizes, chosenLink.Sizes) > 0 { if chosenLink == nil || compareSizes(link.Sizes, chosenLink.Sizes) > 0 {
chosenLink = &link chosenLink = &link
} }


@ -83,6 +83,7 @@ func UploadUsers(owner string, fileId string) (bool, error) {
newUsers := []*User{} newUsers := []*User{}
for index, line := range table { for index, line := range table {
line := line
if index == 0 || parseLineItem(&line, 0) == "" { if index == 0 || parseLineItem(&line, 0) == "" {
continue continue
} }


@ -19,6 +19,7 @@ import (
"io" "io"
"net/http" "net/http"
"os" "os"
"path/filepath"
"strings" "strings"
"time" "time"
@ -72,7 +73,7 @@ func StaticFilter(ctx *context.Context) {
} }
func serveFileWithReplace(w http.ResponseWriter, r *http.Request, name string, old string, new string) { func serveFileWithReplace(w http.ResponseWriter, r *http.Request, name string, old string, new string) {
f, err := os.Open(name) f, err := os.Open(filepath.Clean(name))
if err != nil { if err != nil {
panic(err) panic(err)
} }


@ -70,7 +70,7 @@ func (fileSystem FileSystem) Put(path string, reader io.Reader) (*oss.Object, er
return nil, err return nil, err
} }
dst, err := os.Create(fullPath) dst, err := os.Create(filepath.Clean(fullPath))
if err == nil { if err == nil {
if seeker, ok := reader.(io.ReadSeeker); ok { if seeker, ok := reader.(io.ReadSeeker); ok {


@ -22,6 +22,7 @@ import (
"fmt" "fmt"
"math/rand" "math/rand"
"os" "os"
"path/filepath"
"strconv" "strconv"
"strings" "strings"
"time" "time"
@ -201,7 +202,7 @@ func GetMinLenStr(strs ...string) string {
} }
func ReadStringFromPath(path string) string { func ReadStringFromPath(path string) string {
data, err := os.ReadFile(path) data, err := os.ReadFile(filepath.Clean(path))
if err != nil { if err != nil {
panic(err) panic(err)
} }


@ -18,6 +18,7 @@ import (
"bufio" "bufio"
"os" "os"
"path" "path"
"path/filepath"
"regexp" "regexp"
"runtime" "runtime"
"strconv" "strconv"
@ -155,7 +156,7 @@ func GetVersionInfoFromFile() (*VersionInfo, error) {
_, filename, _, _ := runtime.Caller(0) _, filename, _, _ := runtime.Caller(0)
rootPath := path.Dir(path.Dir(filename)) rootPath := path.Dir(path.Dir(filename))
file, err := os.Open(path.Join(rootPath, "version_info.txt")) file, err := os.Open(filepath.Clean(path.Join(rootPath, "version_info.txt")))
if err != nil { if err != nil {
return res, err return res, err
} }
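Review bot: The new `filepath.Clean(path.Join(rootPath, "version_info.txt"))` mixes the slash-only `path` package with the OS-aware `filepath` package on one line; `filepath.Join` already cleans its result, so `file, err := os.Open(filepath.Join(rootPath, "version_info.txt"))` does the same work in one call. The `path.Dir` calls two lines up may be deliberate, since the runtime.Caller filename is slash-separated on every platform, so leaving those as-is and changing only the Join is the smaller change. Because `filename` comes from runtime.Caller rather than from a request, this site is not a CWE-22 exposure and the Clean wrapper adds nothing beyond what Join does. GetVersionInfoFromFile's body continues outside the hunk.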