fix: handle codeql golang security issues

Signed-off-by: chlins <chenyuzh@vmware.com>
2024-06-23 05:15:06 +02:00 · 2021-10-22 09:58:55 +08:00 · 2021-10-22 09:58:55 +08:00 · 9e8218f63b
commit 9e8218f63b
parent bc6a7f65a6
5 changed files with 23 additions and 13 deletions
--- a/src/common/dao/pgsql.go
+++ b/src/common/dao/pgsql.go
@ -107,13 +107,13 @@ func (p *pgsql) Register(alias ...string) error {

 // UpgradeSchema calls migrate tool to upgrade schema to the latest based on the SQL scripts.
 func (p *pgsql) UpgradeSchema() error {
-	port, err := strconv.ParseInt(p.port, 10, 64)
+	port, err := strconv.Atoi(p.port)
 	if err != nil {
 		return err
 	}
 	m, err := NewMigrator(&models.PostGreSQL{
 		Host:     p.host,
-		Port:     int(port),
+		Port:     port,
 		Username: p.usr,
 		Password: p.pwd,
 		Database: p.database,
--- a/src/common/utils/encrypt.go
+++ b/src/common/utils/encrypt.go
@ -59,7 +59,14 @@ func ReversibleEncrypt(str, key string) (string, error) {
 	if block, err = aes.NewCipher(keyBytes); err != nil {
 		return "", err
 	}
-	cipherText := make([]byte, aes.BlockSize+len(str))
+
+	// ensures the value is no larger than 64 MB, which fits comfortably within an int and avoids the overflow
+	if len(str) > 64*1024*1024 {
+		return "", errors.New("str value too large")
+	}
+
+	size := aes.BlockSize + len(str)
+	cipherText := make([]byte, size)
 	iv := cipherText[:aes.BlockSize]
 	if _, err = io.ReadFull(rand.Reader, iv); err != nil {
 		return "", err
--- a/src/common/utils/utils.go
+++ b/src/common/utils/utils.go
@ -163,12 +163,9 @@ func ParseProjectIDOrName(value interface{}) (int64, string, error) {

 	var id int64
 	var name string
-	switch value.(type) {
-	case int:
-		i := value.(int)
-		id = int64(i)
-	case int64:
-		id = value.(int64)
+	switch v := value.(type) {
+	case int, int64:
+		id = reflect.ValueOf(v).Int()
 	case string:
 		name = value.(string)
 	default:
--- a/src/controller/robot/controller.go
+++ b/src/controller/robot/controller.go
@ -3,6 +3,9 @@ package robot
 import (
 	"context"
 	"fmt"
+	"strconv"
+	"time"
+
 	rbac_project "github.com/goharbor/harbor/src/common/rbac/project"
 	"github.com/goharbor/harbor/src/common/utils"
 	"github.com/goharbor/harbor/src/lib/config"
@ -15,7 +18,6 @@ import (
 	rbac_model "github.com/goharbor/harbor/src/pkg/rbac/model"
 	robot "github.com/goharbor/harbor/src/pkg/robot"
 	"github.com/goharbor/harbor/src/pkg/robot/model"
-	"time"
 )

 var (
@ -88,7 +90,12 @@ func (d *controller) Create(ctx context.Context, r *Robot) (int64, string, error
 		r.Duration = int64(config.RobotTokenDuration(ctx))
 		expiresAt = time.Now().AddDate(0, 0, config.RobotTokenDuration(ctx)).Unix()
 	} else {
-		expiresAt = time.Now().AddDate(0, 0, int(r.Duration)).Unix()
+		durationStr := strconv.FormatInt(r.Duration, 10)
+		duration, err := strconv.Atoi(durationStr)
+		if err != nil {
+			return 0, "", err
+		}
+		expiresAt = time.Now().AddDate(0, 0, duration).Unix()
 	}

 	pwd := utils.GenerateRandomString()
--- a/src/pkg/reg/adapter/jfrog/adapter.go
+++ b/src/pkg/reg/adapter/jfrog/adapter.go
@ -20,7 +20,6 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
-	"strconv"
 	"strings"

 	"github.com/goharbor/harbor/src/pkg/registry/auth/basic"
@ -289,7 +288,7 @@ func (a *adapter) PushBlob(repository, digest string, size int64, blob io.Reader
 	if err != nil {
 		return err
 	}
-	rangeSize := strconv.Itoa(int(size))
+	rangeSize := fmt.Sprintf("%d", size)
 	req.Header.Set("Content-Length", rangeSize)
 	req.Header.Set("Content-Range", fmt.Sprintf("0-%s", rangeSize))
 	req.Header.Set("Content-Type", "application/octet-stream")