From 9e8218f63bd927cd3bdf502e77e1bbcbac6bd108 Mon Sep 17 00:00:00 2001
From: chlins
Date: Fri, 22 Oct 2021 09:58:55 +0800
Subject: [PATCH] fix: handle codeql golang security issues

Signed-off-by: chlins
---
 src/common/dao/pgsql.go | 4 ++--
 src/common/utils/encrypt.go | 9 ++++++++-
 src/common/utils/utils.go | 9 +++------
 src/controller/robot/controller.go | 11 +++++++++--
 src/pkg/reg/adapter/jfrog/adapter.go | 3 +--
 5 files changed, 23 insertions(+), 13 deletions(-)

diff --git a/src/common/dao/pgsql.go b/src/common/dao/pgsql.go
index 1134032bf..e7293ffdb 100644
--- a/src/common/dao/pgsql.go
+++ b/src/common/dao/pgsql.go
@@ -107,13 +107,13 @@ func (p *pgsql) Register(alias ...string) error {
 
 // UpgradeSchema calls migrate tool to upgrade schema to the latest based on the SQL scripts.
 func (p *pgsql) UpgradeSchema() error {
-port, err := strconv.ParseInt(p.port, 10, 64)
+port, err := strconv.Atoi(p.port)
 if err != nil {
 return err
 }
 m, err := NewMigrator(&models.PostGreSQL{
 Host: p.host,
-Port: int(port),
+Port: port,
 Username: p.usr,
 Password: p.pwd,
 Database: p.database,
diff --git a/src/common/utils/encrypt.go b/src/common/utils/encrypt.go
index e68da9430..73a7cbec6 100644
--- a/src/common/utils/encrypt.go
+++ b/src/common/utils/encrypt.go
@@ -59,7 +59,14 @@ func ReversibleEncrypt(str, key string) (string, error) {
 if block, err = aes.NewCipher(keyBytes); err != nil {
 return "", err
 }
-cipherText := make([]byte, aes.BlockSize+len(str))
+
+// ensures the value is no larger than 64 MB, which fits comfortably within an int and avoids the overflow
+if len(str) > 64*1024*1024 {
+return "", errors.New("str value too large")
+}
+
+size := aes.BlockSize + len(str)
+cipherText := make([]byte, size)
 iv := cipherText[:aes.BlockSize]
 if _, err = io.ReadFull(rand.Reader, iv); err != nil {
 return "", err
diff --git a/src/common/utils/utils.go b/src/common/utils/utils.go
index 2ea6927d6..954b0adbb 100644
--- a/src/common/utils/utils.go
+++ b/src/common/utils/utils.go
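Review bot: `strconv.Atoi(p.port)` still accepts any int-sized value, so a configured port such as `-1` or `70000` is passed straight into `models.PostGreSQL.Port`; now that the conversion is explicit it is worth bounding it, e.g. `if port < 1 || port > 65535 { return fmt.Errorf("invalid postgres port %q", p.port) }` (adding the fmt import if pgsql.go lacks it). The bare `return err` on the parse failure also drops which setting was bad; `return fmt.Errorf("parsing postgres port %q: %w", p.port, err)` makes a misconfiguration diagnosable from the log. UpgradeSchema's body continues past the hunk.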
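Review bot: The 64 MB ceiling on `len(str)` is a bare literal whose comment explains the CodeQL motivation rather than the contract; name it, `const maxPlaintextSize = 64 * 1024 * 1024 // bytes; upper bound on ReversibleEncrypt input`, and compare against it with `if len(str) > maxPlaintextSize {`. The check can also sit above the `aes.NewCipher` call so an oversized input is rejected before any key setup, and the error could state the limit, e.g. `errors.New("str value exceeds 64 MB limit")`. ReversibleEncrypt starts before the hunk and continues after it.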
@@ -163,12 +163,9 @@ func ParseProjectIDOrName(value interface{}) (int64, string, error) {
 
 var id int64
 var name string
-switch value.(type) {
-case int:
-i := value.(int)
-id = int64(i)
-case int64:
-id = value.(int64)
+switch v := value.(type) {
+case int, int64:
+id = reflect.ValueOf(v).Int()
 case string:
 name = value.(string)
 default:
diff --git a/src/controller/robot/controller.go b/src/controller/robot/controller.go
index 930d73325..81503e966 100644
--- a/src/controller/robot/controller.go
+++ b/src/controller/robot/controller.go
@@ -3,6 +3,9 @@ package robot
 import (
 "context"
 "fmt"
+"strconv"
+"time"
+
 rbac_project "github.com/goharbor/harbor/src/common/rbac/project"
 "github.com/goharbor/harbor/src/common/utils"
 "github.com/goharbor/harbor/src/lib/config"
@@ -15,7 +18,6 @@ import (
 rbac_model "github.com/goharbor/harbor/src/pkg/rbac/model"
 robot "github.com/goharbor/harbor/src/pkg/robot"
 "github.com/goharbor/harbor/src/pkg/robot/model"
-"time"
 )
 
 var (
@@ -88,7 +90,12 @@ func (d *controller) Create(ctx context.Context, r *Robot) (int64, string, error
 r.Duration = int64(config.RobotTokenDuration(ctx))
 expiresAt = time.Now().AddDate(0, 0, config.RobotTokenDuration(ctx)).Unix()
 } else {
-expiresAt = time.Now().AddDate(0, 0, int(r.Duration)).Unix()
+durationStr := strconv.FormatInt(r.Duration, 10)
+duration, err := strconv.Atoi(durationStr)
+if err != nil {
+return 0, "", err
+}
+expiresAt = time.Now().AddDate(0, 0, duration).Unix()
 }
 
 pwd := utils.GenerateRandomString()
diff --git a/src/pkg/reg/adapter/jfrog/adapter.go b/src/pkg/reg/adapter/jfrog/adapter.go
index 379fd93c8..0db0eee22 100644
--- a/src/pkg/reg/adapter/jfrog/adapter.go
+++ b/src/pkg/reg/adapter/jfrog/adapter.go
@@ -20,7 +20,6 @@ import (
 "io"
 "io/ioutil"
 "net/http"
-"strconv"
 "strings"
 
 "github.com/goharbor/harbor/src/pkg/registry/auth/basic"
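Review bot: `id = reflect.ValueOf(v).Int()` reaches for reflection to convert a value the type switch has already narrowed; splitting the combined arm keeps `v` statically typed and needs no reflect at all: `case int: id = int64(v)` and `case int64: id = v`. With `v` bound by the switch, the string arm can likewise read `name = v` instead of re-asserting `value.(string)`. Whether `reflect` was already imported in utils.go is not visible in this hunk; if it was added only for this line, the import can go too. ParseProjectIDOrName starts before the hunk and continues past it.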
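Review bot: Converting `r.Duration` through `strconv.FormatInt` and back with `strconv.Atoi` does not bound the value: on 64-bit platforms `Atoi` accepts the full int64 range, so the round trip only silences the int64-to-int conversion finding, and an arbitrarily large or negative day count still reaches `time.Now().AddDate`. An explicit range check states the intent directly and needs neither the string conversion nor the `strconv` import added in the first hunk (it does need `math`); the exact lower bound depends on how negative durations are treated in the branch above, which lies outside the hunk. Create's body starts before the hunk and continues past it.
```go
} else {
	if r.Duration < 0 || r.Duration > math.MaxInt32 {
		return 0, "", fmt.Errorf("invalid robot token duration %d", r.Duration)
	}
	expiresAt = time.Now().AddDate(0, 0, int(r.Duration)).Unix()
}
```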
@@ -289,7 +288,7 @@ func (a *adapter) PushBlob(repository, digest string, size int64, blob io.Reader
 if err != nil {
 return err
 }
-rangeSize := strconv.Itoa(int(size))
+rangeSize := fmt.Sprintf("%d", size)
 req.Header.Set("Content-Length", rangeSize)
 req.Header.Set("Content-Range", fmt.Sprintf("0-%s", rangeSize))
 req.Header.Set("Content-Type", "application/octet-stream")
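Review bot: `fmt.Sprintf("%d", size)` replaces one conversion with a reflection-based formatter when `strconv.FormatInt(size, 10)` converts the int64 directly; `rangeSize := strconv.FormatInt(size, 10)` is the natural form, and it keeps the `strconv` import that the previous hunk removes, so that hunk would be dropped. Separately, nothing rejects a negative `size` before it is written into `Content-Length`; whether a caller can pass one is not visible here, so a guard such as `if size < 0 { return fmt.Errorf("invalid blob size %d", size) }` near the top of PushBlob may be worth adding. PushBlob starts before the hunk and continues past it.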