loading up the forgejo repo on tangled to test page performance
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

Handle base64 decoding correctly to avoid panic (#26483)

Fix the panic if the "base64 secret" is too long.

authored by

wxiaoguang and committed by
GitHub
ed1be4ca cafce3b4

+43 -30
+2 -2
cmd/generate.go
··· 70 70 } 71 71 72 72 func runGenerateLfsJwtSecret(c *cli.Context) error { 73 - JWTSecretBase64, err := generate.NewJwtSecretBase64() 73 + _, jwtSecretBase64, err := generate.NewJwtSecretBase64() 74 74 if err != nil { 75 75 return err 76 76 } 77 77 78 - fmt.Printf("%s", JWTSecretBase64) 78 + fmt.Printf("%s", jwtSecretBase64) 79 79 80 80 if isatty.IsTerminal(os.Stdout.Fd()) { 81 81 fmt.Printf("\n")
+3 -3
modules/generate/generate.go
··· 49 49 } 50 50 51 51 // NewJwtSecretBase64 generates a new base64 encoded value intended to be used for JWT secrets. 52 - func NewJwtSecretBase64() (string, error) { 52 + func NewJwtSecretBase64() ([]byte, string, error) { 53 53 bytes, err := NewJwtSecret() 54 54 if err != nil { 55 - return "", err 55 + return nil, "", err 56 56 } 57 - return base64.RawURLEncoding.EncodeToString(bytes), nil 57 + return bytes, base64.RawURLEncoding.EncodeToString(bytes), nil 58 58 } 59 59 60 60 // NewSecretKey generate a new value intended to be used by SECRET_KEY.
+5 -7
modules/setting/lfs.go
··· 9 9 "time" 10 10 11 11 "code.gitea.io/gitea/modules/generate" 12 + "code.gitea.io/gitea/modules/util" 12 13 ) 13 14 14 15 // LFS represents the configuration for Git LFS ··· 56 57 57 58 LFS.HTTPAuthExpiry = sec.Key("LFS_HTTP_AUTH_EXPIRY").MustDuration(24 * time.Hour) 58 59 59 - if !LFS.StartServer { 60 + if !LFS.StartServer || !InstallLock { 60 61 return nil 61 62 } 62 63 63 64 LFS.JWTSecretBase64 = loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET") 64 - 65 - LFS.JWTSecretBytes = make([]byte, 32) 66 - n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64)) 67 - 68 - if (err != nil || n != 32) && InstallLock { 69 - LFS.JWTSecretBase64, err = generate.NewJwtSecretBase64() 65 + LFS.JWTSecretBytes, err = util.Base64FixedDecode(base64.RawURLEncoding, []byte(LFS.JWTSecretBase64), 32) 66 + if err != nil { 67 + LFS.JWTSecretBytes, LFS.JWTSecretBase64, err = generate.NewJwtSecretBase64() 70 68 if err != nil { 71 69 return fmt.Errorf("error generating JWT Secret for custom config: %v", err) 72 70 }
+6 -7
modules/setting/oauth2.go
··· 10 10 11 11 "code.gitea.io/gitea/modules/generate" 12 12 "code.gitea.io/gitea/modules/log" 13 + "code.gitea.io/gitea/modules/util" 13 14 ) 14 15 15 16 // OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data ··· 129 130 } 130 131 131 132 if InstallLock { 132 - key := make([]byte, 32) 133 - n, err := base64.RawURLEncoding.Decode(key, []byte(OAuth2.JWTSecretBase64)) 134 - if err != nil || n != 32 { 135 - key, err = generate.NewJwtSecret() 133 + if _, err := util.Base64FixedDecode(base64.RawURLEncoding, []byte(OAuth2.JWTSecretBase64), 32); err != nil { 134 + key, err := generate.NewJwtSecret() 136 135 if err != nil { 137 136 log.Fatal("error generating JWT secret: %v", err) 138 137 } 139 138 140 - secretBase64 := base64.RawURLEncoding.EncodeToString(key) 139 + OAuth2.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(key) 141 140 saveCfg, err := rootCfg.PrepareSaving() 142 141 if err != nil { 143 142 log.Fatal("save oauth2.JWT_SECRET failed: %v", err) 144 143 } 145 - rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64) 146 - saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64) 144 + rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64) 145 + saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64) 147 146 if err := saveCfg.Save(); err != nil { 148 147 log.Fatal("save oauth2.JWT_SECRET failed: %v", err) 149 148 }
+11
modules/util/util.go
··· 6 6 import ( 7 7 "bytes" 8 8 "crypto/rand" 9 + "encoding/base64" 9 10 "fmt" 10 11 "math/big" 11 12 "strconv" ··· 261 262 func ToPointer[T any](val T) *T { 262 263 return &val 263 264 } 265 + 266 + func Base64FixedDecode(encoding *base64.Encoding, src []byte, length int) ([]byte, error) { 267 + decoded := make([]byte, encoding.DecodedLen(len(src))+3) 268 + if n, err := encoding.Decode(decoded, src); err != nil { 269 + return nil, err 270 + } else if n != length { 271 + return nil, fmt.Errorf("invalid base64 decoded length: %d, expects: %d", n, length) 272 + } 273 + return decoded[:length], nil 274 + }
+14
modules/util/util_test.go
··· 4 4 package util 5 5 6 6 import ( 7 + "encoding/base64" 7 8 "regexp" 8 9 "strings" 9 10 "testing" ··· 233 234 val123 := 123 234 235 assert.False(t, &val123 == ToPointer(val123)) 235 236 } 237 + 238 + func TestBase64FixedDecode(t *testing.T) { 239 + _, err := Base64FixedDecode(base64.RawURLEncoding, []byte("abcd"), 32) 240 + assert.ErrorContains(t, err, "invalid base64 decoded length") 241 + _, err = Base64FixedDecode(base64.RawURLEncoding, []byte(strings.Repeat("a", 64)), 32) 242 + assert.ErrorContains(t, err, "invalid base64 decoded length") 243 + 244 + str32 := strings.Repeat("x", 32) 245 + encoded32 := base64.RawURLEncoding.EncodeToString([]byte(str32)) 246 + decoded32, err := Base64FixedDecode(base64.RawURLEncoding, []byte(encoded32), 32) 247 + assert.NoError(t, err) 248 + assert.Equal(t, str32, string(decoded32)) 249 + }
+1 -1
routers/install/install.go
··· 415 415 cfg.Section("server").Key("LFS_START_SERVER").SetValue("true") 416 416 cfg.Section("lfs").Key("PATH").SetValue(form.LFSRootPath) 417 417 var lfsJwtSecret string 418 - if lfsJwtSecret, err = generate.NewJwtSecretBase64(); err != nil { 418 + if _, lfsJwtSecret, err = generate.NewJwtSecretBase64(); err != nil { 419 419 ctx.RenderWithErr(ctx.Tr("install.lfs_jwt_secret_failed", err), tplInstall, &form) 420 420 return 421 421 }
+1 -10
services/auth/source/oauth2/jwtsigningkey.go
··· 336 336 // loadSymmetricKey checks if the configured secret is valid. 337 337 // If it is not valid, it will return an error. 338 338 func loadSymmetricKey() (any, error) { 339 - key := make([]byte, 32) 340 - n, err := base64.RawURLEncoding.Decode(key, []byte(setting.OAuth2.JWTSecretBase64)) 341 - if err != nil { 342 - return nil, err 343 - } 344 - if n != 32 { 345 - return nil, fmt.Errorf("JWT secret must be 32 bytes long") 346 - } 347 - 348 - return key, nil 339 + return util.Base64FixedDecode(base64.RawURLEncoding, []byte(setting.OAuth2.JWTSecretBase64), 32) 349 340 } 350 341 351 342 // loadOrCreateAsymmetricKey checks if the configured private key exists.