Address some CodeQL security concerns (#35572)

Although there is no real security problem
wxiaoguang
2025-10-04 01:21:26 +08:00
committed by GitHub
parent c4532101a4
commit 71360a94cb
35 changed files with 118 additions and 78 deletions


@@ -10,6 +10,7 @@ import (
"strings"
"text/template"
"time"
"unicode"
user_model "code.gitea.io/gitea/models/user"
"code.gitea.io/gitea/modules/log"
@@ -37,6 +38,16 @@ const keyOfRequestIDInTemplate = ".RequestID"
// So, we accept a Request ID with a maximum character length of 40
const maxRequestIDByteLength = 40
func isSafeRequestID(id string) bool {
for _, r := range id {
safe := unicode.IsPrint(r)
if !safe {
return false
}
}
return true
}
func parseRequestIDFromRequestHeader(req *http.Request) string {
requestID := "-"
for _, key := range setting.Log.RequestIDHeaders {
@@ -45,6 +56,9 @@ func parseRequestIDFromRequestHeader(req *http.Request) string {
break
}
}
if !isSafeRequestID(requestID) {
return "-"
}
if len(requestID) > maxRequestIDByteLength {
requestID = requestID[:maxRequestIDByteLength] + "..."
}
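Review bot: isSafeRequestID still lets invalid UTF-8 through: `range id` turns each malformed byte into utf8.RuneError (U+FFFD), and unicode.IsPrint reports that rune as printable, so the raw bytes reach the log line unchanged; a leading `if !utf8.ValidString(id) { return false }` (import `unicode/utf8`) closes that gap. The byte-indexed truncation on the last line of this hunk has the mirror problem — it runs after the check and can split a multi-byte rune at byte 40, reintroducing invalid UTF-8 into a value that was just validated, while the comment above the constant describes the limit as a character length. Back up to a rune boundary before slicing: `cut := maxRequestIDByteLength`, `for cut > 0 && !utf8.RuneStart(requestID[cut]) { cut-- }`, `requestID = requestID[:cut] + "..."`. parseRequestIDFromRequestHeader continues past the end of the hunk, so the eventual use of requestID is not visible here.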