feat: addressed security vulnerabilities and added fmt, linting

hokamsingh · Aug 30, 2024 · 02449f8 · 02449f8
1 parent 82c5abc
commit 02449f8
Show file tree

Hide file tree

Showing 8 changed files with 44 additions and 15 deletions.
diff --git a/.gitignore b/.gitignore
@@ -47,4 +47,7 @@ Thumbs.db
 Dockerfile
 docker-compose.yml
 
-.air.toml
+.air.toml
+
+#makefile
+Makefile
diff --git a/internal/core/context/context.go b/internal/core/context/context.go
@@ -120,7 +120,10 @@ func (c *Context) Error(status int, message string) {
 	}
 	c.Res.Header().Set("Content-Type", "application/json")
 	c.Res.WriteHeader(status)
-	json.NewEncoder(c.Res).Encode(map[string]string{"error": message})
+	err := json.NewEncoder(c.Res).Encode(map[string]string{"error": message})
+	if err != nil {
+		log.Fatal("can not encode json")
+	}
 	// Close the response after sending the error
 	c.responseSent = true
 	c.Res.(http.Flusher).Flush() // Ensures the data is sent to the client

diff --git a/internal/core/discovery/discover.go b/internal/core/discovery/discover.go
@@ -21,7 +21,7 @@ func DiscoverModules() ([]func() module.IModule, error) {
 	pluginDir := "app/plugins"
 
 	// Ensure the plugin directory exists
-	err := os.MkdirAll(pluginDir, os.ModePerm)
+	err := os.MkdirAll(pluginDir, 0750)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create plugins directory: %w", err)
 	}

diff --git a/internal/core/middleware/file_uploader.go b/internal/core/middleware/file_uploader.go
@@ -21,7 +21,7 @@ type FileUploadMiddleware struct {
 // NewFileUploadMiddleware creates a new instance of FileUploadMiddleware
 func NewFileUploadMiddleware(uploadDir string, maxFileSize int64, allowedExts []string) *FileUploadMiddleware {
 	// Ensure the upload directory exists
-	if err := os.MkdirAll(uploadDir, os.ModePerm); err != nil {
+	if err := os.MkdirAll(uploadDir, 0750); err != nil {
 		log.Fatalf("Failed to create upload directory: %v", err)
 	}
 
@@ -71,7 +71,14 @@ func (f *FileUploadMiddleware) Handle(next http.Handler) http.Handler {
 		filePath := filepath.Join(f.uploadDir, fileName)
 
 		// Create the file
-		destFile, err := os.Create(filePath)
+		cleanFilePath := filepath.Clean(filePath)
+		if !strings.HasPrefix(cleanFilePath, f.uploadDir) {
+			log.Panic("invalid file path")
+			log.Printf("Error creating file: %v", err)
+			return
+		}
+
+		destFile, err := os.Create(cleanFilePath)
 		if err != nil {
 			http.Error(w, "Unable to save file", http.StatusInternalServerError)
 			log.Printf("Error creating file: %v", err)

diff --git a/internal/core/router/router.go b/internal/core/router/router.go
@@ -343,7 +343,20 @@ func (r *Router) Start(addr string) error {
 	for _, m := range r.middleware {
 		finalHandler = m.Handle(finalHandler)
 	}
-	return http.ListenAndServe(addr, finalHandler)
+
+	server := &http.Server{
+		Addr:         addr,
+		Handler:      finalHandler,
+		ReadTimeout:  5 * time.Second,   // Defaults timeout
+		WriteTimeout: 10 * time.Second,  // Defaults timeout
+		IdleTimeout:  120 * time.Second, // Defaults timeout
+	}
+
+	err := server.ListenAndServe()
+	if err != nil {
+		log.Fatalf("Server failed: %v", err)
+	}
+	return err
 }
 
 // Start http server

diff --git a/internal/utils/utils.go b/internal/utils/utils.go
@@ -17,22 +17,23 @@ import (
 	"github.com/go-redis/redis/v8"
 )
 
-func GetFolderPath(folderName string) (string, error) {
+func GetFolderPath(folderName string) string {
 	// Get the current working directory
 	cwd, err := os.Getwd()
 	if err != nil {
-		return "", err
+		log.Panicf("Failed to get folder path: %v", err)
+		return ""
 	}
 
 	// Join the CWD with the folder name
 	folderPath := filepath.Join(cwd, folderName)
 
 	// Check if the folder exists
 	if _, err := os.Stat(folderPath); os.IsNotExist(err) {
-		return "", err
+		log.Panicf("folder does not exists: %v", err)
+		return ""
 	}
-
-	return folderPath, nil
+	return folderPath
 }
 
 // func RegisterModuleRoutes(container *di.Container, r *router.Router, _ interface{}) {

diff --git a/pkg/lessgo/less.go b/pkg/lessgo/less.go
@@ -1,6 +1,7 @@
 package LessGo
 
 import (
+	"log"
 	"time"
 
 	"github.com/go-redis/redis/v8"
@@ -327,7 +328,7 @@ func RegisterDependencies(dependencies []interface{}) {
 }
 
 // Resolves the path of specified folder
-func GetFolderPath(folderName string) (string, error) {
+func GetFolderPath(folderName string) string {
 	return utils.GetFolderPath(folderName)
 }
 
@@ -374,9 +375,10 @@ const (
 //	Gigabytes SizeUnit = "gigabytes"
 //
 // )
-func ConvertToBytes(size int64, unit SizeUnit) (int64, error) {
+func ConvertToBytes(size int64, unit SizeUnit) int64 {
 	s, err := utils.ConvertToBytes(float64(size), utils.SizeUnit(unit))
-	return int64(s), err
+	log.Printf("Failed to convert bytes: %v", err)
+	return int64(s)
 }
 
 func NewRedisClient(redisAddr string) *redis.Client {

diff --git a/tests/lessgo/framework_benchmark_test.go b/tests/lessgo/framework_benchmark_test.go
@@ -19,7 +19,7 @@ func BenchmarkHandler(b *testing.B) {
 		[]string{"Content-Type", "Authorization"},
 	)
 
-	size, _ := LessGo.ConvertToBytes(int64(1024), LessGo.Kilobytes)
+	size := LessGo.ConvertToBytes(int64(1024), LessGo.Kilobytes)
 	parserOptions := LessGo.NewParserOptions(size * 5)
 
 	rClient := LessGo.NewRedisClient("localhost:6379")