mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-03-29 13:03:04 -04:00
f93d2cb261
One of the security patches released 2026-03-09 [fixed a vulnerability](d1c7b04d09) caused by a misapplication of Go `case` statements, where the implementation would have been correct if Go `case` statements automatically fall through to the next case block, but they do not. This PR adds a semgrep rule which detects any empty `case` statement and raises an error, in order to prevent this coding mistake in the future.
For example, code like this will now trigger a build error:
```go
switch setting.Protocol {
case setting.HTTPUnix:
case setting.FCGI:
case setting.FCGIUnix:
default:
defaultLocalURL := string(setting.Protocol) + "://"
}
```
Example error:
```
cmd/web.go
❯❯❱ semgrep.config.forgejo-switch-empty-case
switch has a case block with no content. This is treated as "break" by Go, but developers may
confuse it for "fallthrough". To fix this error, disambiguate by using "break" or
"fallthrough".
279┆ switch setting.Protocol {
280┆ case setting.HTTPUnix:
281┆ case setting.FCGI:
282┆ case setting.FCGIUnix:
283┆ default:
284┆ defaultLocalURL := string(setting.Protocol) + "://"
285┆ if setting.HTTPAddr == "0.0.0.0" {
286┆ defaultLocalURL += "localhost"
287┆ } else {
288┆ defaultLocalURL += setting.HTTPAddr
```
As described in the error output, this error can be fixed by explicitly listing `break` (the real Go behaviour, to do nothing in the block), or by listing `fallthrough` (if the intent was to fall through).
All existing code triggering this detection has been changed to `break` (or, rarely, irrelevant cases have been removed), which should maintain the same code functionality. While performing this fixup, a light analysis was performed on each case and they *appeared* correct, but with ~65 cases I haven't gone into extreme depth.
Tests are present for the semgrep rule in `.semgrep/tests/go.go`.
## Checklist
The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
### Documentation
- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
- [x] I did not document these changes and I do not expect someone else to do it.
### Release notes
- [ ] This change will be noticed by a Forgejo user or admin (feature, bug fix, performance, etc.). I suggest to include a release note for this change.
- [x] This change is not visible to a Forgejo user or admin (refactor, dependency upgrade, etc.). I think there is no need to add a release note for this change.
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/11593
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net>
Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
204 lines
5.7 KiB
Go
204 lines
5.7 KiB
Go
// Copyright 2021 The Gitea Authors.
|
|
// All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package pull
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"strconv"
|
|
"strings"
|
|
|
|
"forgejo.org/modules/git"
|
|
"forgejo.org/modules/log"
|
|
)
|
|
|
|
// lsFileLine is a Quadruplet struct (+error) representing a partially parsed line from ls-files
|
|
type lsFileLine struct {
|
|
mode string
|
|
sha string
|
|
stage int
|
|
path string
|
|
err error
|
|
}
|
|
|
|
// SameAs checks if two lsFileLines are referring to the same path, sha and mode (ignoring stage)
|
|
func (line *lsFileLine) SameAs(other *lsFileLine) bool {
|
|
if line == nil || other == nil {
|
|
return false
|
|
}
|
|
|
|
if line.err != nil || other.err != nil {
|
|
return false
|
|
}
|
|
|
|
return line.mode == other.mode &&
|
|
line.sha == other.sha &&
|
|
line.path == other.path
|
|
}
|
|
|
|
// String provides a string representation for logging
|
|
func (line *lsFileLine) String() string {
|
|
if line == nil {
|
|
return "<nil>"
|
|
}
|
|
if line.err != nil {
|
|
return fmt.Sprintf("%d %s %s %s %v", line.stage, line.mode, line.path, line.sha, line.err)
|
|
}
|
|
return fmt.Sprintf("%d %s %s %s", line.stage, line.mode, line.path, line.sha)
|
|
}
|
|
|
|
// readUnmergedLsFileLines calls git ls-files -u -z and parses the lines into mode-sha-stage-path quadruplets
|
|
// it will push these to the provided channel closing it at the end
|
|
func readUnmergedLsFileLines(ctx context.Context, tmpBasePath string, outputChan chan *lsFileLine) {
|
|
defer func() {
|
|
// Always close the outputChan at the end of this function
|
|
close(outputChan)
|
|
}()
|
|
|
|
lsFilesReader, lsFilesWriter, err := os.Pipe()
|
|
if err != nil {
|
|
log.Error("Unable to open stderr pipe: %v", err)
|
|
outputChan <- &lsFileLine{err: fmt.Errorf("unable to open stderr pipe: %w", err)}
|
|
return
|
|
}
|
|
defer func() {
|
|
_ = lsFilesWriter.Close()
|
|
_ = lsFilesReader.Close()
|
|
}()
|
|
|
|
stderr := &strings.Builder{}
|
|
err = git.NewCommand(ctx, "ls-files", "-u", "-z").
|
|
Run(&git.RunOpts{
|
|
Dir: tmpBasePath,
|
|
Stdout: lsFilesWriter,
|
|
Stderr: stderr,
|
|
PipelineFunc: func(_ context.Context, _ context.CancelFunc) error {
|
|
_ = lsFilesWriter.Close()
|
|
defer func() {
|
|
_ = lsFilesReader.Close()
|
|
}()
|
|
bufferedReader := bufio.NewReader(lsFilesReader)
|
|
|
|
for {
|
|
line, err := bufferedReader.ReadString('\000')
|
|
if err != nil {
|
|
if err == io.EOF {
|
|
return nil
|
|
}
|
|
return err
|
|
}
|
|
toemit := &lsFileLine{}
|
|
|
|
split := strings.SplitN(line, " ", 3)
|
|
if len(split) < 3 {
|
|
return fmt.Errorf("malformed line: %s", line)
|
|
}
|
|
toemit.mode = split[0]
|
|
toemit.sha = split[1]
|
|
|
|
if len(split[2]) < 4 {
|
|
return fmt.Errorf("malformed line: %s", line)
|
|
}
|
|
|
|
toemit.stage, err = strconv.Atoi(split[2][0:1])
|
|
if err != nil {
|
|
return fmt.Errorf("malformed line: %s", line)
|
|
}
|
|
|
|
toemit.path = split[2][2 : len(split[2])-1]
|
|
outputChan <- toemit
|
|
}
|
|
},
|
|
})
|
|
if err != nil {
|
|
outputChan <- &lsFileLine{err: fmt.Errorf("git ls-files -u -z: %w", git.ConcatenateError(err, stderr.String()))}
|
|
}
|
|
}
|
|
|
|
// unmergedFile is triple (+error) of lsFileLines split into stages 1,2 & 3.
|
|
type unmergedFile struct {
|
|
stage1 *lsFileLine
|
|
stage2 *lsFileLine
|
|
stage3 *lsFileLine
|
|
err error
|
|
}
|
|
|
|
// String provides a string representation of the an unmerged file for logging
|
|
func (u *unmergedFile) String() string {
|
|
if u == nil {
|
|
return "<nil>"
|
|
}
|
|
if u.err != nil {
|
|
return fmt.Sprintf("error: %v\n%v\n%v\n%v", u.err, u.stage1, u.stage2, u.stage3)
|
|
}
|
|
return fmt.Sprintf("%v\n%v\n%v", u.stage1, u.stage2, u.stage3)
|
|
}
|
|
|
|
// unmergedFiles will collate the output from readUnstagedLsFileLines in to file triplets and send them
|
|
// to the provided channel, closing at the end.
|
|
func unmergedFiles(ctx context.Context, tmpBasePath string, unmerged chan *unmergedFile) {
|
|
defer func() {
|
|
// Always close the channel
|
|
close(unmerged)
|
|
}()
|
|
|
|
ctx, cancel := context.WithCancel(ctx)
|
|
lsFileLineChan := make(chan *lsFileLine, 10) // give lsFileLineChan a buffer
|
|
go readUnmergedLsFileLines(ctx, tmpBasePath, lsFileLineChan)
|
|
defer func() {
|
|
cancel()
|
|
for range lsFileLineChan {
|
|
// empty channel
|
|
}
|
|
}()
|
|
|
|
next := &unmergedFile{}
|
|
for line := range lsFileLineChan {
|
|
log.Trace("Got line: %v Current State:\n%v", line, next)
|
|
if line.err != nil {
|
|
log.Error("Unable to run ls-files -u -z! Error: %v", line.err)
|
|
unmerged <- &unmergedFile{err: fmt.Errorf("unable to run ls-files -u -z! Error: %w", line.err)}
|
|
return
|
|
}
|
|
|
|
// stages are always emitted 1,2,3 but sometimes 1, 2 or 3 are dropped
|
|
switch line.stage {
|
|
case 0:
|
|
// Should not happen as this represents successfully merged file - we will tolerate and ignore though
|
|
break
|
|
case 1:
|
|
if next.stage1 != nil || next.stage2 != nil || next.stage3 != nil {
|
|
// We need to handle the unstaged file stage1,stage2,stage3
|
|
unmerged <- next
|
|
}
|
|
next = &unmergedFile{stage1: line}
|
|
case 2:
|
|
if next.stage3 != nil || next.stage2 != nil || (next.stage1 != nil && next.stage1.path != line.path) {
|
|
// We need to handle the unstaged file stage1,stage2,stage3
|
|
unmerged <- next
|
|
next = &unmergedFile{}
|
|
}
|
|
next.stage2 = line
|
|
case 3:
|
|
if next.stage3 != nil || (next.stage1 != nil && next.stage1.path != line.path) || (next.stage2 != nil && next.stage2.path != line.path) {
|
|
// We need to handle the unstaged file stage1,stage2,stage3
|
|
unmerged <- next
|
|
next = &unmergedFile{}
|
|
}
|
|
next.stage3 = line
|
|
default:
|
|
log.Error("Unexpected stage %d for path %s in run ls-files -u -z!", line.stage, line.path)
|
|
unmerged <- &unmergedFile{err: fmt.Errorf("unexpected stage %d for path %s in git ls-files -u -z", line.stage, line.path)}
|
|
return
|
|
}
|
|
}
|
|
// We need to handle the unstaged file stage1,stage2,stage3
|
|
if next.stage1 != nil || next.stage2 != nil || next.stage3 != nil {
|
|
unmerged <- next
|
|
}
|
|
}
|