From e8f965e98079ddba47404c8fd06b0fbd1dc57f3e Mon Sep 17 00:00:00 2001
From: Aaron Liu
Date: Wed, 14 Jan 2026 12:39:42 +0800
Subject: [PATCH] fix(security): resolve multiple vulnerability. Vulnerability identified and fix provided by Kolega.dev (https://kolega.dev)
---
 inventory/client.go | 2 +-
 inventory/user.go | 2 +-
 pkg/auth/hmac.go | 3 ++-
 pkg/filemanager/manager/upload.go | 2 +-
 pkg/util/common.go | 16 ++++++++++++++++
 5 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/inventory/client.go b/inventory/client.go
index 7f342abb..2a1ac1f4 100644
--- a/inventory/client.go
+++ b/inventory/client.go
@@ -67,7 +67,7 @@ func NewRawEntClient(l logging.Logger, config conf.ConfigProvider) (*ent.Client,
 	}
 	// If Database connection string provided, use it directly.
 	if dbConfig.DatabaseURL != "" {
-		l.Info("Connect to database with connection string %q.", dbConfig.DatabaseURL)
+		l.Info("Connect to database with connection string")
 		client, err = sql.Open(string(confDBType), dbConfig.DatabaseURL)
 	} else {
diff --git a/inventory/user.go b/inventory/user.go
index f394050a..569c579d 100644
--- a/inventory/user.go
+++ b/inventory/user.go
@@ -600,7 +600,7 @@ func withUserEagerLoading(ctx context.Context, q *ent.UserQuery) *ent.UserQuery
 func digestPassword(password string) (string, error) {
 	//生成16位 Salt
-	salt := util.RandStringRunes(16)
+	salt := util.RandStringRunesCrypto(32)
 	//计算 Salt 和密码组合的SHA1摘要
 	hash := sha256.New()
diff --git a/pkg/auth/hmac.go b/pkg/auth/hmac.go
index 2654249b..45551c54 100644
--- a/pkg/auth/hmac.go
+++ b/pkg/auth/hmac.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"crypto/hmac"
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base64"
 	"io"
 	"strconv"
@@ -49,7 +50,7 @@ func (auth HMACAuth) Check(body string, sign string) error {
 	}
 	// 验证签名
-	if auth.Sign(body, expires) != sign {
+	if subtle.ConstantTimeCompare([]byte(auth.Sign(body, expires)), []byte(sign)) != 1 {
 		return serializer.NewError(serializer.CodeInvalidSign, "invalid sign", nil)
 	}
 	return nil
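Review bot: The comment directly above the changed line in digestPassword still says a 16-character salt is generated (`//生成16位 Salt`) while the new call produces 32 characters; update it to `// generate a 32-character salt with crypto/rand`. The comment two lines below also names SHA1 although the code uses sha256.New(), which the same edit could correct. Hashes already stored were salted with 16-character values, so whether the verification path parses the stored salt rather than assuming a fixed 16-character prefix cannot be seen here and should be confirmed. The rest of digestPassword continues outside the hunk.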
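Review bot: The constant-time comparison on the changed line in Check carries no comment saying why it replaced `!=`, and a later "simplification" back to a plain string compare would silently reintroduce the timing side channel; add `// Compare in constant time so a mismatch cannot be distinguished by response timing.` above it. subtle.ConstantTimeCompare returns 0 without examining contents when the two lengths differ, which is acceptable only if every valid signature has one fixed length — presumably the case for a base64 HMAC-SHA256 from Sign, but Sign is outside the hunk. Check's body starts outside the hunk (expires is produced above it).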
diff --git a/pkg/filemanager/manager/upload.go b/pkg/filemanager/manager/upload.go
index 7cd68fbc..ba578b06 100644
--- a/pkg/filemanager/manager/upload.go
+++ b/pkg/filemanager/manager/upload.go
@@ -154,7 +154,7 @@ func (m *manager) ConfirmUploadSession(ctx context.Context, session *fs.UploadSe
 	}
 	// Confirm locks on placeholder file
-	if session.LockToken == "" {
+	if session.LockToken != "" {
 		release, ls, err := m.fs.ConfirmLock(ctx, file, file.Uri(false), session.LockToken)
 		if err != nil {
 			return nil, fs.ErrLockExpired.WithError(err)
diff --git a/pkg/util/common.go b/pkg/util/common.go
index abac9d3a..1b5aa0c4 100644
--- a/pkg/util/common.go
+++ b/pkg/util/common.go
@@ -2,7 +2,9 @@ package util
 import (
 	"context"
+	cryptoRand "crypto/rand"
 	"fmt"
+	"math/big"
 	"math/rand"
 	"path"
 	"path/filepath"
@@ -34,6 +36,20 @@ func RandStringRunes(n int) string {
 	return string(b)
 }
+func RandStringRunesCrypto(n int) string {
+	b := make([]rune, n)
+	for i := range b {
+		num, err := cryptoRand.Int(cryptoRand.Reader, big.NewInt(int64(len(RandomVariantAll))))
+		if err != nil {
+			// fallback to math/rand on crypto failure
+			b[i] = RandomVariantAll[rand.Intn(len(RandomVariantAll))]
+		} else {
+			b[i] = RandomVariantAll[num.Int64()]
+		}
+	}
+	return string(b)
+}
+
 // RandString returns random string in given length and variant
 func RandString(n int, variant []rune) string {
 	b := make([]rune, n)
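Review bot: With the flipped condition in ConfirmUploadSession, ConfirmLock now runs only when the session carries a LockToken, and nothing in the hunk says what protects the placeholder file when no token was supplied; that path should be confirmed as intentionally skipping lock confirmation rather than needing to fail, since the function continues outside the hunk. Because the inverted comparison went unnoticed until now, a regression test that calls ConfirmUploadSession once with and once without a LockToken and asserts ConfirmLock is invoked only in the former would pin the fix. A comment on the changed line would also make the intent explicit: `// Only sessions that hold a lock token need their lock confirmed here.`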
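Review bot: The fallback branch in RandStringRunesCrypto silently substitutes math/rand output for a function whose name promises crypto-quality randomness, so a caller such as digestPassword cannot distinguish a weak salt from a strong one; a failing crypto/rand Reader is an environment fault that should stop the operation, so replace the fallback with `panic(fmt.Errorf("crypto/rand unavailable: %w", err))` (fmt is already imported in this file) or change the signature to return an error. The exported function also has no doc comment; add `// RandStringRunesCrypto returns a string of n runes drawn from RandomVariantAll using crypto/rand.` If RandomVariantAll were ever empty, big.NewInt(0) would make cryptoRand.Int panic — presumably it is a non-empty package-level table, but its definition is not visible here.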