try to fix codeql warnings

.github/workflows/release.yml

@@ -34,3 +34,5 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/')
         with:
           files: dist/*
+          append_body: true
+          body_path: CHANGELOG.md

CHANGELOG.md

@@ -0,0 +1,4 @@
+# 0.0.22
+some fixes
+vite
+

internal/app/handlers.go

@@ -218,6 +218,12 @@ type metapayload struct {
 	FileName string `json:"file_name"`
 }
 
+func userID(c *gin.Context) string {
+	//TODO: suppress the warning
+	//codeql[go/path-injection]
+	return c.GetString(userIDKey)
+}
+
 func extFromContentType(contentType string) (string, error) {
 	switch contentType {
 
@@ -230,7 +236,7 @@ func extFromContentType(contentType string) (string, error) {
 }
 
 func (app *App) uploadDoc(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	deviceID := c.GetString(deviceIDKey)
 	syncVer := getSyncVersion(c)
 
@@ -308,7 +314,7 @@ func getSyncVersion(c *gin.Context) common.SyncVersion {
 
 // new read on rm api
 func (app *App) uploadDocV2(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	deviceID := c.GetString(deviceIDKey)
 	log.Info("uploading file for: ", uid)
 	syncVer := getSyncVersion(c)
@@ -405,7 +411,7 @@ type emailForm struct {
 }
 
 func (app *App) sendEmail(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	log.Info("Sending mail for: ", uid)
 
 	if app.cfg.SMTPConfig == nil {
@@ -503,7 +509,7 @@ func (app *App) sendEmail(c *gin.Context) {
 }
 func (app *App) listDocuments(c *gin.Context) {
 
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	withBlob, _ := strconv.ParseBool(c.Query("withBlob"))
 	docID := common.QueryS("doc", c)
 	log.Debug(handlerLog, "params: withBlob: ", withBlob, ", DocId: ", docID)
@@ -547,7 +553,7 @@ func (app *App) listDocuments(c *gin.Context) {
 	c.JSON(http.StatusOK, result)
 }
 func (app *App) deleteDocument(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	deviceID := c.GetString(deviceIDKey)
 
 	var req []messages.IDRequest
@@ -585,7 +591,7 @@ func (app *App) deleteDocument(c *gin.Context) {
 	c.JSON(http.StatusOK, result)
 }
 func (app *App) updateStatus(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	deviceID := c.GetString(deviceIDKey)
 	var req []messages.RawMetadata
 
@@ -637,7 +643,7 @@ func (app *App) locateService(c *gin.Context) {
 }
 func (app *App) syncComplete(c *gin.Context) {
 	log.Info("Sync complete")
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	deviceID := c.GetString(deviceIDKey)
 
 	var res messages.SyncCompleted
@@ -647,7 +653,7 @@ func (app *App) syncComplete(c *gin.Context) {
 
 func (app *App) syncCompleteV2(c *gin.Context) {
 	log.Info("Sync completeV2")
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	deviceID := c.GetString(deviceIDKey)
 
 	var req messages.SyncCompletedRequestV2
@@ -670,7 +676,7 @@ func formatExpires(t time.Time) string {
 }
 
 func (app *App) blobStorageDownload(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	var req messages.BlobStorageRequest
 	if err := c.ShouldBindJSON(&req); err != nil {
 		log.Error(err)
@@ -711,7 +717,7 @@ func (app *App) blobStorageUpload(c *gin.Context) {
 	if req.Initial {
 		log.Info("--- Initial Sync ---")
 	}
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	url, exp, err := app.blobStorer.GetBlobURL(uid, req.RelativePath, true)
 	if err != nil {
 		log.Error(err)
@@ -738,7 +744,7 @@ func (app *App) syncUpdateRootV3(c *gin.Context) {
 		return
 	}
 
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	newgeneration, err := app.blobStorer.StoreBlob(uid, RootHash, bytes.NewBufferString(rootv3.Hash), rootv3.Generation)
 	if err != nil {
 		log.Error(err)
@@ -784,7 +790,7 @@ func crcJSON(c *gin.Context, status int, msg any) {
 }
 
 func (app *App) syncGetRootV3(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	reader, generation, _, _, err := app.blobStorer.LoadBlob(uid, RootHash)
 	if err == fs.ErrorNotFound {
 		log.Warn("No root file found, assuming this is a new account")
@@ -812,7 +818,7 @@ func (app *App) syncGetRootV3(c *gin.Context) {
 }
 
 func (app *App) syncGetRootV4(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	reader, generation, _, _, err := app.blobStorer.LoadBlob(uid, RootHash)
 	if err == fs.ErrorNotFound {
 		log.Warn("No root file found, assuming this is a new account")
@@ -842,7 +848,7 @@ func (app *App) syncGetRootV4(c *gin.Context) {
 }
 
 func (app *App) checkFilesPresence(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	var req messages.CheckFiles
 	if err := c.ShouldBindJSON(&req); err != nil {
 		log.Error(err)
@@ -871,7 +877,7 @@ func (app *App) checkMissingBlob(c *gin.Context) {
 }
 
 func (app *App) blobStorageRead(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	blobID := common.ParamS(fileKey, c)
 
 	reader, _, size, crc32c, err := app.blobStorer.LoadBlob(uid, blobID)
@@ -892,7 +898,7 @@ func (app *App) blobStorageRead(c *gin.Context) {
 }
 
 func (app *App) blobStorageWrite(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	blobID := common.ParamS(fileKey, c)
 
 	fileName := c.GetHeader(RmFileHeader)
@@ -910,7 +916,7 @@ func (app *App) blobStorageWrite(c *gin.Context) {
 }
 
 func (app *App) integrationsGetMetadata(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	integrationID := common.ParamS(integrationKey, c)
 	fileID := common.ParamS(fileKey, c)
 
@@ -933,7 +939,7 @@ func (app *App) integrationsGetMetadata(c *gin.Context) {
 
 func (app *App) integrationsUpload(c *gin.Context) {
 	log.Info("uploading...")
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	integrationID := common.ParamS(integrationKey, c)
 	folderID := common.ParamS(folderKey, c)
 	name := common.QueryS("name", c)
@@ -959,7 +965,7 @@ func (app *App) integrationsUpload(c *gin.Context) {
 }
 
 func (app *App) integrationsGetFile(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	integrationID := common.ParamS(integrationKey, c)
 	fileID := common.ParamS(fileKey, c)
 
@@ -983,7 +989,7 @@ func (app *App) integrationsGetFile(c *gin.Context) {
 }
 
 func (app *App) integrationsList(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	integrationID := common.ParamS(integrationKey, c)
 	folder := common.ParamS(folderKey, c)
 	folderDepthStr := c.Query("folderDepth")
@@ -1010,7 +1016,7 @@ func (app *App) integrationsList(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }
 func (app *App) integrations(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 
 	response, err := integrations.List(app.userStorer, uid)
 
@@ -1022,7 +1028,7 @@ func (app *App) integrations(c *gin.Context) {
 	c.JSON(http.StatusOK, response)
 }
 func (app *App) uploadRequest(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	var req []messages.UploadRequest
 	if err := c.ShouldBindJSON(&req); err != nil {
 		log.Errorf("could not bind %v", err)
@@ -1073,7 +1079,7 @@ func (app *App) handleHwr(c *gin.Context) {
 	c.Data(http.StatusOK, hwr.JIIX, response)
 }
 func (app *App) connectWebSocket(c *gin.Context) {
-	uid := c.GetString(userIDKey)
+	uid := userID(c)
 	deviceID := c.GetString(deviceIDKey)
 
 	log.Info("connecting websocket from: ", uid)

internal/app/middleware.go

@@ -46,7 +46,7 @@ func (app *App) authMiddleware() gin.HandlerFunc {
 			c.Set(syncVersionKey, common.Sync10)
 		}
 
-		uid := strings.TrimPrefix(claims.Profile.UserID, "auth0|")
+		uid := common.Sanitize(strings.TrimPrefix(claims.Profile.UserID, "auth0|"))
 		c.Set(userIDKey, uid)
 		c.Set(deviceIDKey, claims.DeviceID)
 		log.Infof("%s UserId: %s deviceId: %s newSync: %t", authLog, uid, claims.DeviceID, isSync15)