SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 05:40:11 +01:00
Code Issues Releases Activity Actions

Make json parsing more strict
Some checks are pending
Go / build (push) Waiting to run
Details
Go / run_modver (push) Blocked by required conditions
Details

Browse source
This commit is contained in:
koplas 2025-07-02 17:06:25 +02:00
parent c833c00f84
commit fc3837d655
No known key found for this signature in database
13 changed files with 68 additions and 36 deletions
Download patch file Download diff file Expand all files Collapse all files

4
cmd/csaf_aggregator/interim.go
View file

@ -13,7 +13,6 @@ import (
"crypto/sha256"
"crypto/sha512"
"encoding/csv"
"encoding/json"
"errors"
"fmt"
"io"
@ -25,6 +24,7 @@ import (
"time"
"github.com/gocsaf/csaf/v3/csaf"
"github.com/gocsaf/csaf/v3/internal/misc"
"github.com/gocsaf/csaf/v3/util"
)
@ -81,7 +81,7 @@ func (w *worker) checkInterims(
if err := func() error {
defer res.Body.Close()
tee := io.TeeReader(res.Body, hasher)
return json.NewDecoder(tee).Decode(&doc)
return misc.StrictJSONParse(tee, &doc)
}(); err != nil {
return nil, err
}

5
cmd/csaf_aggregator/mirror.go
View file

@ -13,7 +13,6 @@ import (
"crypto/sha256"
"crypto/sha512"
"encoding/hex"
"encoding/json"
"fmt"
"io"
"log/slog"
@ -31,6 +30,7 @@ import (
"github.com/ProtonMail/gopenpgp/v2/crypto"
"github.com/gocsaf/csaf/v3/csaf"
"github.com/gocsaf/csaf/v3/internal/misc"
"github.com/gocsaf/csaf/v3/util"
)
@ -538,7 +538,7 @@ func (w *worker) mirrorFiles(tlpLabel csaf.TLPLabel, files []csaf.AdvisoryFile)
download := func(r io.Reader) error {
tee := io.TeeReader(r, hasher)
return json.NewDecoder(tee).Decode(&advisory)
return misc.StrictJSONParse(tee, &advisory)
}
if err := downloadJSON(w.client, file.URL(), download); err != nil {
@ -627,7 +627,6 @@ func (w *worker) mirrorFiles(tlpLabel csaf.TLPLabel, files []csaf.AdvisoryFile)
// If this fails it creates a signature itself with the configured key.
func (w *worker) downloadSignatureOrSign(url, fname string, data []byte) error {
sig, err := w.downloadSignature(url)
if err != nil {
if err != errNotFound {
w.log.Error("Could not find signature URL", "url", url, "err", err)

11
cmd/csaf_checker/processor.go
View file

@ -15,10 +15,8 @@ import (
"crypto/sha512"
"crypto/tls"
"encoding/csv"
"encoding/json"
"errors"
"fmt"
"github.com/gocsaf/csaf/v3/internal/misc"
"io"
"log"
"net/http"
@ -30,6 +28,8 @@ import (
"strings"
"time"
"github.com/gocsaf/csaf/v3/internal/misc"
"github.com/ProtonMail/gopenpgp/v2/crypto"
"golang.org/x/time/rate"
@ -518,7 +518,7 @@ func (p *processor) rolieFeedEntries(feed string) ([]csaf.AdvisoryFile, error) {
return nil, nil, fmt.Errorf("%s: %v", feed, err)
}
var rolieDoc any
err = json.NewDecoder(bytes.NewReader(all)).Decode(&rolieDoc)
err = misc.StrictJSONParse(bytes.NewReader(all), &rolieDoc)
return rfeed, rolieDoc, err
}()
if err != nil {
@ -702,7 +702,7 @@ func (p *processor) integrity(
if err := func() error {
defer res.Body.Close()
tee := io.TeeReader(res.Body, hasher)
return json.NewDecoder(tee).Decode(&doc)
return misc.StrictJSONParse(tee, &doc)
}(); err != nil {
lg(ErrorType, "Reading %s failed: %v", u, err)
continue
@ -1035,8 +1035,7 @@ func (p *processor) checkChanges(base string, mask whereType) error {
}
path := r[pathColumn]
times, files =
append(times, t),
times, files = append(times, t),
append(files, csaf.DirectoryAdvisoryFile{Path: path})
p.timesChanges[path] = t
}

3
cmd/csaf_downloader/downloader.go
View file

@ -35,6 +35,7 @@ import (
"golang.org/x/time/rate"
"github.com/gocsaf/csaf/v3/csaf"
"github.com/gocsaf/csaf/v3/internal/misc"
"github.com/gocsaf/csaf/v3/util"
)
@ -551,7 +552,7 @@ func (dc *downloadContext) downloadAdvisory(
tee := io.TeeReader(resp.Body, hasher)
if err := json.NewDecoder(tee).Decode(&doc); err != nil {
if err := misc.StrictJSONParse(tee, &doc); err != nil {
dc.stats.downloadFailed++
slog.Warn("Downloading failed",
"url", file.URL(),

7
cmd/csaf_uploader/processor.go
View file

@ -11,7 +11,6 @@ package main
import (
"bytes"
"crypto/tls"
"encoding/json"
"errors"
"fmt"
"io"
@ -91,7 +90,7 @@ func (p *processor) create() error {
Errors []string `json:"errors"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
if err := misc.StrictJSONParse(resp.Body, &result); err != nil {
return err
}
@ -115,7 +114,7 @@ func (p *processor) uploadRequest(filename string) (*http.Request, error) {
if !p.cfg.NoSchemaCheck {
var doc any
if err := json.NewDecoder(bytes.NewReader(data)).Decode(&doc); err != nil {
if err := misc.StrictJSONParse(bytes.NewReader(data), &doc); err != nil {
return nil, err
}
errs, err := csaf.ValidateCSAF(doc)
@ -239,7 +238,7 @@ func (p *processor) process(filename string) error {
Errors []string `json:"errors"`
}
if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
if err := misc.StrictJSONParse(resp.Body, &result); err != nil {
return err
}

4
cmd/csaf_validator/main.go
View file

@ -10,7 +10,6 @@
package main
import (
"encoding/json"
"fmt"
"log"
"os"
@ -19,6 +18,7 @@ import (
"github.com/jessevdk/go-flags"
"github.com/gocsaf/csaf/v3/csaf"
"github.com/gocsaf/csaf/v3/internal/misc"
"github.com/gocsaf/csaf/v3/util"
)
@ -301,7 +301,7 @@ func loadJSONFromFile(fname string) (any, error) {
}
defer f.Close()
var doc any
if err = json.NewDecoder(f).Decode(&doc); err != nil {
if err = misc.StrictJSONParse(f, &doc); err != nil {
return nil, err
}
return doc, err