1
1
mirror of https://github.com/go-gitea/gitea synced 2025-07-23 02:38:35 +00:00

Handle base64 decoding correctly to avoid panic (#26483)

Fix the panic if the "base64 secret" is too long.
This commit is contained in:
wxiaoguang
2023-08-14 18:30:16 +08:00
committed by GitHub
parent cafce3b4b5
commit ed1be4ca68
8 changed files with 43 additions and 30 deletions

View File

@@ -9,6 +9,7 @@ import (
"time"
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/util"
)
// LFS represents the configuration for Git LFS
@@ -56,17 +57,14 @@ func loadLFSFrom(rootCfg ConfigProvider) error {
LFS.HTTPAuthExpiry = sec.Key("LFS_HTTP_AUTH_EXPIRY").MustDuration(24 * time.Hour)
if !LFS.StartServer {
if !LFS.StartServer || !InstallLock {
return nil
}
LFS.JWTSecretBase64 = loadSecret(rootCfg.Section("server"), "LFS_JWT_SECRET_URI", "LFS_JWT_SECRET")
LFS.JWTSecretBytes = make([]byte, 32)
n, err := base64.RawURLEncoding.Decode(LFS.JWTSecretBytes, []byte(LFS.JWTSecretBase64))
if (err != nil || n != 32) && InstallLock {
LFS.JWTSecretBase64, err = generate.NewJwtSecretBase64()
LFS.JWTSecretBytes, err = util.Base64FixedDecode(base64.RawURLEncoding, []byte(LFS.JWTSecretBase64), 32)
if err != nil {
LFS.JWTSecretBytes, LFS.JWTSecretBase64, err = generate.NewJwtSecretBase64()
if err != nil {
return fmt.Errorf("error generating JWT Secret for custom config: %v", err)
}

View File

@@ -10,6 +10,7 @@ import (
"code.gitea.io/gitea/modules/generate"
"code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/util"
)
// OAuth2UsernameType is enum describing the way gitea 'name' should be generated from oauth2 data
@@ -129,21 +130,19 @@ func loadOAuth2From(rootCfg ConfigProvider) {
}
if InstallLock {
key := make([]byte, 32)
n, err := base64.RawURLEncoding.Decode(key, []byte(OAuth2.JWTSecretBase64))
if err != nil || n != 32 {
key, err = generate.NewJwtSecret()
if _, err := util.Base64FixedDecode(base64.RawURLEncoding, []byte(OAuth2.JWTSecretBase64), 32); err != nil {
key, err := generate.NewJwtSecret()
if err != nil {
log.Fatal("error generating JWT secret: %v", err)
}
secretBase64 := base64.RawURLEncoding.EncodeToString(key)
OAuth2.JWTSecretBase64 = base64.RawURLEncoding.EncodeToString(key)
saveCfg, err := rootCfg.PrepareSaving()
if err != nil {
log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
}
rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64)
saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64)
rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64)
saveCfg.Section("oauth2").Key("JWT_SECRET").SetValue(OAuth2.JWTSecretBase64)
if err := saveCfg.Save(); err != nil {
log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
}