fixed issues from opencode agent
This commit is contained in:
@@ -11,6 +11,7 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
"xorm.io/xorm"
|
||||
|
||||
"github.com/forgeo/forgebucket/internal/domain/oci"
|
||||
@@ -513,7 +514,7 @@ func newOCIUploadID() string {
|
||||
}
|
||||
|
||||
func (h *OCIRegistryHandler) basicAuthOCI(r *http.Request) string {
|
||||
u, _, hasAuth := r.BasicAuth()
|
||||
u, pass, hasAuth := r.BasicAuth()
|
||||
if !hasAuth {
|
||||
return ""
|
||||
}
|
||||
@@ -521,5 +522,8 @@ func (h *OCIRegistryHandler) basicAuthOCI(r *http.Request) string {
|
||||
if found, _ := h.db.Where("username = ?", u).Get(&user); !found {
|
||||
return ""
|
||||
}
|
||||
if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(pass)); err != nil {
|
||||
return ""
|
||||
}
|
||||
return u
|
||||
}
|
||||
|
||||
@@ -211,8 +211,8 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, bus even
|
||||
})
|
||||
})
|
||||
r.Get("/artifacts/{artifactID}/download", artifactH.Download)
|
||||
r.Get("/artifacts/{artifactID}/signature", artifactH.GetSignature)
|
||||
r.Get("/artifacts/{artifactID}/verify", artifactH.VerifySignature)
|
||||
r.Get("/artifacts/{artifactID}/signature", artifactH.GetSignature)
|
||||
r.Get("/artifacts/{artifactID}/verify", artifactH.VerifySignature)
|
||||
r.Route("/members", func(r chi.Router) {
|
||||
r.Get("/", memberH.List)
|
||||
r.With(csrf).Post("/", memberH.Add)
|
||||
|
||||
@@ -27,7 +27,7 @@ type Registry struct {
|
||||
// New creates a Registry rooted at ociRoot, creating the directory tree if needed.
|
||||
func New(ociRoot string) (*Registry, error) {
|
||||
for _, sub := range []string{"blobs/sha256", "uploads"} {
|
||||
if err := os.MkdirAll(filepath.Join(ociRoot, sub), 0755); err != nil {
|
||||
if err := os.MkdirAll(filepath.Join(ociRoot, sub), 0700); err != nil {
|
||||
return nil, fmt.Errorf("oci: init storage %s: %w", sub, err)
|
||||
}
|
||||
}
|
||||
@@ -174,7 +174,7 @@ func (r *Registry) FinishUpload(uploadID, clientDigest string) (digest string, s
|
||||
// new total offset.
|
||||
func (r *Registry) AppendUpload(uploadID string, src io.Reader) (newOffset int64, err error) {
|
||||
path := r.UploadPath(uploadID)
|
||||
f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0644)
|
||||
f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600)
|
||||
if err != nil {
|
||||
return 0, fmt.Errorf("oci: open upload for append: %w", err)
|
||||
}
|
||||
@@ -291,9 +291,10 @@ func digestHex(digest string) (string, error) {
|
||||
return h, nil
|
||||
}
|
||||
|
||||
// sanitiseID strips any path separators from an upload ID.
|
||||
// sanitiseID returns only the last path component of an upload ID,
|
||||
// preventing any path traversal regardless of encoding.
|
||||
func sanitiseID(id string) string {
|
||||
return strings.NewReplacer("/", "", "\\", "", "..", "").Replace(id)
|
||||
return filepath.Base(id)
|
||||
}
|
||||
|
||||
// ParseOCIPath extracts the image name and the operation kind from a path
|
||||
|
||||
@@ -65,11 +65,17 @@ func (g *Generator) Start(ctx context.Context) {
|
||||
// generateForRun generates an SBOM for the pipeline run identified by runID.
|
||||
func (g *Generator) generateForRun(runID, repoID int64) {
|
||||
var run models.PipelineRun
|
||||
if found, _ := g.db.ID(runID).Get(&run); !found {
|
||||
if found, err := g.db.ID(runID).Get(&run); err != nil {
|
||||
log.Printf("sbom: look up run %d: %v", runID, err)
|
||||
return
|
||||
} else if !found {
|
||||
return
|
||||
}
|
||||
var repo models.Repository
|
||||
if found, _ := g.db.ID(repoID).Get(&repo); !found {
|
||||
if found, err := g.db.ID(repoID).Get(&repo); err != nil {
|
||||
log.Printf("sbom: look up repo %d: %v", repoID, err)
|
||||
return
|
||||
} else if !found {
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
@@ -69,7 +69,10 @@ func (s *Scanner) scanPush(evt events.PushEvent) {
|
||||
|
||||
// Resolve repo.
|
||||
var repo models.Repository
|
||||
if found, _ := s.db.ID(evt.RepoID).Get(&repo); !found {
|
||||
if found, err := s.db.ID(evt.RepoID).Get(&repo); err != nil {
|
||||
log.Printf("scanning: look up repo %d: %v", evt.RepoID, err)
|
||||
return
|
||||
} else if !found {
|
||||
return
|
||||
}
|
||||
|
||||
@@ -112,11 +115,11 @@ func (s *Scanner) scanPush(evt events.PushEvent) {
|
||||
|
||||
// getDiff returns the unified diff of all changes between two refs.
|
||||
func (s *Scanner) getDiff(repoPath, oldRef, newRef string) ([]byte, error) {
|
||||
// If oldRef is the zero OID (new branch), just get the initial commit content.
|
||||
// If oldRef is the zero OID (new branch), diff-tree against the empty tree so
|
||||
// we get actual file contents rather than ls-tree metadata.
|
||||
zeroOID := "0000000000000000000000000000000000000000"
|
||||
if oldRef == zeroOID {
|
||||
// Show the entire tree at the new ref.
|
||||
out, err := gitdomain.Run(repoPath, "ls-tree", "-r", newRef)
|
||||
out, err := gitdomain.Run(repoPath, "diff-tree", "--no-commit-id", "-r", "-p", newRef)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -115,7 +115,8 @@ func (s *Scanner) DismissFindings(findingID int64, dismissedBy string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *Scanner) persistFindings(repoID int64, purl, version string, vulns []OSVVuln) []models.VulnerabilityFinding {var findings []models.VulnerabilityFinding
|
||||
func (s *Scanner) persistFindings(repoID int64, purl, version string, vulns []OSVVuln) []models.VulnerabilityFinding {
|
||||
var findings []models.VulnerabilityFinding
|
||||
for _, v := range vulns {
|
||||
// Check for duplicate before inserting.
|
||||
existing := &models.VulnerabilityFinding{}
|
||||
|
||||
Reference in New Issue
Block a user