From 1cf537662a2e2c5a6e5724b3f1d18cc7f48b9891 Mon Sep 17 00:00:00 2001 From: Jason Streifling Date: Mon, 3 Feb 2025 10:40:33 +0100 Subject: [PATCH 1/3] Check if data is long enough to be decrypted --- cmd/backend/users.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cmd/backend/users.go b/cmd/backend/users.go index 47d76e4..c01a1cf 100644 --- a/cmd/backend/users.go +++ b/cmd/backend/users.go @@ -117,6 +117,9 @@ func aesDecrypt(c *Config, ciphertext string) (string, error) { } nonceSize := gcm.NonceSize() + if len(data) < nonceSize { + return "", errors.New("ciphertext too short") + } nonce, cipherText := data[:nonceSize], data[nonceSize:] plaintext, err := gcm.Open(nil, nonce, cipherText, nil) From 9b4a8e1890a9a2ec460fbb874e486f66ba896edb Mon Sep 17 00:00:00 2001 From: Jason Streifling Date: Mon, 3 Feb 2025 10:40:54 +0100 Subject: [PATCH 2/3] Add error checking for every occurance of rows.Next() --- cmd/backend/articles.go | 11 +++++++++++ cmd/backend/articles_authors.go | 4 ++++ cmd/backend/articles_contributors.go | 4 ++++ cmd/backend/articles_tags.go | 4 ++++ cmd/backend/tags.go | 4 ++++ cmd/backend/users.go | 10 ++++++++-- 6 files changed, 35 insertions(+), 2 deletions(-) diff --git a/cmd/backend/articles.go b/cmd/backend/articles.go index deeb93c..aa23ce9 100644 --- a/cmd/backend/articles.go +++ b/cmd/backend/articles.go @@ -175,6 +175,10 @@ func (db *DB) GetCertainArticles(attribute string, value bool) ([]*Article, erro articleList = append(articleList, article) } + if err = rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating over rows: %v", err) + } + return articleList, nil } 
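Review bot: The new length guard is the right fix for the slice-bounds panic that `data[:nonceSize]` would raise on short input, but the local `cipherText` on the line after it differs from the `ciphertext` string parameter only by case, which makes the guard harder to read than it needs to be; renaming the local, e.g. `nonce, sealed := data[:nonceSize], data[nonceSize:]`, would separate the two. A one-line comment on the guard would record why `nonceSize` alone is enough: `// data must at least hold the nonce; a truncated tag is still rejected by gcm.Open's authentication check`. aesDecrypt's body starts outside the hunk, so the decoding of `data` and the GCM construction are not visible here.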
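Review bot: The new `rows.Err()` check formats the error with `%v`, which flattens it to text and stops callers from using `errors.Is`/`errors.As` on the underlying driver error; `%w` keeps the chain: `return nil, fmt.Errorf("iterating over rows: %w", err)`. The same `"error iterating over rows: %v"` line is added in GetArticleAuthors, GetArticleContributors, GetArticleTags, GetTagList, GetAllUsers and GetAllUsersMap, and the leading "error " is redundant once the message is chained, so one change across all seven hunks. GetCertainArticles starts outside the hunk, so I cannot see whether `rows.Close()` is deferred after `db.Query`; if it is not, the rows need to be closed on every return path, including this new one.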
@@ -243,6 +247,13 @@ func (db *DB) GetCurrentIssueArticles() ([]*Article, error) { articleList = append(articleList, article) } + if err = rows.Err(); err != nil { + if rollbackErr := tx.Rollback(); rollbackErr != nil { + log.Fatalf("transaction error: %v, rollback error: %v", err, rollbackErr) + } + return nil, fmt.Errorf("error iterating over rows: %v", err) + } + if err = tx.Commit(); err != nil { return nil, fmt.Errorf("error committing transaction when getting articles of issue %v: %v", issueID, err) } diff --git a/cmd/backend/articles_authors.go b/cmd/backend/articles_authors.go index 0f4ef9e..d2a76b0 100644 --- a/cmd/backend/articles_authors.go +++ b/cmd/backend/articles_authors.go @@ -68,6 +68,10 @@ func (db *DB) GetArticleAuthors(c *Config, articleID int64) ([]*User, error) { authors = append(authors, author) } + if err = rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating over rows: %v", err) + } + return authors, nil } diff --git a/cmd/backend/articles_contributors.go b/cmd/backend/articles_contributors.go index 696c606..e2a6e9a 100644 --- a/cmd/backend/articles_contributors.go +++ b/cmd/backend/articles_contributors.go @@ -68,6 +68,10 @@ func (db *DB) GetArticleContributors(c *Config, articleID int64) ([]*User, error contributors = append(contributors, contributor) } + if err = rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating over rows: %v", err) + } + return contributors, nil } diff --git a/cmd/backend/articles_tags.go b/cmd/backend/articles_tags.go index 0cc9652..d1ba29e 100644 --- a/cmd/backend/articles_tags.go +++ b/cmd/backend/articles_tags.go @@ -61,6 +61,10 @@ func (db *DB) GetArticleTags(articleID int64) ([]*Tag, error) { tags = append(tags, tag) } + if err = rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating over rows: %v", err) + } + return tags, nil } diff --git a/cmd/backend/tags.go b/cmd/backend/tags.go index 8a56d45..2b143ef 100644 --- a/cmd/backend/tags.go +++ b/cmd/backend/tags.go 
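Review bot: `log.Fatalf` inside the new `rows.Err()` branch terminates the whole process when the rollback fails, and the rollback is most likely to fail exactly when iteration failed because the connection dropped, so a single bad query can take the server down. Returning both errors keeps this a per-request failure: `return nil, fmt.Errorf("iterating over rows: %w (rollback failed: %v)", err, rollbackErr)`. If the other early returns in GetCurrentIssueArticles use the same `log.Fatalf` rollback pattern (they are outside the hunk, so I cannot see), they deserve the same treatment, and a `defer tx.Rollback()` right after the transaction is opened would cover every path, becoming a no-op once `tx.Commit()` has succeeded.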
@@ -31,5 +31,9 @@ func (db *DB) GetTagList() ([]*Tag, error) { tagList = append(tagList, tag) } + if err = rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating over rows: %v", err) + } + return tagList, nil } diff --git a/cmd/backend/users.go b/cmd/backend/users.go index c01a1cf..15ce79c 100644 --- a/cmd/backend/users.go +++ b/cmd/backend/users.go @@ -453,8 +453,6 @@ func (db *DB) AddFirstUser(c *Config, u *User, pass string) (int64, error) { func (db *DB) GetAllUsers(c *Config) ([]*User, error) { var aesFirstName, aesLastName, aesEmail string - var err error - query := "SELECT id, username, first_name, last_name, email, profile_pic_link, role FROM users" rows, err := db.Query(query) @@ -487,6 +485,10 @@ func (db *DB) GetAllUsers(c *Config) ([]*User, error) { users = append(users, user) } + if err = rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating over rows: %v", err) + } + return users, nil } @@ -526,6 +528,10 @@ func (db *DB) GetAllUsersMap(c *Config) (map[int64]*User, error) { users[user.ID] = user } + if err = rows.Err(); err != nil { + return nil, fmt.Errorf("error iterating over rows: %v", err) + } + return users, nil } From 951949f98ddf0bee88faedf90109799e60e15c14 Mon Sep 17 00:00:00 2001 From: Jason Streifling Date: Mon, 3 Feb 2025 10:44:06 +0100 Subject: [PATCH 3/3] Give an article's clone its own uuid. This fixes a bug resulting in an infinite loop of writing stuff to a file. --- cmd/frontend/articles.go | 1 + 1 file changed, 1 insertion(+) diff --git a/cmd/frontend/articles.go b/cmd/frontend/articles.go index 26088db..098b286 100644 --- a/cmd/frontend/articles.go +++ b/cmd/frontend/articles.go @@ -901,6 +901,7 @@ func AllowEditArticle(c *b.Config, db *b.DB, s map[string]*Session) http.Handler } newArticle := *oldArticle + newArticle.UUID = uuid.New() newArticle.Published = false newArticle.Rejected = true newArticle.EditedID = oldArticle.ID
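Review bot: `newArticle := *oldArticle` is a shallow copy, so if Article has any slice, map or pointer fields (the type is outside this hunk, so I cannot tell), the clone still shares them with oldArticle and a change through one is visible through the other; the fresh UUID removes the identity collision the commit message describes but not that sharing, which is worth confirming against the struct. The reason for the new line lives only in the commit message; a comment keeps it with the code: `// The clone needs its own identity: reusing oldArticle's UUID caused an endless write loop.` Whether `newArticle.ID` also needs resetting (the hunk only sets `EditedID`) depends on how IDs are assigned on insert, which is not visible here; AllowEditArticle starts outside the hunk.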