fix(security): resolve multiple vulnerability.

Vulnerability identified and fix provided by Kolega.dev (https://kolega.dev)
2026-03-03 00:27:02 +00:00 · 2026-01-14 12:39:42 +08:00
parent f01ed64bdb
commit e8f965e980
5 changed files with 21 additions and 4 deletions
--- a/inventory/client.go
+++ b/inventory/client.go
@@ -67,7 +67,7 @@ func NewRawEntClient(l logging.Logger, config conf.ConfigProvider) (*ent.Client,
 	}
 	// If Database connection string provided, use it directly.
 	if dbConfig.DatabaseURL != "" {
-		l.Info("Connect to database with connection string %q.", dbConfig.DatabaseURL)
+		l.Info("Connect to database with connection string")
 		client, err = sql.Open(string(confDBType), dbConfig.DatabaseURL)
 	} else {

--- a/inventory/user.go
+++ b/inventory/user.go
@@ -600,7 +600,7 @@ func withUserEagerLoading(ctx context.Context, q *ent.UserQuery) *ent.UserQuery

 func digestPassword(password string) (string, error) {
 	//生成16位 Salt
-	salt := util.RandStringRunes(16)
+	salt := util.RandStringRunesCrypto(32)

 	//计算 Salt 和密码组合的SHA1摘要
 	hash := sha256.New()
--- a/pkg/auth/hmac.go
+++ b/pkg/auth/hmac.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"crypto/hmac"
 	"crypto/sha256"
+	"crypto/subtle"
 	"encoding/base64"
 	"io"
 	"strconv"
@@ -49,7 +50,7 @@ func (auth HMACAuth) Check(body string, sign string) error {
 	}

 	// 验证签名
-	if auth.Sign(body, expires) != sign {
+	if subtle.ConstantTimeCompare([]byte(auth.Sign(body, expires)), []byte(sign)) != 1 {
 		return serializer.NewError(serializer.CodeInvalidSign, "invalid sign", nil)
 	}
 	return nil
--- a/pkg/filemanager/manager/upload.go
+++ b/pkg/filemanager/manager/upload.go
@@ -154,7 +154,7 @@ func (m *manager) ConfirmUploadSession(ctx context.Context, session *fs.UploadSe
 	}

 	// Confirm locks on placeholder file
-	if session.LockToken == "" {
+	if session.LockToken != "" {
 		release, ls, err := m.fs.ConfirmLock(ctx, file, file.Uri(false), session.LockToken)
 		if err != nil {
 			return nil, fs.ErrLockExpired.WithError(err)
--- a/pkg/util/common.go
+++ b/pkg/util/common.go
@@ -2,7 +2,9 @@ package util

 import (
 	"context"
+	cryptoRand "crypto/rand"
 	"fmt"
+	"math/big"
 	"math/rand"
 	"path"
 	"path/filepath"
@@ -34,6 +36,20 @@ func RandStringRunes(n int) string {
 	return string(b)
 }

+func RandStringRunesCrypto(n int) string {
+	b := make([]rune, n)
+	for i := range b {
+		num, err := cryptoRand.Int(cryptoRand.Reader, big.NewInt(int64(len(RandomVariantAll))))
+		if err != nil {
+			// fallback to math/rand on crypto failure
+			b[i] = RandomVariantAll[rand.Intn(len(RandomVariantAll))]
+		} else {
+			b[i] = RandomVariantAll[num.Int64()]
+		}
+	}
+	return string(b)
+}
+
 // RandString returns random string in given length and variant
 func RandString(n int, variant []rune) string {
 	b := make([]rune, n)