Merge pull request #750 from containerish/fix/code-ql-recommendations

fix: CodeQL recommendations

dfs/mock/memMappedSystem.go

@@ -75,6 +75,10 @@ func (ms *memMappedMockStorage) UploadPart(
 	content io.ReadSeeker,
 	contentLength int64,
 ) (s3types.CompletedPart, error) {
+	if err := ms.validateLayerPrefix(layerKey); err != nil {
+		return s3types.CompletedPart{}, err
+	}
+
 	fd, err := ms.memFs.OpenFile(layerKey, os.O_RDWR|os.O_CREATE, os.ModePerm)
 	if err != nil {
 		return s3types.CompletedPart{}, err
@@ -108,6 +112,10 @@ func (ms *memMappedMockStorage) CompleteMultipartUpload(
 }
 
 func (ms *memMappedMockStorage) Upload(ctx context.Context, identifier, digest string, content []byte) (string, error) {
+	if err := ms.validateLayerPrefix(identifier); err != nil {
+		return "", err
+	}
+
 	fd, err := ms.memFs.Create(identifier)
 	if err != nil {
 		return "", err
@@ -178,7 +186,23 @@ func (ms *memMappedMockStorage) Metadata(layer *types.ContainerImageLayer) (*typ
 	}, nil
 }
 
+func (ms *memMappedMockStorage) validateLayerPrefix(identifier string) error {
+	if len(identifier) <= LayerKeyPrefixLen || identifier[0:LayerKeyPrefixLen] != LayerKeyPrefix {
+		return fmt.Errorf(
+			"invalid layer prefix. Found: %s, expected: %s",
+			identifier[0:LayerKeyPrefixLen],
+			LayerKeyPrefix,
+		)
+	}
+
+	return nil
+}
+
 func (ms *memMappedMockStorage) GetUploadProgress(identifier, uploadID string) (*types.ObjectMetadata, error) {
+	if err := ms.validateLayerPrefix(identifier); err != nil {
+		return nil, err
+	}
+
 	fd, err := ms.memFs.Open(identifier)
 	if err != nil {
 		return nil, err
@@ -209,6 +233,10 @@ func (ms *memMappedMockStorage) GeneratePresignedURL(ctx context.Context, key st
 }
 
 func (ms *memMappedMockStorage) AbortMultipartUpload(ctx context.Context, layerKey string, uploadId string) error {
+	if err := ms.validateLayerPrefix(layerKey); err != nil {
+		return err
+	}
+
 	if err := ms.memFs.Remove(layerKey); err != nil {
 		return err
 	}
@@ -228,6 +256,11 @@ func (ms *memMappedMockStorage) FileServer() {
 
 	e.Add(http.MethodGet, "/:uuid", func(ctx echo.Context) error {
 		fileID := ctx.Param("uuid")
+		if err := ms.validateLayerPrefix(fileID); err != nil {
+			return ctx.JSON(http.StatusBadRequest, echo.Map{
+				"error": err.Error(),
+			})
+		}
 		fd, err := ms.memFs.Open(fileID)
 		if err != nil {
 			return ctx.JSON(http.StatusBadRequest, echo.Map{

dfs/mock/mock.go

@@ -1,10 +1,11 @@
 package mock
 
 import (
+	"github.com/fatih/color"
+
 	"github.com/containerish/OpenRegistry/config"
 	"github.com/containerish/OpenRegistry/dfs"
 	"github.com/containerish/OpenRegistry/telemetry"
-	"github.com/fatih/color"
 )
 
 func NewMockStorage(
@@ -27,6 +28,7 @@ func NewMockStorage(
 }
 
 const (
-	MockFSPath     = ".mock-fs"
-	LayerKeyPrefix = "layers"
+	MockFSPath        = ".mock-fs"
+	LayerKeyPrefix    = "layers"
+	LayerKeyPrefixLen = len(LayerKeyPrefix) // to account for trailing slash
 )

dfs/mock/mockFileSystem.go

@@ -52,7 +52,7 @@ func newFileBasedMockStorage(
 	_ = os.MkdirAll(MockFSPath, os.ModePerm)
 	_ = os.MkdirAll(fmt.Sprintf("%s/%s", MockFSPath, LayerKeyPrefix), os.ModePerm)
 	mocker := &fileBasedMockStorage{
-		fs:              afero.NewBasePathFs(afero.NewOsFs(), ".mock-fs"),
+		fs:              afero.NewBasePathFs(afero.NewOsFs(), MockFSPath),
 		uploadSession:   make(map[string]string),
 		config:          cfg,
 		serviceEndpoint: net.JoinHostPort(parsedHost.Hostname(), "5002"),
@@ -69,15 +69,6 @@ func (ms *fileBasedMockStorage) CreateMultipartUpload(layerKey string) (string,
 	return sessionId, nil
 }
 
-func (ms *fileBasedMockStorage) validateLayerPath(layerKey string) error {
-	layerKeyParts := strings.Split(layerKey, "/")
-	if len(layerKeyParts) != 2 || layerKeyParts[0] != LayerKeyPrefix {
-		return fmt.Errorf("invalid layer key format")
-	}
-
-	return nil
-}
-
 func (ms *fileBasedMockStorage) UploadPart(
 	ctx context.Context,
 	uploadId string,
@@ -87,6 +78,10 @@ func (ms *fileBasedMockStorage) UploadPart(
 	content io.ReadSeeker,
 	contentLength int64,
 ) (s3types.CompletedPart, error) {
+	if err := ms.validateLayerPrefix(layerKey); err != nil {
+		return s3types.CompletedPart{}, err
+	}
+
 	fd, err := ms.fs.OpenFile(layerKey, os.O_RDWR|os.O_CREATE, os.ModePerm)
 	if err != nil {
 		return s3types.CompletedPart{}, err
@@ -120,8 +115,20 @@ func (ms *fileBasedMockStorage) CompleteMultipartUpload(
 	return layerKey, nil
 }
 
+func (ms *fileBasedMockStorage) validateLayerPrefix(identifier string) error {
+	if len(identifier) <= LayerKeyPrefixLen || identifier[0:LayerKeyPrefixLen] != LayerKeyPrefix {
+		return fmt.Errorf(
+			"invalid layer prefix. Found: %s, expected: %s",
+			identifier[0:LayerKeyPrefixLen],
+			LayerKeyPrefix,
+		)
+	}
+
+	return nil
+}
+
 func (ms *fileBasedMockStorage) Upload(ctx context.Context, identifier, digest string, content []byte) (string, error) {
-	if err := ms.validateLayerPath(identifier); err != nil {
+	if err := ms.validateLayerPrefix(identifier); err != nil {
 		return "", err
 	}
 
@@ -195,6 +202,10 @@ func (ms *fileBasedMockStorage) Metadata(layer *types.ContainerImageLayer) (*typ
 }
 
 func (ms *fileBasedMockStorage) GetUploadProgress(identifier, uploadID string) (*types.ObjectMetadata, error) {
+	if err := ms.validateLayerPrefix(identifier); err != nil {
+		return nil, err
+	}
+
 	fd, err := ms.fs.Open(identifier)
 	if err != nil {
 		return nil, err

go.mod

@@ -38,12 +38,12 @@ require (
 	github.com/sendgrid/sendgrid-go v3.16.0+incompatible
 	github.com/spf13/afero v1.11.0
 	github.com/spf13/viper v1.19.0
-	github.com/uptrace/bun v1.2.2
-	github.com/uptrace/bun/dialect/pgdialect v1.2.2
-	github.com/uptrace/bun/dialect/sqlitedialect v1.2.2
-	github.com/uptrace/bun/driver/pgdriver v1.2.2
-	github.com/uptrace/bun/driver/sqliteshim v1.2.2
-	github.com/uptrace/bun/extra/bundebug v1.2.2
+	github.com/uptrace/bun v1.2.3
+	github.com/uptrace/bun/dialect/pgdialect v1.2.3
+	github.com/uptrace/bun/dialect/sqlitedialect v1.2.3
+	github.com/uptrace/bun/driver/pgdriver v1.2.3
+	github.com/uptrace/bun/driver/sqliteshim v1.2.3
+	github.com/uptrace/bun/extra/bundebug v1.2.3
 	github.com/urfave/cli/v2 v2.27.4
 	go.opentelemetry.io/contrib/instrumentation/github.com/labstack/echo/otelecho v0.54.0
 	go.opentelemetry.io/contrib/processors/baggagecopy v0.1.0
@@ -245,7 +245,7 @@ require (
 	lukechampine.com/blake3 v1.3.0 // indirect
 	mellium.im/sasl v0.3.1 // indirect
 	modernc.org/gc/v3 v3.0.0-20240801135723-a856999a2e4a // indirect
-	modernc.org/libc v1.60.0 // indirect
+	modernc.org/libc v1.60.1 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
 	modernc.org/memory v1.8.0 // indirect
 	modernc.org/sqlite v1.32.0 // indirect

go.sum

@@ -766,18 +766,18 @@ github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc h1:9lRDQMhESg+zvGYm
 github.com/tmthrgd/go-hex v0.0.0-20190904060850-447a3041c3bc/go.mod h1:bciPuU6GHm1iF1pBvUfxfsH0Wmnc2VbpgvbI9ZWuIRs=
 github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb h1:Ywfo8sUltxogBpFuMOFRrrSifO788kAFxmvVw31PtQQ=
 github.com/ucarion/urlpath v0.0.0-20200424170820-7ccc79b76bbb/go.mod h1:ikPs9bRWicNw3S7XpJ8sK/smGwU9WcSVU3dy9qahYBM=
-github.com/uptrace/bun v1.2.2 h1:+PxDjUQotbncTDJ66ieIvoJ0ax/uzDeQrz+HQUVYzfo=
-github.com/uptrace/bun v1.2.2/go.mod h1:8frYFHrO/Zol3I4FEjoXam0HoNk+t5k7aJRl3FXp0mk=
-github.com/uptrace/bun/dialect/pgdialect v1.2.2 h1:+wjHevzczr2rUPFkMataSrfms5389QWKtjs0+DPrixs=
-github.com/uptrace/bun/dialect/pgdialect v1.2.2/go.mod h1:yAXC0eUVm6o81QiZcBjXxNdSqgUX1sCmwTU4GEBb48E=
-github.com/uptrace/bun/dialect/sqlitedialect v1.2.2 h1:LECPgenuszEgytndZ7Se7si1ROrj2hBYFl7VkkEUsDI=
-github.com/uptrace/bun/dialect/sqlitedialect v1.2.2/go.mod h1:zC1dqXkcU5agts1rmmI32VYdlZbKVAaRgKCrLC1DzY0=
-github.com/uptrace/bun/driver/pgdriver v1.2.2 h1:AwOhgNu6ctu3b3U5jnk1S2EcEfM5jNzswiRXsUtQnfQ=
-github.com/uptrace/bun/driver/pgdriver v1.2.2/go.mod h1:iq3/e8GQDzPqWh26OAAOgLW3Zm51RpxHY8uKlb84648=
-github.com/uptrace/bun/driver/sqliteshim v1.2.2 h1:G8y5eWx9X6wKi6mYmO0XO1IWo+Itrwztv0GD06G5vBY=
-github.com/uptrace/bun/driver/sqliteshim v1.2.2/go.mod h1:YKWhRh5GFRoCb8ahq8wRMWnXWNheVz+6d4XX4JiAc7E=
-github.com/uptrace/bun/extra/bundebug v1.2.2 h1:9MoNv6XVDpeRpbpjhJiDw2TqBCHTwptR7NXAx/itxCw=
-github.com/uptrace/bun/extra/bundebug v1.2.2/go.mod h1:TGpIztKGSPeEGYd8k4Q0UOIj41GBzqJnGS5g9IWVn4w=
+github.com/uptrace/bun v1.2.3 h1:6KDc6YiNlXde38j9ATKufb8o7MS8zllhAOeIyELKrk0=
+github.com/uptrace/bun v1.2.3/go.mod h1:8frYFHrO/Zol3I4FEjoXam0HoNk+t5k7aJRl3FXp0mk=
+github.com/uptrace/bun/dialect/pgdialect v1.2.3 h1:YyCxxqeL0lgFWRZzKCOt6mnxUsjqITcxSo0mLqgwMUA=
+github.com/uptrace/bun/dialect/pgdialect v1.2.3/go.mod h1:Vx9TscyEq1iN4tnirn6yYGwEflz0KG3rBZTBCLpKAjc=
+github.com/uptrace/bun/dialect/sqlitedialect v1.2.3 h1:gCxqT9pFpZxc6iRokdS6QrPF894ycBLxnh/3m7qQeQ0=
+github.com/uptrace/bun/dialect/sqlitedialect v1.2.3/go.mod h1:eNiDNdfChKUpPZUTDivb/YvWGvHVsVhCBwDCQ0PvtR8=
+github.com/uptrace/bun/driver/pgdriver v1.2.3 h1:VA5TKB0XW7EtreQq2R8Qu/vCAUX2ECaprxGKI9iDuDE=
+github.com/uptrace/bun/driver/pgdriver v1.2.3/go.mod h1:yDiYTZYd4FfXFtV01m4I/RkI33IGj9N254jLStaeJLs=
+github.com/uptrace/bun/driver/sqliteshim v1.2.3 h1:9xGBRmoUJYOUFfnylapoU2oGr3S7+KTGOgEPqQ/X5Lo=
+github.com/uptrace/bun/driver/sqliteshim v1.2.3/go.mod h1:hoS3aDbLz87d8Tq4FEGEjL7sWAPa5YZeTz/VL4nuWKs=
+github.com/uptrace/bun/extra/bundebug v1.2.3 h1:2QBykz9/u4SkN9dnraImDcbrMk2fUhuq2gL6hkh9qSc=
+github.com/uptrace/bun/extra/bundebug v1.2.3/go.mod h1:bihsYJxXxWZXwc1R3qALTHvp+npE0ElgaCvcjzyPPdw=
 github.com/urfave/cli v1.22.10/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
 github.com/urfave/cli/v2 v2.27.4 h1:o1owoI+02Eb+K107p27wEX9Bb8eqIoZCfLXloLUSWJ8=
 github.com/urfave/cli/v2 v2.27.4/go.mod h1:m4QzxcD2qpra4z7WhzEGn74WZLViBnMpb1ToCAKdGRQ=
@@ -1193,8 +1193,8 @@ modernc.org/gc/v2 v2.5.0 h1:bJ9ChznK1L1mUtAQtxi0wi5AtAs5jQuw4PrPHO5pb6M=
 modernc.org/gc/v2 v2.5.0/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
 modernc.org/gc/v3 v3.0.0-20240801135723-a856999a2e4a h1:CfbpOLEo2IwNzJdMvE8aiRbPMxoTpgAJeyePh0SmO8M=
 modernc.org/gc/v3 v3.0.0-20240801135723-a856999a2e4a/go.mod h1:Qz0X07sNOR1jWYCrJMEnbW/X55x206Q7Vt4mz6/wHp4=
-modernc.org/libc v1.60.0 h1:XeRF1gXky7JE5E8IErtYAdKj+ykZPdYUsgJNQ8RFWIA=
-modernc.org/libc v1.60.0/go.mod h1:xJuobKuNxKH3RUatS7GjR+suWj+5c2K7bi4m/S5arOY=
+modernc.org/libc v1.60.1 h1:at373l8IFRTkJIkAU85BIuUoBM4T1b51ds0E1ovPG2s=
+modernc.org/libc v1.60.1/go.mod h1:xJuobKuNxKH3RUatS7GjR+suWj+5c2K7bi4m/S5arOY=
 modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
 modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
 modernc.org/memory v1.8.0 h1:IqGTL6eFMaDZZhEWwcREgeMXYwmW83LYW8cROZYkg+E=

main.go

@@ -7,10 +7,11 @@ import (
 	"os"
 	"strings"
 
+	"github.com/urfave/cli/v2"
+
 	"github.com/containerish/OpenRegistry/cmd/extras"
 	"github.com/containerish/OpenRegistry/cmd/migrations"
 	"github.com/containerish/OpenRegistry/cmd/registry"
-	"github.com/urfave/cli/v2"
 )
 
 var (

registry/v2/registry.go

@@ -112,15 +112,15 @@ func (r *registry) Catalog(ctx echo.Context) error {
 	var pageSize int
 	var offset int
 	if queryParamPageSize != "" {
-		ps, err := strconv.ParseInt(ctx.QueryParam("n"), 10, 64)
+		ps, err := strconv.Atoi(ctx.QueryParam("n"))
 		if err != nil {
 			echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
 				"error": err.Error(),
 			})
 			r.logger.Log(ctx, err).Send()
 			return echoErr
 		}
-		pageSize = int(ps)
+		pageSize = ps
 	}
 
 	if queryParamOffset != "" {

telemetry/log.go

@@ -7,11 +7,12 @@ import (
 	"time"
 
 	"github.com/axiomhq/axiom-go/axiom"
-	"github.com/containerish/OpenRegistry/config"
-	"github.com/containerish/OpenRegistry/types"
 	"github.com/fatih/color"
 	"github.com/labstack/echo/v4"
 	"github.com/rs/zerolog"
+
+	"github.com/containerish/OpenRegistry/config"
+	"github.com/containerish/OpenRegistry/types"
 )
 
 type Logger interface {