From d6e81ca65a2d03b2fec188965e794d0b84dd46a5 Mon Sep 17 00:00:00 2001
From: Alex Wu
Date: Wed, 22 May 2024 13:29:29 +0800
Subject: [PATCH] core/shutdown/tracker: fix security alert for size computation for allocation may overflow && codeql-analysis to v3

---
 .github/workflows/codeql-analysis.yml | 8 ++++----
 core/shutdown/tracker.go              | 7 +++++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 54e3d7b0..25b41170 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -30,7 +30,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v3
 
     # ℹī¸ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v3
diff --git a/core/shutdown/tracker.go b/core/shutdown/tracker.go
index 2054814f..d9df66c6 100644
--- a/core/shutdown/tracker.go
+++ b/core/shutdown/tracker.go
@@ -2,7 +2,6 @@ package shutdown
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path"
 )
@@ -24,6 +23,10 @@ func (t *Tracker) Check() error {
 	if len(bhbs) <= 0 {
 		return nil
 	}
+	max_file_size := 512
+	if len(bhbs) > max_file_size*1024 { // 512 kb
+		return fmt.Errorf("file size large than %d kb : %s", max_file_size, t.filePath)
+	}
 	err = fmt.Errorf("Illegal withdrawal at block:%s, you can cleanup your block data base by '--cleanup'.", string(bhbs))
 	log.Error(err.Error())
 	return err
@@ -72,7 +75,7 @@ func ReadFile(path string) ([]byte, error) {
 		}
 	}
 
-	ba, err := ioutil.ReadFile(path)
+	ba, err := os.ReadFile(path)
 	if err != nil {
 		return nil, err
 	}
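Review bot: The added guard in Check tests `len(bhbs)` after the file contents are already in memory, so it does not bound the allocation the commit title refers to; it only rejects the data once it has been read in full. If `bhbs` comes from the `ReadFile` helper changed in the next hunk (the call itself is outside this hunk), the cap belongs before the read — compare the `os.Stat` size against the limit, or read through `io.LimitReader` — so an oversized tracker file is never loaded. On the new lines themselves, `max_file_size` should be a MixedCaps constant rather than an underscore-named local, `const maxFileSize = 512 // KiB`, and the message has a grammar slip: `return fmt.Errorf("file size larger than %d kb: %q", maxFileSize, t.filePath)`. Check's body begins and ends outside the hunk.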