Fix CodeQL code scanning alerts#36858
Conversation
GiteaBot
added
the
lgtm/need 2
github-actions
bot
added
modifies/api
silverwind
added
the
type/refactoring
There was a problem hiding this comment.
Pull request overview
Addresses multiple CodeQL alerts across the codebase by hardening integer conversions and bounding allocations, improving safety around pagination/count handling, slice preallocation, and URL joining.
Changes:
- Introduces
util.Int64ToInt(clamped int64→int conversion) and applies it in pagination, template error rendering, and XORMBeforeSetenum/type mapping. - Bounds/adjusts slice preallocation to avoid allocation-size overflow and uncontrolled allocation size flags.
- Adds a guard in
util.URLJointo avoid a potential out-of-range slice on empty joined URLs.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| routers/web/repo/wiki.go | Uses safe int64→int conversion for wiki revision pagination. |
| routers/web/repo/commit.go | Uses safe int64→int conversion for commit graph and file history pagination. |
| routers/api/v1/repo/issue_dependency.go | Caps preallocated slice capacity for dependency list responses. |
| routers/api/v1/repo/commits.go | Uses safe int64→int conversion when setting pagination link headers. |
| modules/util/util.go | Adds Int64ToInt helper with clamping. |
| modules/util/url.go | Guards against empty joinedURL before slicing in URLJoin. |
| modules/util/sanitize.go | Removes potentially overflowing capacity calculation in SanitizeCredentialURLs. |
| modules/templates/htmlrenderer.go | Uses safe conversion for template error line/pos extraction. |
| modules/charset/escape_stream.go | Bounds indexes and avoids potentially problematic capacity calculations. |
| models/repo/repo_unit.go | Uses safe conversion when mapping DB type to unit.Type. |
| models/auth/source.go | Uses safe conversion when mapping DB type to auth Type. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
|
I do not think it's right to introduce a global Int64ToInt function. It should either correctly be handled by the callee function (e.g.: NewPagination), or use generic (Cell2Int64), or rewrite the "parsing" code (util.ToInt64) |
|
By the way, the "fix" for bad-redirect-check is not complete I have told you all the details in Prevent redirect bypasses via backslash-encoded paths #36660 
|
GiteaBot
added
lgtm/blocked
This will blow up the diff significantly, but I can try. |
It won't
It is simple task with less than 20 minutes without AI. |
It's not quite the same scenario as in #36660 and it's a false-positive, I've reverted the change. |
|
|
"Generic" |
Or fix the "callers" |
|
URLJoin should be completely fixed (avoided) like this Deprecated URLJoin #36861 |
Can't make |
Address CodeQL alerts by handling integer conversions at callee level using generics and bounding allocations: - Make paginator.New and NewPagination generic [T ~int | ~int64] to safely accept both int and int64, clamping internally - Change SetLinkHeader to accept int64 (methods can't be generic in Go) - Use strconv.Atoi(fmt.Sprint(...)) in htmlrenderer to avoid int64 intermediate - Clamp regex match indices in escape_stream to prevent allocation-size-overflow - Fix over-allocation in SanitizeCredentialURLs - Cap slice pre-allocation in GetIssueDependencies Co-Authored-By: Claude (Opus 4.6) <noreply@anthropic.com>
# Conflicts: # routers/web/repo/projects.go
|
I would suggest to spend more time on studying the legacy code. There are many bugs. We can't just only add patches to the bugs 
|
|
Don't use "Generic" for "count". I will fix. |
|
Ok go ahead. |
GiteaBot
added
lgtm/need 2
GiteaBot
added
lgtm/need 1
|
PR description updated, this will resolve 10 CodeQL issues. |
TheFox0x7
left a comment
TheFox0x7
left a comment
There was a problem hiding this comment.
lgtm overall safe for one thing.
| } | ||
|
|
||
| pager := context.NewPagination(total, setting.UI.IssuePagingNum, page, numPages) | ||
| pager := context.NewPagination(count, setting.UI.IssuePagingNum, page, 5) |
There was a problem hiding this comment.
Because it is the final answer, just like 42 .....
There was a problem hiding this comment.
The previous calculation was buggy and 5 is the value that every other caller passes to this function, essentially it's a useless argument because no caller changes it.
There was a problem hiding this comment.
And for what this number does:
It controls how many page number buttons appear in the pagination (e.g. ... 2 3 4 5 6 ...)
GiteaBot
added
lgtm/done
* origin/main: Optimize Docker build with dependency layer caching (go-gitea#36864) Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861) Fix CodeQL code scanning alerts (go-gitea#36858) Refactor auth middleware (go-gitea#36848) Update Nix flake (go-gitea#36857) Update JS deps (go-gitea#36850) Load `mentionValues` asynchronously (go-gitea#36739) [skip ci] Updated translations via Crowdin
|
This PR fixed 10 issues but brought up 6 new ones: 
CodeQL feels like whack-a-mole 😆. |
|
That's why I didn't continue after Address some CodeQL security concerns #35572 |
|
I think we need some |
* main: (26 commits) Clean up `refreshViewedFilesSummary` (go-gitea#36868) Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867) Optimize Docker build with dependency layer caching (go-gitea#36864) Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861) Fix CodeQL code scanning alerts (go-gitea#36858) Refactor auth middleware (go-gitea#36848) Update Nix flake (go-gitea#36857) Update JS deps (go-gitea#36850) Load `mentionValues` asynchronously (go-gitea#36739) [skip ci] Updated translations via Crowdin Fix dbfs error handling (go-gitea#36844) Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797) Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798) Fix non-admins unable to automerge PRs from forks (go-gitea#36833) upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (go-gitea#36837) Fix dump release asset bug (go-gitea#36799) build(deps): update material-icon-theme v5.32.0 (go-gitea#36832) Fix bug to check whether user can update pull request branch or rebase branch (go-gitea#36465) Fix forwarded proto handling for public URL detection (go-gitea#36810) Fix artifacts v4 backend upload problems (go-gitea#36805) ... # Conflicts: # pnpm-lock.yaml
* giteaofficial/main: Update minimum go version to 1.26.1, golangci-lint to 2.11.2, fix test style (go-gitea#36876) Add render cache for SVG icons (go-gitea#36863) Fix incorrect viewed files counter if reverted change was viewed (go-gitea#36819) [skip ci] Updated translations via Crowdin Clean up `refreshViewedFilesSummary` (go-gitea#36868) Remove `util.URLJoin` and replace all callers with direct path concatenation (go-gitea#36867) Optimize Docker build with dependency layer caching (go-gitea#36864) Fix URLJoin, markup render link reoslving, sign-in/up/linkaccount page common data (go-gitea#36861) Fix CodeQL code scanning alerts (go-gitea#36858) Refactor auth middleware (go-gitea#36848) Update Nix flake (go-gitea#36857) Update JS deps (go-gitea#36850) Load `mentionValues` asynchronously (go-gitea#36739) [skip ci] Updated translations via Crowdin Fix dbfs error handling (go-gitea#36844) Fix OAuth2 authorization code expiry and reuse handling (go-gitea#36797) Fix org permission API visibility checks for hidden members and private orgs (go-gitea#36798)
|
I've gone through all 50 open ones with Claude and most were false positives, they are all dismissed now with appropriate comments. The remaining 12 might be real: https://github.com/go-gitea/gitea/security/code-scanning |
|
Upon further analysis, all but #36884 were false positives, I dismissed them all. Once that one is merged CodeQL will be clean. |
Fixes 10 CodeQL code scanning alerts:
NewPagination/SetLinkHeaderto acceptint64for total count, clamping internally to fix incorrect-integer-conversion alerts (#110, #114, #115, #116)strconv.Atoi()inhtmlrenderer.goto avoid int64 intermediate (#105, #106)escape_stream.goto fix allocation-size-overflow (#161, #162, #163)GetIssueDependencies(#181)