Fix more deepsource issues

Author: Eggbertx

cmd/gochan-migration/internal/pre2021/pre2021_test.go

@@ -38,7 +38,7 @@ func setupMigrationTest(t *testing.T, outDir string, migrateInPlace bool) *Pre20
 		}
 		defer oldDbFile.Close()
 
-		newDbFile, err := os.OpenFile(migratedDBHost, os.O_CREATE|os.O_WRONLY, 0644)
+		newDbFile, err := os.OpenFile(migratedDBHost, os.O_CREATE|os.O_WRONLY, 0600)
 		if !assert.NoError(t, err) {
 			t.FailNow()
 		}

pkg/manage/actionsModPerm.go

@@ -219,7 +219,7 @@ func filterHitsCallback(writer http.ResponseWriter, request *http.Request, staff
 			errEv.Err(err).Caller().RawJSON("postData", []byte(hit.PostData)).Msg("Unable to marshal un-minified post data")
 			return nil, err
 		}
-		hitsJSON = append(hitsJSON, template.HTML(strings.ReplaceAll(jsonBuf.String(), "\n", "<br>")))
+		hitsJSON = append(hitsJSON, template.HTML(strings.ReplaceAll(jsonBuf.String(), "\n", "<br>"))) // skipcq: GSC-G203
 	}
 	var buf bytes.Buffer
 	if err = serverutil.MinifyTemplate(gctemplates.ManageFilterHits, map[string]any{

pkg/posting/formatting.go

@@ -18,7 +18,7 @@ var (
 	msgfmtr         MessageFormatter
 	urlRE           = regexp.MustCompile(`https?://(\S+)`)
 	unsetBBcodeTags = []string{"center", "color", "img", "quote", "size"}
-	diceRoller      = regexp.MustCompile(`(?i)\[(\d*)d(\d+)(?:([+-])(\d+))?\]`)
+	diceRoller      = regexp.MustCompile(`(?i)(\S*)\[(\d*)d(\d+)(?:([+-])(\d+))?\](\S*)`)
 )
 
 // InitPosting prepares the formatter and the temp post pruner
@@ -142,13 +142,13 @@ func ApplyDiceRoll(p *gcsql.Post) (rollSum int, err error) {
 			continue
 		}
 		numDice := 1
-		if roll[1] != "" {
-			numDice, err = strconv.Atoi(roll[1])
+		if roll[2] != "" {
+			numDice, err = strconv.Atoi(roll[2])
 			if err != nil {
 				return 0, err
 			}
 		}
-		dieSize, err := strconv.Atoi(roll[2])
+		dieSize, err := strconv.Atoi(roll[3])
 		if err != nil {
 			return 0, err
 		}
@@ -157,27 +157,27 @@ func ApplyDiceRoll(p *gcsql.Post) (rollSum int, err error) {
 		}
 		for i := 0; i < numDice; i++ {
 			rollSum += rand.Intn(dieSize) + 1 // skipcq: GSC-G404
-			switch roll[3] {
+			switch roll[4] {
 			case "+":
-				mod, err := strconv.Atoi(roll[4])
+				mod, err := strconv.Atoi(roll[5])
 				if err != nil {
 					return 0, err
 				}
 				rollSum += mod
 			case "-":
-				mod, err := strconv.Atoi(roll[4])
+				mod, err := strconv.Atoi(roll[5])
 				if err != nil {
 					return 0, err
 				}
 				rollSum -= mod
 			}
 		}
-		words[w] = fmt.Sprintf(`<span class="dice-roll">%dd%d`, numDice, dieSize)
-		if roll[3] != "" {
-			words[w] += roll[3] + roll[4]
+		words[w] = fmt.Sprintf(`%s<span class="dice-roll">%dd%d`, roll[1], numDice, dieSize)
+		if roll[4] != "" {
+			words[w] += roll[4] + roll[5]
 		}
-		words[w] += fmt.Sprintf(" = %d</span>", rollSum)
+		words[w] += fmt.Sprintf(" = %d</span>%s", rollSum, roll[6])
 	}
-	p.Message = template.HTML(strings.Join(words, " "))
+	p.Message = template.HTML(strings.Join(words, " ")) // skipcq: GSC-G203
 	return
 }

pkg/posting/formatting_test.go

@@ -74,6 +74,25 @@ var (
 			expectMin: 1,
 			expectMax: 8,
 		},
+		{
+			desc: "before[1d6]after, no space",
+			post: gcsql.Post{
+				MessageRaw: "before[1d6]after",
+			},
+			matcher:   regexp.MustCompile(`before<span class="dice-roll">1d6 = \d</span>after`),
+			expectMin: 1,
+			expectMax: 6,
+		},
+		{
+			desc: "before [1d6] after, no space (test for injection)",
+			post: gcsql.Post{
+				MessageRaw: `<script>alert("lol")</script>[1d6]<script>alert("lmao")</script>`,
+			},
+			expectError: false,
+			matcher:     regexp.MustCompile(`&lt;script&gt;alert\(&#34;lol&#34;\)&lt;/script&gt;<span class="dice-roll">1d6 = \d</span>&lt;script&gt;alert\(&#34;lmao&#34;\)&lt;/script&gt;`),
+			expectMin:   1,
+			expectMax:   6,
+		},
 	}
 )
 

pkg/server/serverutil/antispam_test.go

@@ -52,7 +52,7 @@ type checkRefererTestCase struct {
 func TestCheckReferer(t *testing.T) {
 	config.SetVersion("4.0.0")
 	systemCriticalConfig := config.GetSystemCriticalConfig()
-	req, err := http.NewRequest("GET", "http://gochan.org", nil)
+	req, err := http.NewRequest("GET", "https://gochan.org", nil)
 	if !assert.NoError(t, err) {
 		t.FailNow()
 	}

pkg/server/serverutil/util_test.go

@@ -36,7 +36,7 @@ type isRequestingJSONTestCase struct {
 }
 
 func TestIsRequestingJSON(t *testing.T) {
-	req, _ := http.NewRequest("GET", "http://localhost:8080", nil)
+	req, _ := http.NewRequest("GET", "https://localhost:8080", nil)
 	assert.False(t, IsRequestingJSON(req))
 	for _, tc := range isRequestingJSONTestCases {
 		t.Run("GET "+tc.val, func(t *testing.T) {
@@ -70,7 +70,7 @@ func (w *testResponseWriter) WriteHeader(s int) {
 }
 
 func TestDeleteCookie(t *testing.T) {
-	req, _ := http.NewRequest("GET", "http://localhost:8080", nil)
+	req, _ := http.NewRequest("GET", "https://localhost:8080", nil)
 	writer := testResponseWriter{
 		header: make(http.Header),
 	}

tools/get_js.py

@@ -25,7 +25,7 @@
 			case _:
 				out_dir = sys.argv[1]
 
-	with urlopen(DOWNLOAD_URL) as response:
+	with urlopen(DOWNLOAD_URL) as response: # skipcq: BAN-B310
 		data = response.read()
 		tar_bytes = gzip.decompress(data)
 		buf = io.BytesIO(tar_bytes)

tools/selenium_testing/tests/test_staff_permissions.py

@@ -27,7 +27,7 @@ def setUpClass(cls):
 		req = Request(urljoin(options.site, "manage/actions"))
 		# modern browsers add pretty printing to JSON so we need to pass the session cookie to a request to get the raw action list data
 		req.add_header("Cookie", f"sessiondata={cookie}")
-		with urlopen(req) as resp:
+		with urlopen(req) as resp: # skipcq: BAN-B310
 			global actions
 			actions = json.load(resp)