Fix code security issue: CWE-79, CWE-116, CWE-190 and CWE-681

cookies.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

currentTube.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

currentTubeJobs.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

currentTubeJobsActionsRow.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

currentTubeJobsShowcase.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

currentTubeJobsSummaryTable.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

currentTubeSearchResults.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

handlers.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //
@@ -12,6 +12,7 @@
 package main
 
 import (
+	"html"
 	"io"
 	"net/http"
 	"net/url"
@@ -53,15 +54,15 @@ func handlerServer(w http.ResponseWriter, r *http.Request) {
 	action := r.URL.Query().Get("action")
 	switch action {
 	case "reloader":
-		_, _ = io.WriteString(w, getServerTubes(server))
+		_, _ = io.WriteString(w, html.EscapeString(getServerTubes(server)))
 		return
 	case "clearTubes":
 		_ = r.ParseForm()
 		clearTubes(server, r.Form)
 		_, _ = io.WriteString(w, `{"result":true}`)
 		return
 	}
-	_, _ = io.WriteString(w, tplServer(getServerTubes(server), server))
+	_, _ = io.WriteString(w, html.EscapeString(tplServer(getServerTubes(server), server)))
 }
 
 // handlerTube handle request on router: /tube
@@ -79,7 +80,7 @@ func handlerTube(w http.ResponseWriter, r *http.Request) {
 		return
 	case "search":
 		content := searchTube(server, tube, r.URL.Query().Get("limit"), r.URL.Query().Get("searchStr"))
-		_, _ = io.WriteString(w, tplTube(content, server, tube))
+		_, _ = io.WriteString(w, html.EscapeString(tplTube(content, server, tube)))
 		return
 	case "addSample":
 		_ = r.ParseForm()
@@ -137,7 +138,7 @@ func handleRedirect(w http.ResponseWriter, r *http.Request, server string, tube
 		w.Header().Set("Location", link.String())
 		w.WriteHeader(307)
 	}
-	_, _ = io.WriteString(w, tplTube(currentTube(server, tube), server, tube))
+	_, _ = io.WriteString(w, html.EscapeString(tplTube(currentTube(server, tube), server, tube)))
 }
 
 // handlerSample handle request on router: /sample
@@ -148,13 +149,13 @@ func handlerSample(w http.ResponseWriter, r *http.Request) {
 	server := r.URL.Query().Get("server")
 	switch action {
 	case "manageSamples":
-		_, _ = io.WriteString(w, tplSampleJobsManage(getSampleJobList(), server))
+		_, _ = io.WriteString(w, html.EscapeString(tplSampleJobsManage(getSampleJobList(), server)))
 		return
 	case "newSample":
-		_, _ = io.WriteString(w, tplSampleJobsManage(tplSampleJobEdit("", ""), server))
+		_, _ = io.WriteString(w, html.EscapeString(tplSampleJobsManage(tplSampleJobEdit("", ""), server)))
 		return
 	case "editSample":
-		_, _ = io.WriteString(w, tplSampleJobsManage(tplSampleJobEdit(r.URL.Query().Get("key"), ""), server))
+		_, _ = io.WriteString(w, html.EscapeString(tplSampleJobsManage(tplSampleJobEdit(r.URL.Query().Get("key"), ""), server)))
 		return
 	case "actionNewSample":
 		_ = r.ParseForm()
@@ -191,5 +192,5 @@ func handlerStatistics(w http.ResponseWriter, r *http.Request) {
 		_, _ = io.WriteString(w, statisticWaitress(server, tube))
 		return
 	}
-	_, _ = io.WriteString(w, tplStatistic(server, tube))
+	_, _ = io.WriteString(w, html.EscapeString(tplStatistic(server, tube)))
 }

lib.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //
@@ -12,6 +12,7 @@
 package main
 
 import (
+	"math"
 	"net/url"
 	"strconv"
 	"strings"
@@ -22,11 +23,14 @@ import (
 
 // addJob puts a job into tube by given config.
 func addJob(server string, tube string, data string, priority string, delay string, TTR string) {
-	var err error
-	var tubePriority, tubeDelay, tubeTTR int
-	var bstkConn *beanstalk.Conn
-	tubePriority, err = strconv.Atoi(priority)
-	if err != nil {
+	var (
+		err                error
+		tubeDelay, tubeTTR int
+		tubePriority       uint64
+		bstkConn           *beanstalk.Conn
+	)
+	tubePriority, err = strconv.ParseUint(priority, 10, 32)
+	if err != nil || tubePriority > math.MaxUint32 {
 		tubePriority = DefaultPriority
 	}
 	tubeDelay, err = strconv.Atoi(delay)

main.go

@@ -1,6 +1,6 @@
 //go:generate statik -src=./public
 
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

modalAddJob.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

modalAddSample.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

modalClearTubes.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

sampleJobUtils.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //
@@ -261,7 +261,7 @@ func newSample(server string, f url.Values, w http.ResponseWriter, r *http.Reque
 	alert := `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> Required fields are not set</span></div>`
 	err = readConf()
 	if err != nil {
-		_, _ = io.WriteString(w, tplSampleJobsManage(tplSampleJobEdit("", `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> Read config error</span></div>`), server))
+		_, _ = io.WriteString(w, html.EscapeString(tplSampleJobsManage(tplSampleJobEdit("", `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> Read config error</span></div>`), server)))
 		return
 	}
 	for k, v := range f {
@@ -281,16 +281,16 @@ func newSample(server string, f url.Values, w http.ResponseWriter, r *http.Reque
 		}
 	}
 	if len(tubes) == 0 || name == "" || body == "" || ttr == "" {
-		_, _ = io.WriteString(w, tplSampleJobsManage(tplSampleJobEdit("", alert), server))
+		_, _ = io.WriteString(w, html.EscapeString(tplSampleJobsManage(tplSampleJobEdit("", alert), server)))
 		return
 	}
 	if checkSampleJobs(name) {
-		_, _ = io.WriteString(w, tplSampleJobsManage(tplSampleJobEdit("", `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> You already have a job with this name</span></div>`), server))
+		_, _ = io.WriteString(w, html.EscapeString(tplSampleJobsManage(tplSampleJobEdit("", `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> You already have a job with this name</span></div>`), server)))
 		return
 	}
 	sampleTTR, err = strconv.Atoi(ttr)
 	if err != nil {
-		_, _ = io.WriteString(w, tplSampleJobsManage(tplSampleJobEdit("", `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> You should give a correct TTR with this sample</span></div>`), server))
+		_, _ = io.WriteString(w, html.EscapeString(tplSampleJobsManage(tplSampleJobEdit("", `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> You should give a correct TTR with this sample</span></div>`), server)))
 		return
 	}
 	sampleJobs.Jobs = append(sampleJobs.Jobs, SampleJob{
@@ -302,7 +302,7 @@ func newSample(server string, f url.Values, w http.ResponseWriter, r *http.Reque
 	})
 	err = saveSample()
 	if err != nil {
-		_, _ = io.WriteString(w, tplSampleJobsManage(tplSampleJobEdit("", `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> Save sample job error</span></div>`), server))
+		_, _ = io.WriteString(w, html.EscapeString(tplSampleJobsManage(tplSampleJobEdit("", `<div class="alert alert-danger" id="sjsa"><button type="button" class="close" onclick="$('#sjsa').fadeOut('fast');">×</button><span> Save sample job error</span></div>`), server)))
 		return
 	}
 	w.Header().Set("Location", "./sample?action=manageSamples")

statisticsUtils.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

structs.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplFilter.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplMain.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplNav.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplSampleJobEdit.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplSampleJobsManage.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplSearchTube.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplServer.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplStatistic.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplStatisticEdit.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplStatisticSetting.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

tplTube.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //

utils.go

@@ -1,4 +1,4 @@
-// Copyright 2016 - 2020 The aurora Authors. All rights reserved. Use of this
+// Copyright 2016 - 2021 The aurora Authors. All rights reserved. Use of this
 // source code is governed by a MIT license that can be found in the LICENSE
 // file.
 //