From 0fb21e550bfd9c4a7461ad3dba5a7b7f4de8b7a1 Mon Sep 17 00:00:00 2001
From: fenny
Date: Wed, 22 Jul 2020 01:45:11 +0200
Subject: [PATCH 1/3] Create codeql-analysis.yml
---
 .github/workflows/codeql-analysis.yml | 54 +++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000..f92c6776
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,54 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [master, ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [master]
+ schedule:
+ - cron: '0 3 * * 6'
+
+jobs:
+ analyse:
+ name: Analyse
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # If this run was triggered by a pull request event, then checkout
+ # the head of the pull request instead of the merge commit.
+ - run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ # Override language selection by uncommenting this and choosing your languages
+ with:
+ languages: go
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
From 43dd0c3b5dbbab082acb698e139e2af61eff1ffb Mon Sep 17 00:00:00 2001
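Review bot: The four `uses:` references (`actions/checkout@v2`, `github/codeql-action/init@v1`, `github/codeql-action/autobuild@v1`, `github/codeql-action/analyze@v1`) are floating major tags, so the code this workflow executes can change without any change to this file; pinning each to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v2`, makes the workflow reproducible and auditable. The comment `# Override language selection by uncommenting this and choosing your languages` above `with: languages: go` is stale template text now that the block is active, and could be replaced by `# Languages to scan; extend this list if more are added to the repository`. The trailing comma in `branches: [master, ]` is valid YAML but reads as a leftover; `branches: [master]` would match the `pull_request` trigger below it.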
From: kiyon
Date: Wed, 22 Jul 2020 10:50:02 +0800
Subject: [PATCH 2/3] :goal_net: use panic instead of log.Fatal
---
 middleware/compress.go | 3 +--
 middleware/compress_test.go | 11 +++++++++++
 middleware/logger.go | 3 +--
 middleware/logger_test.go | 11 +++++++++++
 middleware/request_id.go | 3 +--
 middleware/request_id_test.go | 12 ++++++++++++
 6 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/middleware/compress.go b/middleware/compress.go
index 51d5bc05..37530a28 100644
--- a/middleware/compress.go
+++ b/middleware/compress.go
@@ -2,7 +2,6 @@ package middleware
 import (
 "fmt"
- "log"
 fiber "github.com/gofiber/fiber"
 fasthttp "github.com/valyala/fasthttp"
@@ -51,7 +50,7 @@ func Compress(options ...interface{}) fiber.Handler {
 case CompressConfig:
 config = opt
 default:
- log.Fatal("Compress: the following option types are allowed: int, func(*fiber.Ctx) bool, CompressConfig")
+ panic("Compress: the following option types are allowed: int, func(*fiber.Ctx) bool, CompressConfig")
 }
 }
 }
diff --git a/middleware/compress_test.go b/middleware/compress_test.go
index c9350743..36eeda80 100644
--- a/middleware/compress_test.go
+++ b/middleware/compress_test.go
@@ -133,6 +133,17 @@ func Test_Middleware_Compress_Skip(t *testing.T) {
 utils.AssertEqual(t, fiber.MIMETextPlainCharsetUTF8, resp.Header.Get(fiber.HeaderContentType))
 }
+// go test -run Test_Middleware_Compress_Panic
+func Test_Middleware_Compress_Panic(t *testing.T) {
+ defer func() {
+ utils.AssertEqual(t,
+ "Compress: the following option types are allowed: int, func(*fiber.Ctx) bool, CompressConfig",
+ fmt.Sprintf("%s", recover()))
+ }()
+
+ Compress("invalid")
+}
+
 // go test -v -run=^$ -bench=Benchmark_Middleware_Compress -benchmem -count=4
 func Benchmark_Middleware_Compress(b *testing.B) {
 app := fiber.New()
diff --git a/middleware/logger.go b/middleware/logger.go
index 1f533e27..9b24ea29 100644
--- a/middleware/logger.go
+++ b/middleware/logger.go
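Review bot: The new `panic("Compress: the following option types are allowed: int, func(*fiber.Ctx) bool, CompressConfig")` tells the caller what is allowed but not what was actually passed, which is the one fact needed to fix the misconfiguration; since `fmt` is already imported in this file, `panic(fmt.Sprintf("Compress: the following option types are allowed: int, func(*fiber.Ctx) bool, CompressConfig, got %T", opt))` would name the offending type. This assumes the type switch binds the option as `opt`, as the visible `config = opt` case suggests; the switch header and the rest of `Compress` lie outside the hunk. The same applies to the `panic(...)` lines in the logger.go and request_id.go hunks. The new panic tests assert the exact message string, so they would need updating alongside.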
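Review bot: In `Test_Middleware_Compress_Panic` the deferred check compares `fmt.Sprintf("%s", recover())` against the expected message, so if `Compress("invalid")` ever stops panicking the test still fails, but with the opaque value `%!s(<nil>)` instead of a message saying that no panic happened. Capturing `r := recover()` first and asserting `r != nil` with an explicit message before the string comparison would make the failure self-explanatory. The same shape is used in `Test_Middleware_Logger_Panic` and `Test_Middleware_RequestID_Panic` in the later hunks.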
@@ -4,7 +4,6 @@ import (
 "bytes"
 "fmt"
 "io"
- "log"
 "os"
 "strconv"
 "strings"
@@ -178,7 +177,7 @@ func Logger(options ...interface{}) fiber.Handler {
 case LoggerConfig:
 config = opt
 default:
- log.Fatal("Logger: the following option types are allowed: string, io.Writer, LoggerConfig")
+ panic("Logger: the following option types are allowed: string, io.Writer, LoggerConfig")
 }
 }
 }
diff --git a/middleware/logger_test.go b/middleware/logger_test.go
index 33864b12..a1d14602 100644
--- a/middleware/logger_test.go
+++ b/middleware/logger_test.go
@@ -135,6 +135,17 @@ func Test_Middleware_Logger_Options_And_WithConfig(t *testing.T) {
 }
 }
+// go test -run Test_Middleware_Logger_Panic
+func Test_Middleware_Logger_Panic(t *testing.T) {
+ defer func() {
+ utils.AssertEqual(t,
+ "Logger: the following option types are allowed: string, io.Writer, LoggerConfig",
+ fmt.Sprintf("%s", recover()))
+ }()
+
+ Logger(0)
+}
+
 func Test_isTimeZone(t *testing.T) {
 type args struct {
 name string
diff --git a/middleware/request_id.go b/middleware/request_id.go
index b00ff1af..69a0f301 100644
--- a/middleware/request_id.go
+++ b/middleware/request_id.go
@@ -2,7 +2,6 @@ package middleware
 import (
 "fmt"
- "log"
 fiber "github.com/gofiber/fiber"
 utils "github.com/gofiber/utils"
@@ -61,7 +60,7 @@ func RequestID(options ...interface{}) fiber.Handler {
 case RequestIDConfig:
 config = opt
 default:
- log.Fatal("RequestID: the following option types are allowed: `string`, `func() string`, `func(*fiber.Ctx) bool`, `RequestIDConfig`")
+ panic("RequestID: the following option types are allowed: string, func() string, func(*fiber.Ctx) bool, RequestIDConfig")
 }
 }
 }
diff --git a/middleware/request_id_test.go b/middleware/request_id_test.go
index a50b7897..1583a056 100644
--- a/middleware/request_id_test.go
+++ b/middleware/request_id_test.go
@@ -1,6 +1,7 @@
 package middleware
 import (
+ "fmt"
 "net/http"
 "net/http/httptest"
 "testing"
@@ -152,6 +153,17 @@ func Test_Middleware_RequestID_Skip(t *testing.T) {
 utils.AssertEqual(t, "", resp.Header.Get(RequestIDConfigDefault.Header), RequestIDConfigDefault.Header)
 }
+// go test -run Test_Middleware_RequestID_Panic
+func Test_Middleware_RequestID_Panic(t *testing.T) {
+ defer func() {
+ utils.AssertEqual(t,
+ "RequestID: the following option types are allowed: string, func() string, func(*fiber.Ctx) bool, RequestIDConfig",
+ fmt.Sprintf("%s", recover()))
+ }()
+
+ RequestID(0)
+}
+
 // go test -v -run=^$ -bench=Benchmark_Middleware_RequestID -benchmem -count=4
 func Benchmark_Middleware_RequestID(b *testing.B) {
From aacfb619747b5e0cb6165f8da6db426d802c4b6b Mon Sep 17 00:00:00 2001
From: Thomas van Vugt <56607882+thomasvvugt@users.noreply.github.com>
Date: Wed, 22 Jul 2020 15:49:09 +0200
Subject: [PATCH 3/3] :pencil: Update Security Policy
---
 SECURITY.md => .github/SECURITY.md | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
 rename SECURITY.md => .github/SECURITY.md (84%)
diff --git a/SECURITY.md b/.github/SECURITY.md
similarity index 84%
rename from SECURITY.md
rename to .github/SECURITY.md
index 2a6d6335..30d08a5c 100644
--- a/SECURITY.md
+++ b/.github/SECURITY.md
@@ -10,18 +10,18 @@ The table below shows the supported versions for Fiber which include security updates. -| Version | Supported | -| -------- | ------------------ | -| >= 1.9.x | :white_check_mark: | -| < 1.9.0 | :x: | +| Version | Supported | +| --------- | ------------------ | +| >= 1.12.6 | :white_check_mark: | +| < 1.12.6 | :x: | ## Reporting security problems to Fiber **DO NOT CREATE AN ISSUE** to report a security problem. Instead, please -join our discord server via [this invite link](https://discord.gg/bSnH7db) -and create a new ticket in our `#support` channel by typing -`!new Security problem`. +send us an e-mail at `team@gofiber.io` or join our discord server via +[this invite link](https://discord.gg/bSnH7db) and send a private message +to Fenny or any of the maintainers. ## Security Point of Contact @@ -32,7 +32,7 @@ latest. In case Fenny does not respond within a reasonable time, the secondary point of contact are any of the [@maintainers](https://github.com/orgs/gofiber/teams/maintainers). -The maintainers only other persons with administrative access to Fiber's source code. +The maintainers are the only other persons with administrative access to Fiber's source code. ## Incident Response Process