From fcdb6df0f45ed220bebce79e66ab78eb4298f088 Mon Sep 17 00:00:00 2001 From: Daniel Hawton Date: Sat, 7 Sep 2024 16:00:44 -0600 Subject: [PATCH] redowngrade cookie 
Signed-off-by: Daniel Hawton --- go.mod | 6 +- .../gin-contrib/sessions/.goreleaser.yaml | 57 ++++++++++---- .../github.com/gin-contrib/sessions/README.md | 14 ++-- .../sessions/session_options_go1.10.go | 1 - .../sessions/session_options_go1.11.go | 4 +- .../gorilla/securecookie/.editorconfig | 20 ----- .../gorilla/securecookie/.gitignore | 1 - .../gorilla/securecookie/.travis.yml | 19 +++++ .../github.com/gorilla/securecookie/LICENSE | 2 +- .../github.com/gorilla/securecookie/Makefile | 39 ---------- .../github.com/gorilla/securecookie/README.md | 76 ++----------------- .../github.com/gorilla/securecookie/fuzz.go | 25 ++++++ .../gorilla/securecookie/securecookie.go | 45 +++++------ .../github.com/gorilla/sessions/.editorconfig | 20 ----- vendor/github.com/gorilla/sessions/.gitignore | 1 - vendor/github.com/gorilla/sessions/AUTHORS | 43 +++++++++++ vendor/github.com/gorilla/sessions/LICENSE | 2 +- vendor/github.com/gorilla/sessions/Makefile | 34 --------- vendor/github.com/gorilla/sessions/README.md | 18 ++--- vendor/github.com/gorilla/sessions/cookie.go | 20 ++--- .../gorilla/sessions/cookie_go111.go | 20 +++++ vendor/github.com/gorilla/sessions/options.go | 14 +--- .../gorilla/sessions/options_go111.go | 22 ++++++ vendor/github.com/gorilla/sessions/store.go | 32 ++++---- vendor/modules.txt | 12 +-- 25 files changed, 249 insertions(+), 298 deletions(-) delete mode 100644 vendor/github.com/gorilla/securecookie/.editorconfig delete mode 100644 vendor/github.com/gorilla/securecookie/.gitignore create mode 100644 vendor/github.com/gorilla/securecookie/.travis.yml delete mode 100644 vendor/github.com/gorilla/securecookie/Makefile create mode 100644 vendor/github.com/gorilla/securecookie/fuzz.go delete mode 100644 vendor/github.com/gorilla/sessions/.editorconfig delete mode 100644 vendor/github.com/gorilla/sessions/.gitignore create mode 100644 vendor/github.com/gorilla/sessions/AUTHORS delete mode 100644 vendor/github.com/gorilla/sessions/Makefile create mode 100644 
vendor/github.com/gorilla/sessions/cookie_go111.go create mode 100644 vendor/github.com/gorilla/sessions/options_go111.go
diff --git a/go.mod b/go.mod
index e76d619d..dc4d66ca 100644
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 github.com/aws/aws-sdk-go v1.55.5
 github.com/gabriel-vasile/mimetype v1.4.5
 github.com/gin-contrib/cors v1.7.2
- github.com/gin-contrib/sessions v1.0.1
+ github.com/gin-contrib/sessions v0.0.5
 github.com/gin-gonic/gin v1.10.0
 github.com/go-co-op/gocron v1.37.0
 github.com/go-playground/assert/v2 v2.2.0
@@ -78,8 +78,8 @@ require (
 github.com/golang/protobuf v1.5.4 // indirect
 github.com/google/uuid v1.6.0
 github.com/gorilla/context v1.1.2 // indirect
- github.com/gorilla/securecookie v1.1.2 // indirect
- github.com/gorilla/sessions v1.4.0 // indirect
+ github.com/gorilla/securecookie v1.1.1 // indirect
+ github.com/gorilla/sessions v1.2.1 // indirect
 github.com/huandu/xstrings v1.5.0 // indirect
 github.com/jinzhu/inflection v1.0.0 // indirect
 github.com/jinzhu/now v1.1.5 // indirect
diff --git a/vendor/github.com/gin-contrib/sessions/.goreleaser.yaml b/vendor/github.com/gin-contrib/sessions/.goreleaser.yaml
index dc3a01fb..aa5453cf 100644
--- a/vendor/github.com/gin-contrib/sessions/.goreleaser.yaml
+++ b/vendor/github.com/gin-contrib/sessions/.goreleaser.yaml
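Review bot: The gorilla/sessions v1.2.1 pinned here no longer marks the default CookieStore cookie as Secure — the vendored store.go hunk `@@ -54,10 +51,8 @@` drops `SameSite: http.SameSiteNoneMode,` and `Secure: true,` from NewCookieStore's default Options — and nothing in this commit sets those attributes in the application's own session setup, which lies outside this diff. Two further regressions ride along with the pin: securecookie v1.1.1's `New` now tests `if hashKey == nil` instead of `if len(hashKey) == 0` (securecookie.go hunk `@@ -141,7 +141,7 @@`), so an empty non-nil key slice is accepted rather than rejected with errHashKeyNotSet, and the FilesystemStore save/load/erase paths build the file name from `"session_"+session.ID` without the `filepath.Base` wrapper (store.go hunks `@@ -264,18 +258,18 @@` and `@@ -288,7 +282,7 @@`). If the downgrade is required by the toolchain, the code that constructs the store should set `Options.Secure`, `Options.HttpOnly` and `Options.SameSite` explicitly and reject an empty hash key before calling New. A comment next to the pinned lines recording why the versions went backwards (presumably the go 1.23 requirement that the removed README note mentions) would keep the next `go get -u` from silently undoing this.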
@@ -1,26 +1,57 @@ +project_name: queue + builds: - - skip: true + - + # If true, skip the build. + # Useful for library projects. + # Default is false + skip: true changelog: - use: github + # Set it to true if you wish to skip the changelog generation. + # This may result in an empty release notes on GitHub/GitLab/Gitea. + skip: false + + # Changelog generation implementation to use. + # + # Valid options are: + # - `git`: uses `git log`; + # - `github`: uses the compare GitHub API, appending the author login to the changelog. + # - `gitlab`: uses the compare GitLab API, appending the author name and email to the changelog. + # - `github-native`: uses the GitHub release notes generation API, disables the groups feature. + # + # Defaults to `git`. + use: git + + # Sorts the changelog by the commit's messages. + # Could either be asc, desc or empty + # Default is empty + sort: asc + + # Group commits messages by given regex and title. + # Order value defines the order of the groups. + # Proving no regex means all commits will be grouped under the default group. + # Groups are disabled when using github-native, as it already groups things by itself. + # + # Default is no groups. groups: - title: Features regexp: "^.*feat[(\\w)]*:+.*$" order: 0 - - title: "Bug fixes" + - title: 'Bug fixes' regexp: "^.*fix[(\\w)]*:+.*$" order: 1 - - title: "Enhancements" + - title: 'Enhancements' regexp: "^.*chore[(\\w)]*:+.*$" order: 2 - - title: "Refactor" - regexp: "^.*refactor[(\\w)]*:+.*$" - order: 3 - - title: "Build process updates" - regexp: ^.*?(build|ci)(\(.+\))??!?:.+$ - order: 4 - - title: "Documentation updates" - regexp: ^.*?docs?(\(.+\))??!?:.+$ - order: 4 - title: Others order: 999 + + filters: + # Commit messages matching the regexp listed here will be removed from + # the changelog + # Default is empty + exclude: + - '^docs' + - 'CICD' + - typo 
diff --git a/vendor/github.com/gin-contrib/sessions/README.md b/vendor/github.com/gin-contrib/sessions/README.md index 86f4d0f9..9984794e 100644 --- a/vendor/github.com/gin-contrib/sessions/README.md +++ b/vendor/github.com/gin-contrib/sessions/README.md @@ -1,10 +1,11 @@ # sessions -[![Run CI Lint](https://github.com/gin-contrib/sessions/actions/workflows/lint.yml/badge.svg?branch=master)](https://github.com/gin-contrib/sessions/actions/workflows/lint.yml) -[![Run Testing](https://github.com/gin-contrib/sessions/actions/workflows/testing.yml/badge.svg?branch=master)](https://github.com/gin-contrib/sessions/actions/workflows/testing.yml) +[![Run CI Lint](https://github.com/gin-contrib/sessions/actions/workflows/lint.yml/badge.svg)](https://github.com/gin-contrib/sessions/actions/workflows/lint.yml) +[![Run Testing](https://github.com/gin-contrib/sessions/actions/workflows/testing.yml/badge.svg)](https://github.com/gin-contrib/sessions/actions/workflows/testing.yml) [![codecov](https://codecov.io/gh/gin-contrib/sessions/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-contrib/sessions) [![Go Report Card](https://goreportcard.com/badge/github.com/gin-contrib/sessions)](https://goreportcard.com/report/github.com/gin-contrib/sessions) [![GoDoc](https://godoc.org/github.com/gin-contrib/sessions?status.svg)](https://godoc.org/github.com/gin-contrib/sessions) +[![Join the chat at https://gitter.im/gin-gonic/gin](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/gin-gonic/gin) Gin middleware for session management with multi-backend support: @@ -12,7 +13,7 @@ Gin middleware for session management with multi-backend support: - [Redis](#redis) - [memcached](#memcached) - [MongoDB](#mongodb) -- [GORM](#gorm) +- [GoRM](#gorm) - [memstore](#memstore) - [PostgreSQL](#postgresql) @@ -250,7 +251,6 @@ func main() { ### MongoDB #### mgo - ```go package main @@ -291,8 +291,7 @@ func main() { ``` #### mongo-driver - -```go +``` package main import ( 
@@ -372,8 +371,9 @@ func main() { } ``` -### GORM +### GoRM +[embedmd]:# (_example/gorm/main.go go) ```go package main diff --git a/vendor/github.com/gin-contrib/sessions/session_options_go1.10.go b/vendor/github.com/gin-contrib/sessions/session_options_go1.10.go index 68c88081..623473e8 100644 --- a/vendor/github.com/gin-contrib/sessions/session_options_go1.10.go +++ b/vendor/github.com/gin-contrib/sessions/session_options_go1.10.go @@ -1,4 +1,3 @@ -//go:build !go1.11 // +build !go1.11 package sessions diff --git a/vendor/github.com/gin-contrib/sessions/session_options_go1.11.go b/vendor/github.com/gin-contrib/sessions/session_options_go1.11.go index 65da3387..02b2e5e7 100644 --- a/vendor/github.com/gin-contrib/sessions/session_options_go1.11.go +++ b/vendor/github.com/gin-contrib/sessions/session_options_go1.11.go @@ -1,12 +1,10 @@ -//go:build go1.11 // +build go1.11 package sessions import ( - "net/http" - gsessions "github.com/gorilla/sessions" + "net/http" ) // Options stores configuration for a session or session store. diff --git a/vendor/github.com/gorilla/securecookie/.editorconfig b/vendor/github.com/gorilla/securecookie/.editorconfig deleted file mode 100644 index 2940ec92..00000000 --- a/vendor/github.com/gorilla/securecookie/.editorconfig +++ /dev/null @@ -1,20 +0,0 @@ -; https://editorconfig.org/ - -root = true - -[*] -insert_final_newline = true -charset = utf-8 -trim_trailing_whitespace = true -indent_style = space -indent_size = 2 - -[{Makefile,go.mod,go.sum,*.go,.gitmodules}] -indent_style = tab -indent_size = 4 - -[*.md] -indent_size = 4 -trim_trailing_whitespace = false - -eclint_indent_style = unset diff --git a/vendor/github.com/gorilla/securecookie/.gitignore b/vendor/github.com/gorilla/securecookie/.gitignore deleted file mode 100644 index 84039fec..00000000 --- a/vendor/github.com/gorilla/securecookie/.gitignore +++ /dev/null @@ -1 +0,0 @@ -coverage.coverprofile 
diff --git a/vendor/github.com/gorilla/securecookie/.travis.yml b/vendor/github.com/gorilla/securecookie/.travis.yml new file mode 100644 index 00000000..6f440f1e --- /dev/null +++ b/vendor/github.com/gorilla/securecookie/.travis.yml @@ -0,0 +1,19 @@ +language: go +sudo: false + +matrix: + include: + - go: 1.3 + - go: 1.4 + - go: 1.5 + - go: 1.6 + - go: 1.7 + - go: tip + allow_failures: + - go: tip + +script: + - go get -t -v ./... + - diff -u <(echo -n) <(gofmt -d .) + - go vet $(go list ./... | grep -v /vendor/) + - go test -v -race ./... diff --git a/vendor/github.com/gorilla/securecookie/LICENSE b/vendor/github.com/gorilla/securecookie/LICENSE index bb9d80bc..0e5fb872 100644 --- a/vendor/github.com/gorilla/securecookie/LICENSE +++ b/vendor/github.com/gorilla/securecookie/LICENSE @@ -1,4 +1,4 @@ -Copyright (c) 2023 The Gorilla Authors. All rights reserved. +Copyright (c) 2012 Rodrigo Moraes. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are diff --git a/vendor/github.com/gorilla/securecookie/Makefile b/vendor/github.com/gorilla/securecookie/Makefile deleted file mode 100644 index 2b9008a2..00000000 --- a/vendor/github.com/gorilla/securecookie/Makefile +++ /dev/null 
@@ -1,39 +0,0 @@ -GO_LINT=$(shell which golangci-lint 2> /dev/null || echo '') -GO_LINT_URI=github.com/golangci/golangci-lint/cmd/golangci-lint@latest - -GO_SEC=$(shell which gosec 2> /dev/null || echo '') -GO_SEC_URI=github.com/securego/gosec/v2/cmd/gosec@latest - -GO_VULNCHECK=$(shell which govulncheck 2> /dev/null || echo '') -GO_VULNCHECK_URI=golang.org/x/vuln/cmd/govulncheck@latest - -.PHONY: golangci-lint -golangci-lint: - $(if $(GO_LINT), ,go install $(GO_LINT_URI)) - @echo "##### Running golangci-lint" - golangci-lint run -v - -.PHONY: gosec -gosec: - $(if $(GO_SEC), ,go install $(GO_SEC_URI)) - @echo "##### Running gosec" - gosec ./... - -.PHONY: govulncheck -govulncheck: - $(if $(GO_VULNCHECK), ,go install $(GO_VULNCHECK_URI)) - @echo "##### Running govulncheck" - govulncheck ./... - -.PHONY: verify -verify: golangci-lint gosec govulncheck - -.PHONY: test -test: - @echo "##### Running tests" - go test -race -cover -coverprofile=coverage.coverprofile -covermode=atomic -v ./... - -.PHONY: fuzz -fuzz: - @echo "##### Running fuzz tests" - go test -v -fuzz FuzzEncodeDecode -fuzztime 60s diff --git a/vendor/github.com/gorilla/securecookie/README.md b/vendor/github.com/gorilla/securecookie/README.md index c3b9815d..aa7bd1a5 100644 --- a/vendor/github.com/gorilla/securecookie/README.md +++ b/vendor/github.com/gorilla/securecookie/README.md 
@@ -1,13 +1,10 @@ -# gorilla/securecookie +securecookie +============ +[![GoDoc](https://godoc.org/github.com/gorilla/securecookie?status.svg)](https://godoc.org/github.com/gorilla/securecookie) [![Build Status](https://travis-ci.org/gorilla/securecookie.png?branch=master)](https://travis-ci.org/gorilla/securecookie) +[![Sourcegraph](https://sourcegraph.com/github.com/gorilla/securecookie/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/securecookie?badge) -![testing](https://github.com/gorilla/securecookie/actions/workflows/test.yml/badge.svg) -[![codecov](https://codecov.io/github/gorilla/securecookie/branch/main/graph/badge.svg)](https://codecov.io/github/gorilla/securecookie) -[![godoc](https://godoc.org/github.com/gorilla/securecookie?status.svg)](https://godoc.org/github.com/gorilla/securecookie) -[![sourcegraph](https://sourcegraph.com/github.com/gorilla/securecookie/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/securecookie?badge) -![Gorilla Logo](https://github.com/gorilla/.github/assets/53367916/d92caabf-98e0-473e-bfbf-ab554ba435e5) - -securecookie encodes and decodes authenticated and optionally encrypted +securecookie encodes and decodes authenticated and optionally encrypted cookie values. Secure cookies can't be forged, because their values are validated using HMAC. @@ -36,10 +33,7 @@ to not use encryption. If set, the length must correspond to the block size of the encryption algorithm. For AES, used by default, valid lengths are 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256. -Strong keys can be created using the convenience function -`GenerateRandomKey()`. Note that keys created using `GenerateRandomKey()` are not -automatically persisted. New keys will be created when the application is -restarted, and previously issued cookies will not be able to be decoded. +Strong keys can be created using the convenience function GenerateRandomKey(). Once a SecureCookie instance is set, use it to encode a cookie value: 
@@ -81,64 +75,6 @@ registered first using gob.Register(). For basic types this is not needed; it works out of the box. An optional JSON encoder that uses `encoding/json` is available for types compatible with JSON. -### Key Rotation -Rotating keys is an important part of any security strategy. The `EncodeMulti` and -`DecodeMulti` functions allow for multiple keys to be rotated in and out. -For example, let's take a system that stores keys in a map: - -```go -// keys stored in a map will not be persisted between restarts -// a more persistent storage should be considered for production applications. -var cookies = map[string]*securecookie.SecureCookie{ - "previous": securecookie.New( - securecookie.GenerateRandomKey(64), - securecookie.GenerateRandomKey(32), - ), - "current": securecookie.New( - securecookie.GenerateRandomKey(64), - securecookie.GenerateRandomKey(32), - ), -} -``` - -Using the current key to encode new cookies: -```go -func SetCookieHandler(w http.ResponseWriter, r *http.Request) { - value := map[string]string{ - "foo": "bar", - } - if encoded, err := securecookie.EncodeMulti("cookie-name", value, cookies["current"]); err == nil { - cookie := &http.Cookie{ - Name: "cookie-name", - Value: encoded, - Path: "/", - } - http.SetCookie(w, cookie) - } -} -``` - -Later, decode cookies. Check against all valid keys: -```go -func ReadCookieHandler(w http.ResponseWriter, r *http.Request) { - if cookie, err := r.Cookie("cookie-name"); err == nil { - value := make(map[string]string) - err = securecookie.DecodeMulti("cookie-name", cookie.Value, &value, cookies["current"], cookies["previous"]) - if err == nil { - fmt.Fprintf(w, "The value of foo is %q", value["foo"]) - } - } -} -``` - -Rotate the keys. This strategy allows previously issued cookies to be valid until the next rotation: -```go -func Rotate(newCookie *securecookie.SecureCookie) { - cookies["previous"] = cookies["current"] - cookies["current"] = newCookie -} -``` - ## License BSD licensed. 
See the LICENSE file for details.
diff --git a/vendor/github.com/gorilla/securecookie/fuzz.go b/vendor/github.com/gorilla/securecookie/fuzz.go
new file mode 100644
index 00000000..e4d0534e
--- /dev/null
+++ b/vendor/github.com/gorilla/securecookie/fuzz.go
@@ -0,0 +1,25 @@
+// +build gofuzz
+
+package securecookie
+
+var hashKey = []byte("very-secret12345")
+var blockKey = []byte("a-lot-secret1234")
+var s = New(hashKey, blockKey)
+
+type Cookie struct {
+ B bool
+ I int
+ S string
+}
+
+func Fuzz(data []byte) int {
+ datas := string(data)
+ var c Cookie
+ if err := s.Decode("fuzz", datas, &c); err != nil {
+ return 0
+ }
+ if _, err := s.Encode("fuzz", c); err != nil {
+ panic(err)
+ }
+ return 1
+}
diff --git a/vendor/github.com/gorilla/securecookie/securecookie.go b/vendor/github.com/gorilla/securecookie/securecookie.go
index 4d5ea860..cd4e0976 100644
--- a/vendor/github.com/gorilla/securecookie/securecookie.go
+++ b/vendor/github.com/gorilla/securecookie/securecookie.go
@@ -124,7 +124,7 @@ type Codec interface {
 // GenerateRandomKey(). It is recommended to use a key with 32 or 64 bytes.
 //
 // blockKey is optional, used to encrypt values. Create it using
-// GenerateRandomKey(). The key length must correspond to the key size
+// GenerateRandomKey(). The key length must correspond to the block size
 // of the encryption algorithm. For AES, used by default, valid lengths are
 // 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
 // The default encoder used for cookie serialization is encoding/gob.
@@ -141,7 +141,7 @@ func New(hashKey, blockKey []byte) *SecureCookie {
 maxLength: 4096,
 sz: GobEncoder{},
 }
- if len(hashKey) == 0 {
+ if hashKey == nil {
 s.err = errHashKeyNotSet
 }
 if blockKey != nil {
@@ -286,7 +286,7 @@ func (s *SecureCookie) Encode(name string, value interface{}) (string, error) {
 b = encode(b)
 // 5. Check length.
 if s.maxLength != 0 && len(b) > s.maxLength {
- return "", fmt.Errorf("%s: %d", errEncodedValueTooLong, len(b))
+ return "", errEncodedValueTooLong
 }
 // Done.
 return string(b), nil
@@ -310,7 +310,7 @@ func (s *SecureCookie) Decode(name, value string, dst interface{}) error {
 }
 // 1. Check length.
 if s.maxLength != 0 && len(value) > s.maxLength {
- return fmt.Errorf("%s: %d", errValueToDecodeTooLong, len(value))
+ return errValueToDecodeTooLong
 }
 // 2. Decode from base64.
 b, err := decode([]byte(value))
@@ -391,7 +391,7 @@ func verifyMac(h hash.Hash, value []byte, mac []byte) error {
 
 // encrypt encrypts a value using the given block in counter mode.
 //
-// A random initialization vector ( https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Initialization_vector_(IV) ) with the length of the
+// A random initialization vector (http://goo.gl/zF67k) with the length of the
 // block size is prepended to the resulting ciphertext.
 func encrypt(block cipher.Block, value []byte) ([]byte, error) {
 iv := GenerateRandomKey(block.BlockSize())
@@ -408,7 +408,7 @@ func encrypt(block cipher.Block, value []byte) ([]byte, error) {
 // decrypt decrypts a value using the given block in counter mode.
 //
 // The value to be decrypted must be prepended by a initialization vector
-// ( https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Initialization_vector_(IV) ) with the length of the block size.
+// (http://goo.gl/zF67k) with the length of the block size.
 func decrypt(block cipher.Block, value []byte) ([]byte, error) {
 size := block.BlockSize()
 if len(value) > size {
@@ -506,10 +506,6 @@ func decode(value []byte) ([]byte, error) { // GenerateRandomKey creates a random key with the given length in bytes. // On failure, returns nil. // -// Note that keys created using `GenerateRandomKey()` are not automatically -// persisted. New keys will be created when the application is restarted, and -// previously issued cookies will not be able to be decoded. -// // Callers should explicitly check for the possibility of a nil return, treat // it as a failure of the system random number generator, and not continue. func GenerateRandomKey(length int) []byte { @@ -529,21 +525,22 @@ func GenerateRandomKey(length int) []byte { // // Example: // -// codecs := securecookie.CodecsFromPairs( -// []byte("new-hash-key"), -// []byte("new-block-key"), -// []byte("old-hash-key"), -// []byte("old-block-key"), -// ) +// codecs := securecookie.CodecsFromPairs( +// []byte("new-hash-key"), +// []byte("new-block-key"), +// []byte("old-hash-key"), +// []byte("old-block-key"), +// ) +// +// // Modify each instance. +// for _, s := range codecs { +// if cookie, ok := s.(*securecookie.SecureCookie); ok { +// cookie.MaxAge(86400 * 7) +// cookie.SetSerializer(securecookie.JSONEncoder{}) +// cookie.HashFunc(sha512.New512_256) +// } +// } // -// // Modify each instance. -// for _, s := range codecs { -// if cookie, ok := s.(*securecookie.SecureCookie); ok { -// cookie.MaxAge(86400 * 7) -// cookie.SetSerializer(securecookie.JSONEncoder{}) -// cookie.HashFunc(sha512.New512_256) -// } -// } func CodecsFromPairs(keyPairs ...[]byte) []Codec { codecs := make([]Codec, len(keyPairs)/2+len(keyPairs)%2) for i := 0; i < len(keyPairs); i += 2 { diff --git a/vendor/github.com/gorilla/sessions/.editorconfig b/vendor/github.com/gorilla/sessions/.editorconfig deleted file mode 100644 index 2940ec92..00000000 --- a/vendor/github.com/gorilla/sessions/.editorconfig +++ /dev/null 
@@ -1,20 +0,0 @@ -; https://editorconfig.org/ - -root = true - -[*] -insert_final_newline = true -charset = utf-8 -trim_trailing_whitespace = true -indent_style = space -indent_size = 2 - -[{Makefile,go.mod,go.sum,*.go,.gitmodules}] -indent_style = tab -indent_size = 4 - -[*.md] -indent_size = 4 -trim_trailing_whitespace = false - -eclint_indent_style = unset diff --git a/vendor/github.com/gorilla/sessions/.gitignore b/vendor/github.com/gorilla/sessions/.gitignore deleted file mode 100644 index 84039fec..00000000 --- a/vendor/github.com/gorilla/sessions/.gitignore +++ /dev/null @@ -1 +0,0 @@ -coverage.coverprofile diff --git a/vendor/github.com/gorilla/sessions/AUTHORS b/vendor/github.com/gorilla/sessions/AUTHORS new file mode 100644 index 00000000..1e3e7acb --- /dev/null +++ b/vendor/github.com/gorilla/sessions/AUTHORS @@ -0,0 +1,43 @@ +# This is the official list of gorilla/sessions authors for copyright purposes. +# +# Please keep the list sorted. + +Ahmadreza Zibaei +Anton Lindström +Brian Jones +Collin Stedman +Deniz Eren +Dmitry Chestnykh +Dustin Oprea +Egon Elbre +enumappstore +Geofrey Ernest +Google LLC (https://opensource.google.com/) +Jerry Saravia +Jonathan Gillham +Justin Clift +Justin Hellings +Kamil Kisiel +Keiji Yoshida +kliron +Kshitij Saraogi +Lauris BH +Lukas Rist +Mark Dain +Matt Ho +Matt Silverlock +Mattias Wadman +Michael Schuett +Michael Stapelberg +Mirco Zeiss +moraes +nvcnvn +pappz +Pontus Leitzler +QuaSoft +rcadena +rodrigo moraes +Shawn Smith +Taylor Hurt +Tortuoise +Vitor De Mario diff --git a/vendor/github.com/gorilla/sessions/LICENSE b/vendor/github.com/gorilla/sessions/LICENSE index 7fa90090..6903df63 100644 --- a/vendor/github.com/gorilla/sessions/LICENSE +++ b/vendor/github.com/gorilla/sessions/LICENSE 
@@ -1,4 +1,4 @@ -Copyright (c) 2024 The Gorilla Authors. All rights reserved. +Copyright (c) 2012-2018 The Gorilla Authors. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are diff --git a/vendor/github.com/gorilla/sessions/Makefile b/vendor/github.com/gorilla/sessions/Makefile deleted file mode 100644 index ac37ffd3..00000000 --- a/vendor/github.com/gorilla/sessions/Makefile +++ /dev/null @@ -1,34 +0,0 @@ -GO_LINT=$(shell which golangci-lint 2> /dev/null || echo '') -GO_LINT_URI=github.com/golangci/golangci-lint/cmd/golangci-lint@latest - -GO_SEC=$(shell which gosec 2> /dev/null || echo '') -GO_SEC_URI=github.com/securego/gosec/v2/cmd/gosec@latest - -GO_VULNCHECK=$(shell which govulncheck 2> /dev/null || echo '') -GO_VULNCHECK_URI=golang.org/x/vuln/cmd/govulncheck@latest - -.PHONY: golangci-lint -golangci-lint: - $(if $(GO_LINT), ,go install $(GO_LINT_URI)) - @echo "##### Running golangci-lint" - golangci-lint run -v - -.PHONY: gosec -gosec: - $(if $(GO_SEC), ,go install $(GO_SEC_URI)) - @echo "##### Running gosec" - gosec ./... - -.PHONY: govulncheck -govulncheck: - $(if $(GO_VULNCHECK), ,go install $(GO_VULNCHECK_URI)) - @echo "##### Running govulncheck" - govulncheck ./... - -.PHONY: verify -verify: golangci-lint gosec govulncheck - -.PHONY: test -test: - @echo "##### Running tests" - go test -race -cover -coverprofile=coverage.coverprofile -covermode=atomic -v ./... diff --git a/vendor/github.com/gorilla/sessions/README.md b/vendor/github.com/gorilla/sessions/README.md index d2cbea63..a8fb98bc 100644 --- a/vendor/github.com/gorilla/sessions/README.md +++ b/vendor/github.com/gorilla/sessions/README.md 
@@ -1,14 +1,7 @@ -# Gorilla Sessions +# sessions -> [!IMPORTANT] -> The latest version of this repository requires go 1.23 because of the new partitioned attribute. The last version that is compatible with older versions of go is v1.3.0. - -![testing](https://github.com/gorilla/sessions/actions/workflows/test.yml/badge.svg) -[![codecov](https://codecov.io/github/gorilla/sessions/branch/main/graph/badge.svg)](https://codecov.io/github/gorilla/sessions) -[![godoc](https://godoc.org/github.com/gorilla/sessions?status.svg)](https://godoc.org/github.com/gorilla/sessions) -[![sourcegraph](https://sourcegraph.com/github.com/gorilla/sessions/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/sessions?badge) - -![Gorilla Logo](https://github.com/gorilla/.github/assets/53367916/d92caabf-98e0-473e-bfbf-ab554ba435e5) +[![GoDoc](https://godoc.org/github.com/gorilla/sessions?status.svg)](https://godoc.org/github.com/gorilla/sessions) [![Build Status](https://travis-ci.org/gorilla/sessions.svg?branch=master)](https://travis-ci.org/gorilla/sessions) +[![Sourcegraph](https://sourcegraph.com/github.com/gorilla/sessions/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/sessions?badge) gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends. @@ -62,7 +55,8 @@ secret key used to authenticate the session. Inside the handler, we call some session values in session.Values, which is a `map[interface{}]interface{}`. And finally we call `session.Save()` to save the session in the response. -More examples are available at [package documentation](https://pkg.go.dev/github.com/gorilla/sessions). +More examples are available [on the Gorilla +website](https://www.gorillatoolkit.org/pkg/sessions). ## Store Implementations 
@@ -77,7 +71,6 @@ Other implementations of the `sessions.Store` interface: - [github.com/dsoprea/go-appengine-sessioncascade](https://github.com/dsoprea/go-appengine-sessioncascade) - Memcache/Datastore/Context in AppEngine - [github.com/kidstuff/mongostore](https://github.com/kidstuff/mongostore) - MongoDB - [github.com/srinathgs/mysqlstore](https://github.com/srinathgs/mysqlstore) - MySQL -- [github.com/danielepintore/gorilla-sessions-mysql](https://github.com/danielepintore/gorilla-sessions-mysql) - MySQL - [github.com/EnumApps/clustersqlstore](https://github.com/EnumApps/clustersqlstore) - MySQL Cluster - [github.com/antonlindstrom/pgstore](https://github.com/antonlindstrom/pgstore) - PostgreSQL - [github.com/boj/redistore](https://github.com/boj/redistore) - Redis @@ -91,7 +84,6 @@ Other implementations of the `sessions.Store` interface: - [github.com/lafriks/xormstore](https://github.com/lafriks/xormstore) - XORM (MySQL, PostgreSQL, SQLite, Microsoft SQL Server, TiDB) - [github.com/GoogleCloudPlatform/firestore-gorilla-sessions](https://github.com/GoogleCloudPlatform/firestore-gorilla-sessions) - Cloud Firestore - [github.com/stephenafamo/crdbstore](https://github.com/stephenafamo/crdbstore) - CockroachDB -- [github.com/ryicoh/tikvstore](github.com/ryicoh/tikvstore) - TiKV ## License diff --git a/vendor/github.com/gorilla/sessions/cookie.go b/vendor/github.com/gorilla/sessions/cookie.go index fd6f48ca..1928b047 100644 --- a/vendor/github.com/gorilla/sessions/cookie.go +++ b/vendor/github.com/gorilla/sessions/cookie.go @@ -1,6 +1,4 @@ -// Copyright 2012 The Gorilla Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. +// +build !go1.11 package sessions 
@@ -9,15 +7,13 @@ import "net/http" // newCookieFromOptions returns an http.Cookie with the options set. func newCookieFromOptions(name, value string, options *Options) *http.Cookie { return &http.Cookie{ - Name: name, - Value: value, - Path: options.Path, - Domain: options.Domain, - MaxAge: options.MaxAge, - Secure: options.Secure, - HttpOnly: options.HttpOnly, - Partitioned: options.Partitioned, - SameSite: options.SameSite, + Name: name, + Value: value, + Path: options.Path, + Domain: options.Domain, + MaxAge: options.MaxAge, + Secure: options.Secure, + HttpOnly: options.HttpOnly, } } diff --git a/vendor/github.com/gorilla/sessions/cookie_go111.go b/vendor/github.com/gorilla/sessions/cookie_go111.go new file mode 100644 index 00000000..173d1a3e --- /dev/null +++ b/vendor/github.com/gorilla/sessions/cookie_go111.go @@ -0,0 +1,20 @@ +// +build go1.11 + +package sessions + +import "net/http" + +// newCookieFromOptions returns an http.Cookie with the options set. +func newCookieFromOptions(name, value string, options *Options) *http.Cookie { + return &http.Cookie{ + Name: name, + Value: value, + Path: options.Path, + Domain: options.Domain, + MaxAge: options.MaxAge, + Secure: options.Secure, + HttpOnly: options.HttpOnly, + SameSite: options.SameSite, + } + +} diff --git a/vendor/github.com/gorilla/sessions/options.go b/vendor/github.com/gorilla/sessions/options.go index 6ed79349..38ba72fb 100644 --- a/vendor/github.com/gorilla/sessions/options.go +++ b/vendor/github.com/gorilla/sessions/options.go @@ -1,11 +1,7 @@ -// Copyright 2012 The Gorilla Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. +// +build !go1.11 package sessions -import "net/http" - // Options stores configuration for a session or session store. // // Fields are a subset of http.Cookie fields. 
@@ -16,9 +12,7 @@ type Options struct { // deleted after the browser session ends. // MaxAge<0 means delete cookie immediately. // MaxAge>0 means Max-Age attribute present and given in seconds. - MaxAge int - Secure bool - HttpOnly bool - Partitioned bool - SameSite http.SameSite + MaxAge int + Secure bool + HttpOnly bool } diff --git a/vendor/github.com/gorilla/sessions/options_go111.go b/vendor/github.com/gorilla/sessions/options_go111.go new file mode 100644 index 00000000..388112aa --- /dev/null +++ b/vendor/github.com/gorilla/sessions/options_go111.go @@ -0,0 +1,22 @@ +// +build go1.11 + +package sessions + +import "net/http" + +// Options stores configuration for a session or session store. +// +// Fields are a subset of http.Cookie fields. +type Options struct { + Path string + Domain string + // MaxAge=0 means no Max-Age attribute specified and the cookie will be + // deleted after the browser session ends. + // MaxAge<0 means delete cookie immediately. + // MaxAge>0 means Max-Age attribute present and given in seconds. + MaxAge int + Secure bool + HttpOnly bool + // Defaults to http.SameSiteDefaultMode + SameSite http.SameSite +} diff --git a/vendor/github.com/gorilla/sessions/store.go b/vendor/github.com/gorilla/sessions/store.go index 24db822b..bb7f9647 100644 --- a/vendor/github.com/gorilla/sessions/store.go +++ b/vendor/github.com/gorilla/sessions/store.go @@ -6,19 +6,16 @@ package sessions import ( "encoding/base32" + "io/ioutil" "net/http" "os" "path/filepath" + "strings" "sync" "github.com/gorilla/securecookie" ) -const ( - // File name prefix for session files. - sessionFilePrefix = "session_" -) - // Store is an interface for custom session stores. // // See CookieStore and FilesystemStore for examples. 
@@ -54,10 +51,8 @@ func NewCookieStore(keyPairs ...[]byte) *CookieStore {
 cs := &CookieStore{
 Codecs: securecookie.CodecsFromPairs(keyPairs...),
 Options: &Options{
- Path: "/",
- MaxAge: 86400 * 30,
- SameSite: http.SameSiteNoneMode,
- Secure: true,
+ Path: "/",
+ MaxAge: 86400 * 30,
 },
 }
 
@@ -206,8 +201,6 @@ func (s *FilesystemStore) New(r *http.Request, name string) (*Session, error) {
 return session, err
 }
 
-var base32RawStdEncoding = base32.StdEncoding.WithPadding(base32.NoPadding)
-
 // Save adds a single session to the response.
 //
 // If the Options.MaxAge of the session is <= 0 then the session file will be
@@ -218,7 +211,7 @@ func (s *FilesystemStore) Save(r *http.Request, w http.ResponseWriter,
 session *Session) error {
 // Delete if max-age is <= 0
 if session.Options.MaxAge <= 0 {
- if err := s.erase(session); err != nil && !os.IsNotExist(err) {
+ if err := s.erase(session); err != nil {
 return err
 }
 http.SetCookie(w, NewCookie(session.Name(), "", session.Options))
@@ -228,8 +221,9 @@ func (s *FilesystemStore) Save(r *http.Request, w http.ResponseWriter,
 if session.ID == "" {
 // Because the ID is used in the filename, encode it to
 // use alphanumeric characters only.
- session.ID = base32RawStdEncoding.EncodeToString(
- securecookie.GenerateRandomKey(32))
+ session.ID = strings.TrimRight(
+ base32.StdEncoding.EncodeToString(
+ securecookie.GenerateRandomKey(32)), "=")
 }
 if err := s.save(session); err != nil {
 return err
@@ -264,18 +258,18 @@ func (s *FilesystemStore) save(session *Session) error {
 if err != nil {
 return err
 }
- filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID))
+ filename := filepath.Join(s.path, "session_"+session.ID)
 fileMutex.Lock()
 defer fileMutex.Unlock()
- return os.WriteFile(filename, []byte(encoded), 0600)
+ return ioutil.WriteFile(filename, []byte(encoded), 0600)
 }
 
 // load reads a file and decodes its content into session.Values.
 func (s *FilesystemStore) load(session *Session) error {
- filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID))
+ filename := filepath.Join(s.path, "session_"+session.ID)
 fileMutex.RLock()
 defer fileMutex.RUnlock()
- fdata, err := os.ReadFile(filepath.Clean(filename))
+ fdata, err := ioutil.ReadFile(filename)
 if err != nil {
 return err
 }
@@ -288,7 +282,7 @@ func (s *FilesystemStore) load(session *Session) error {
 
 // delete session file
 func (s *FilesystemStore) erase(session *Session) error {
- filename := filepath.Join(s.path, sessionFilePrefix+filepath.Base(session.ID))
+ filename := filepath.Join(s.path, "session_"+session.ID)
 fileMutex.RLock()
 defer fileMutex.RUnlock()
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index f67a357d..983929ab 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -156,8 +156,8 @@ github.com/gabriel-vasile/mimetype/internal/magic
 # github.com/gin-contrib/cors v1.7.2
 ## explicit; go 1.18
 github.com/gin-contrib/cors
-# github.com/gin-contrib/sessions v1.0.1
-## explicit; go 1.19
+# github.com/gin-contrib/sessions v0.0.5
+## explicit; go 1.18
 github.com/gin-contrib/sessions
 github.com/gin-contrib/sessions/cookie
 # github.com/gin-contrib/sse v0.1.0
@@ -231,11 +231,11 @@ github.com/google/uuid
 # github.com/gorilla/context v1.1.2
 ## explicit; go 1.20
 github.com/gorilla/context
-# github.com/gorilla/securecookie v1.1.2
-## explicit; go 1.20
+# github.com/gorilla/securecookie v1.1.1
+## explicit
 github.com/gorilla/securecookie
-# github.com/gorilla/sessions v1.4.0
-## explicit; go 1.23
+# github.com/gorilla/sessions v1.2.1
+## explicit
 github.com/gorilla/sessions
 # github.com/huandu/xstrings v1.5.0
 ## explicit; go 1.12