Fix semgrep dgryski.semgrep-go issues #3511
Conversation
| @@ -387,6 +387,7 @@ func sendAmpResponse( | |||
| // Fixes #231 | |||
| enc := json.NewEncoder(w) | |||
| enc.SetEscapeHTML(false) | |||
| w.Header().Set("Content-Type", "text/plain; charset=utf-8") | |||
There was a problem hiding this comment.
Why is it necessary to add this header set?
There was a problem hiding this comment.
it is done anyway automatically - added it explicitly to make clear that the text encoding is intended (I assume due to the AMP requirements) despite the JSON Encoder used . Would you prefer to remove it? @SyntaxNode
There was a problem hiding this comment.
@SyntaxNode and I discussed offline. You're correct in that text/plain is what PBS-Go returns. We're not sure why that is as it predates us and I can't find any documentation on the subject. I did notice that application/json is returned by PBS-Java in the 200 success case, which is probably what the content type should be. However, I suggest we keep the behavior as text/plain since it has been this way for years without complaint and keep this line of code but add a comment above it that is something like:
"Explicitly set content type to text/plain, which had previously been the implied behavior from the time the project was launched. It's unclear why text/plain was chosen or if it was an oversight, nevertheless we will keep it as such for compatibility reasons"
bsardo
changed the title
dmitris
force-pushed
the
semgrep-go-fix
branch
from
e946897
to
5a35f0b
Compare
dmitris
force-pushed
the
semgrep-go-fix
branch
from
5a35f0b
to
98d5107
Compare
There was a problem hiding this comment.
Changes in usersync/encoder.go and config/usersync.go do not seem to be listed in the prebid-semgrep-dgryski.txt. What's the reason behind the EncoderSigner interface? Why do we need HMACSignature config field?
Fix most of the semgrep issues with the http://semgrep.dev/r/dgryski.semgrep-go ruleset (`semgrep --config http://semgrep.dev/r/dgryski.semgrep-go`). Left the issue with Content-Type text/plain on json.Encode in endpoints/openrtb2/amp_auction.go since changing to application/json breaks the AMP unit tests, and issues with the pointer receiver for MarshalJSON in usersync/cookie.go. Fix prebid#3509. Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
Signed-off-by: Dmitry S <[email protected]>
@guscarreon I'm sorry - confused my branches and inadvertently added unrelated changes 🤦, thanks for catching! Removed it now and rebased, the usersync files are unchanged. The only remaining dgryski issue is on this line - https://github.com/prebid/prebid-server/blob/master/usersync/cookie.go#L228: |
There was a problem hiding this comment.
I'm sorry
Don't be sorry @dmitris. Thank you for fixing this. Left a minor nitpick below
| @@ -398,8 +398,13 @@ func sendAmpResponse( | |||
| ao.AmpTargetingValues = targets | |||
|
|
|||
| // Fixes #231 | |||
| enc := json.NewEncoder(w) | |||
| enc := json.NewEncoder(w) // nosemgrep: json-encoder-needs-type | |||
There was a problem hiding this comment.
Why are we ignoring this entry?
There was a problem hiding this comment.
without the nosemgrep ignore, semgrep run produces the following finding:
endpoints/openrtb2/amp_auction.go
❯❯❱ Users.dmitris.gh.dgryski.semgrep-go.json-encoder-needs-type
calling json.Encode() on an http.ResponseWriter will set Content-
Type text/plain
401┆ enc := json.NewEncoder(w)
402┆ enc.SetEscapeHTML(false)
403┆ // Explicitly set content type to text/plain, which had
previously been
404┆ // the implied behavior from the time the project was
launched.
405┆ // It's unclear why text/plain was chosen or if it was an
oversight,
406┆ // nevertheless we will keep it as such for compatibility
reasons.
407┆ w.Header().Set("Content-Type", "text/plain;
charset=utf-8")
408┆actually there is another similar one in usersync/cookie.go:
usersync/cookie.go
❯❯❱ Users.dmitris.gh.dgryski.semgrep-go.marshal-json-pointer-receiver
MarshalJSON with a pointer receiver has surprising results:
https://github.com/golang/go/issues/22967
228┆ func (cookie *Cookie) MarshalJSON() ([]byte, error) {Do we want or can we change the pointer receiver to by-value Cookie? This is part of the public (exported) interface of the package. I think for this PR we should either add the // nosemgrep skip to both cases, or remove the nosemgrep and leave it with the flagged findings. I've done the former for now - 9cc55f4 adding another nosemgrep to get a clean semgrep run (and for the new issues to "stick out" if they appear), but if you prefer, I can remove both // nosemgrep comments.
There was a problem hiding this comment.
Interesting. I'm ok with leaving the nosemgrep comments for now.
Fix most of the semgrep issues with the
http://semgrep.dev/r/dgryski.semgrep-go ruleset
(
semgrep --config http://semgrep.dev/r/dgryski.semgrep-go). Left the issue with Content-Type text/plain on json.Encode in endpoints/openrtb2/amp_auction.go since changing to application/json breaks the AMP unit tests, and issues with the pointer receiver for MarshalJSON in usersync/cookie.go.Fix #3509.