-
Notifications
You must be signed in to change notification settings - Fork 721
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix semgrep dgryski.semgrep-go issues #3511
Changes from all commits
de9a3b8
12ed1a0
92602d0
9cc55f4
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -171,7 +171,7 @@ func (deps *endpointDeps) AmpAuction(w http.ResponseWriter, r *http.Request, _ h | |
if errortypes.ContainsFatalError(errL) { | ||
w.WriteHeader(http.StatusBadRequest) | ||
for _, err := range errortypes.FatalOnly(errL) { | ||
w.Write([]byte(fmt.Sprintf("Invalid request: %s\n", err.Error()))) | ||
fmt.Fprintf(w, "Invalid request: %s\n", err.Error()) | ||
} | ||
labels.RequestStatus = metrics.RequestStatusBadInput | ||
return | ||
|
@@ -224,7 +224,7 @@ func (deps *endpointDeps) AmpAuction(w http.ResponseWriter, r *http.Request, _ h | |
w.WriteHeader(httpStatus) | ||
labels.RequestStatus = metricsStatus | ||
for _, err := range errortypes.FatalOnly(errL) { | ||
w.Write([]byte(fmt.Sprintf("Invalid request: %s\n", err.Error()))) | ||
fmt.Fprintf(w, "Invalid request: %s\n", err.Error()) | ||
} | ||
ao.Errors = append(ao.Errors, acctIDErrs...) | ||
return | ||
|
@@ -237,7 +237,7 @@ func (deps *endpointDeps) AmpAuction(w http.ResponseWriter, r *http.Request, _ h | |
if errortypes.ContainsFatalError(errs) { | ||
w.WriteHeader(http.StatusBadRequest) | ||
for _, err := range errortypes.FatalOnly(errs) { | ||
w.Write([]byte(fmt.Sprintf("Invalid request: %s\n", err.Error()))) | ||
fmt.Fprintf(w, "Invalid request: %s\n", err.Error()) | ||
} | ||
labels.RequestStatus = metrics.RequestStatusBadInput | ||
return | ||
|
@@ -398,8 +398,13 @@ func sendAmpResponse( | |
ao.AmpTargetingValues = targets | ||
|
||
// Fixes #231 | ||
enc := json.NewEncoder(w) | ||
enc := json.NewEncoder(w) // nosemgrep: json-encoder-needs-type | ||
enc.SetEscapeHTML(false) | ||
// Explicitly set content type to text/plain, which had previously been | ||
// the implied behavior from the time the project was launched. | ||
// It's unclear why text/plain was chosen or if it was an oversight, | ||
// nevertheless we will keep it as such for compatibility reasons. | ||
w.Header().Set("Content-Type", "text/plain; charset=utf-8") | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why is it necessary to add this header set? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. it is done anyway automatically - added it explicitly to make clear that the text encoding is intended (I assume due to the AMP requirements) despite the JSON Encoder used . Would you prefer to remove it? @SyntaxNode There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @SyntaxNode and I discussed offline. You're correct in that "Explicitly set content type to text/plain, which had previously been the implied behavior from the time the project was launched. It's unclear why text/plain was chosen or if it was an oversight, nevertheless we will keep it as such for compatibility reasons" |
||
|
||
// If an error happens when encoding the response, there isn't much we can do. | ||
// If we've sent _any_ bytes, then Go would have sent the 200 status code first. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why are we ignoring this entry?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
without the
nosemgrep
ignore, semgrep run produces the following finding:actually there is another similar one in
usersync/cookie.go
:Do we want or can we change the pointer receiver to by-value
Cookie
? This is part of the public (exported) interface of the package. I think for this PR we should either add the// nosemgrep
skip to both cases, or remove thenosemgrep
and leave it with the flagged findings. I've done the former for now - 9cc55f4 adding anothernosemgrep
to get a clean semgrep run (and for the new issues to "stick out" if they appear), but if you prefer, I can remove both// nosemgrep
comments.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting. I'm ok with leaving the
nosemgrep
comments for now.