Refactor legacy unknwon/com package, improve golangci lint (#19284)

The main purpose is to refactor the legacy `unknwon/com` package. 1. Remove most imports of `unknwon/com`, only `util/legacy.go` imports the legacy `unknwon/com` 2. Use golangci's depguard to process denied packages 3. Fix some incorrect values in golangci.yml, eg, the version should be quoted string `"1.18"` 4. Use correctly escaped content for `go-import` and `go-source` meta tags 5. Refactor `com.Expand` to our stable (and the same fast) `vars.Expand`, our `vars.Expand` can still return partially rendered content even if the template is not good (eg: key mistach).
2022-04-01 16:47:50 +08:00 · 2022-04-01 16:47:50 +08:00 · 65f17bfc31
commit 65f17bfc31
parent 5b7466053d
22 changed files with 397 additions and 81 deletions
--- a/modules/context/context.go
+++ b/modules/context/context.go
@ -31,13 +31,13 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 	"code.gitea.io/gitea/modules/templates"
 	"code.gitea.io/gitea/modules/translation"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
 	"code.gitea.io/gitea/services/auth"

 	"gitea.com/go-chi/cache"
 	"gitea.com/go-chi/session"
 	chi "github.com/go-chi/chi/v5"
-	"github.com/unknwon/com"
 	"github.com/unrolled/render"
 	"golang.org/x/crypto/pbkdf2"
 )
@ -475,7 +475,7 @@ func (ctx *Context) CookieDecrypt(secret, val string) (string, bool) {
 	}

 	key := pbkdf2.Key([]byte(secret), []byte(secret), 1000, 16, sha256.New)
-	text, err = com.AESGCMDecrypt(key, text)
+	text, err = util.AESGCMDecrypt(key, text)
 	return string(text), err == nil
 }

@ -489,7 +489,7 @@ func (ctx *Context) SetSuperSecureCookie(secret, name, value string, expiry int)
 // CookieEncrypt encrypts a given value using the provided secret
 func (ctx *Context) CookieEncrypt(secret, value string) string {
 	key := pbkdf2.Key([]byte(secret), []byte(secret), 1000, 16, sha256.New)
-	text, err := com.AESGCMEncrypt(key, []byte(value))
+	text, err := util.AESGCMEncrypt(key, []byte(value))
 	if err != nil {
 		panic("error encrypting cookie: " + err.Error())
 	}
--- a/modules/context/csrf.go
+++ b/modules/context/csrf.go
@ -19,13 +19,14 @@
 package context

 import (
+	"encoding/base32"
+	"fmt"
 	"net/http"
 	"time"

 	"code.gitea.io/gitea/modules/setting"
+	"code.gitea.io/gitea/modules/util"
 	"code.gitea.io/gitea/modules/web/middleware"
-
-	"github.com/unknwon/com"
 )

 // CSRF represents a CSRF service and is used to get the current token and validate a suspect token.
@ -162,7 +163,12 @@ func prepareOptions(options []CsrfOptions) CsrfOptions {

 	// Defaults.
 	if len(opt.Secret) == 0 {
-		opt.Secret = string(com.RandomCreateBytes(10))
+		randBytes, err := util.CryptoRandomBytes(8)
+		if err != nil {
+			// this panic can be handled by the recover() in http handlers
+			panic(fmt.Errorf("failed to generate random bytes: %w", err))
+		}
+		opt.Secret = base32.StdEncoding.EncodeToString(randBytes)
 	}
 	if len(opt.Header) == 0 {
 		opt.Header = "X-CSRFToken"
@ -211,7 +217,7 @@ func Csrfer(opt CsrfOptions, ctx *Context) CSRF {
 	x.ID = "0"
 	uid := ctx.Session.Get(opt.SessionKey)
 	if uid != nil {
-		x.ID = com.ToStr(uid)
+		x.ID = util.ToStr(uid)
 	}

 	needsNew := false
--- a/modules/context/repo.go
+++ b/modules/context/repo.go
@ -8,6 +8,7 @@ package context
 import (
 	"context"
 	"fmt"
+	"html"
 	"io"
 	"net/http"
 	"net/url"
@ -29,7 +30,6 @@ import (
 	asymkey_service "code.gitea.io/gitea/services/asymkey"

 	"github.com/editorconfig/editorconfig-core-go/v2"
-	"github.com/unknwon/com"
 )

 // IssueTemplateDirCandidates issue templates directory
@ -308,11 +308,9 @@ func EarlyResponseForGoGetMeta(ctx *Context) {
 		ctx.PlainText(http.StatusBadRequest, "invalid repository path")
 		return
 	}
-	ctx.PlainText(http.StatusOK, com.Expand(`<meta name="go-import" content="{GoGetImport} git {CloneLink}">`,
-		map[string]string{
-			"GoGetImport": ComposeGoGetImport(username, reponame),
-			"CloneLink":   repo_model.ComposeHTTPSCloneURL(username, reponame),
-		}))
+	goImportContent := fmt.Sprintf("%s git %s", ComposeGoGetImport(username, reponame), repo_model.ComposeHTTPSCloneURL(username, reponame))
+	htmlMeta := fmt.Sprintf(`<meta name="go-import" content="%s">`, html.EscapeString(goImportContent))
+	ctx.PlainText(http.StatusOK, htmlMeta)
 }

 // RedirectToRepo redirect to a differently-named repository