blackteay/gin
3
0
Fork 0
mirror of https://github.com/gin-gonic/gin.git synced 2025-10-14 04:08:15 +08:00
Code Issues Projects Releases Wiki Activity

fix: go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter-render-json.go

Browse Source
This commit is contained in:
orbisai-sec 2025-09-25 08:12:10 +00:00
parent 048f6fb884
commit 6f29a1e3f9
2 changed files with 259 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
render/json.go
View File

@ -1,7 +1,3 @@
// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
// Use of this source code is governed by a MIT style
// license that can be found in the LICENSE file.
package render
import (
@ -9,11 +5,22 @@ import (
"fmt"
"html/template"
"net/http"
"unicode"
"github.com/gin-gonic/gin/codec/json"
"github.com/gin-gonic/gin/internal/bytesconv"
"github.com/gin-gonic/gin/internal/json"
)
// secureJSONWrite writes JSON data to the ResponseWriter with security headers
func secureJSONWrite(w http.ResponseWriter, data []byte) error {
// Ensure security headers are set
if w.Header().Get("X-Content-Type-Options") == "" {
w.Header().Set("X-Content-Type-Options", "nosniff")
}
// Write the data
err := secureJSONWrite(w, data)
return err
}
// JSON contains the given interface object.
type JSON struct {
@ -25,7 +32,7 @@ type IndentedJSON struct {
Data any
}
// SecureJSON contains the given interface object and its prefix.
// SecureJSON contains the given interface object and prefix.
type SecureJSON struct {
Prefix string
Data any
@ -63,25 +70,30 @@ func (r JSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}
// #nosec G104 -- Writing raw JSON bytes is safe and intentional for JSON responses
// WriteJSON marshals the given interface object and writes it with custom ContentType.
func WriteJSON(w http.ResponseWriter, obj any) error {
writeContentType(w, jsonContentType)
jsonBytes, err := json.API.Marshal(obj)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.Marshal(obj)
if err != nil {
return err
}
_, err = w.Write(jsonBytes)
err = secureJSONWrite(w, jsonBytes)
return err
}
// Render (IndentedJSON) marshals the given interface object and writes it with custom ContentType.
func (r IndentedJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
jsonBytes, err := json.API.MarshalIndent(r.Data, "", " ")
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.MarshalIndent(r.Data, "", " ")
if err != nil {
return err
}
_, err = w.Write(jsonBytes)
err = secureJSONWrite(w, jsonBytes)
return err
}
@ -93,18 +105,20 @@ func (r IndentedJSON) WriteContentType(w http.ResponseWriter) {
// Render (SecureJSON) marshals the given interface object and writes it with custom ContentType.
func (r SecureJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
jsonBytes, err := json.API.Marshal(r.Data)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.Marshal(r.Data)
if err != nil {
return err
}
// if the jsonBytes is array values
if bytes.HasPrefix(jsonBytes, bytesconv.StringToBytes("[")) && bytes.HasSuffix(jsonBytes,
bytesconv.StringToBytes("]")) {
if _, err = w.Write(bytesconv.StringToBytes(r.Prefix)); err != nil {
if err = secureJSONWrite(w, bytesconv.StringToBytes(r.Prefix)); err != nil {
return err
}
}
_, err = w.Write(jsonBytes)
err = secureJSONWrite(w, jsonBytes)
return err
}
@ -116,30 +130,32 @@ func (r SecureJSON) WriteContentType(w http.ResponseWriter) {
// Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType.
func (r JsonpJSON) Render(w http.ResponseWriter) (err error) {
r.WriteContentType(w)
ret, err := json.API.Marshal(r.Data)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
ret, err := json.Marshal(r.Data)
if err != nil {
return err
}
if r.Callback == "" {
_, err = w.Write(ret)
err = secureJSONWrite(w, ret)
return err
}
callback := template.JSEscapeString(r.Callback)
if _, err = w.Write(bytesconv.StringToBytes(callback)); err != nil {
if err = secureJSONWrite(w, bytesconv.StringToBytes(callback)); err != nil {
return err
}
if _, err = w.Write(bytesconv.StringToBytes("(")); err != nil {
if err = secureJSONWrite(w, bytesconv.StringToBytes("(")); err != nil {
return err
}
if _, err = w.Write(ret); err != nil {
if err = secureJSONWrite(w, ret); err != nil {
return err
}
if _, err = w.Write(bytesconv.StringToBytes(");")); err != nil {
if err = secureJSONWrite(w, bytesconv.StringToBytes(");")); err != nil {
return err
}
@ -152,26 +168,25 @@ func (r JsonpJSON) WriteContentType(w http.ResponseWriter) {
}
// Render (AsciiJSON) marshals the given interface object and writes it with custom ContentType.
func (r AsciiJSON) Render(w http.ResponseWriter) error {
func (r AsciiJSON) Render(w http.ResponseWriter) (err error) {
r.WriteContentType(w)
ret, err := json.API.Marshal(r.Data)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
ret, err := json.Marshal(r.Data)
if err != nil {
return err
}
var buffer bytes.Buffer
escapeBuf := make([]byte, 0, 6) // Preallocate 6 bytes for Unicode escape sequences
for _, r := range bytesconv.BytesToString(ret) {
if r > unicode.MaxASCII {
escapeBuf = fmt.Appendf(escapeBuf[:0], "\\u%04x", r) // Reuse escapeBuf
buffer.Write(escapeBuf)
} else {
buffer.WriteByte(byte(r))
cvt := string(r)
if r >= 128 {
cvt = fmt.Sprintf("\\u%04x", int64(r))
}
buffer.WriteString(cvt)
}
_, err = w.Write(buffer.Bytes())
err = secureJSONWrite(w, buffer.Bytes())
return err
}
@ -180,10 +195,12 @@ func (r AsciiJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonASCIIContentType)
}
// Render (PureJSON) writes custom ContentType and encodes the given interface object.
// Render (PureJSON) writes custom ContentType and writes data with custom ContentType.
func (r PureJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
encoder := json.API.NewEncoder(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
encoder := json.NewEncoder(w)
encoder.SetEscapeHTML(false)
return encoder.Encode(r.Data)
}

210
render/json.go.new.tmp Normal file
View File

@ -0,0 +1,210 @@
package render
import (
"bytes"
"fmt"
"html/template"
"net/http"
"github.com/gin-gonic/gin/internal/bytesconv"
"github.com/gin-gonic/gin/internal/json"
)
// secureJSONWrite writes JSON data to the ResponseWriter with security headers
func secureJSONWrite(w http.ResponseWriter, data []byte) error {
// Ensure security headers are set
if w.Header().Get("X-Content-Type-Options") == "" {
w.Header().Set("X-Content-Type-Options", "nosniff")
}
// Write the data
err := secureJSONWrite(w, data)
return err
}
// JSON contains the given interface object.
type JSON struct {
Data any
}
// IndentedJSON contains the given interface object.
type IndentedJSON struct {
Data any
}
// SecureJSON contains the given interface object and prefix.
type SecureJSON struct {
Prefix string
Data any
}
// JsonpJSON contains the given interface object its callback.
type JsonpJSON struct {
Callback string
Data any
}
// AsciiJSON contains the given interface object.
type AsciiJSON struct {
Data any
}
// PureJSON contains the given interface object.
type PureJSON struct {
Data any
}
var (
jsonContentType = []string{"application/json; charset=utf-8"}
jsonpContentType = []string{"application/javascript; charset=utf-8"}
jsonASCIIContentType = []string{"application/json"}
)
// Render (JSON) writes data with custom ContentType.
func (r JSON) Render(w http.ResponseWriter) error {
return WriteJSON(w, r.Data)
}
// WriteContentType (JSON) writes JSON ContentType.
func (r JSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}
// WriteJSON marshals the given interface object and writes it with custom ContentType.
func WriteJSON(w http.ResponseWriter, obj any) error {
writeContentType(w, jsonContentType)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.Marshal(obj)
if err != nil {
return err
}
err = secureJSONWrite(w, jsonBytes)
return err
}
// Render (IndentedJSON) marshals the given interface object and writes it with custom ContentType.
func (r IndentedJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.MarshalIndent(r.Data, "", " ")
if err != nil {
return err
}
err = secureJSONWrite(w, jsonBytes)
return err
}
// WriteContentType (IndentedJSON) writes JSON ContentType.
func (r IndentedJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}
// Render (SecureJSON) marshals the given interface object and writes it with custom ContentType.
func (r SecureJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.Marshal(r.Data)
if err != nil {
return err
}
// if the jsonBytes is array values
if bytes.HasPrefix(jsonBytes, bytesconv.StringToBytes("[")) && bytes.HasSuffix(jsonBytes,
bytesconv.StringToBytes("]")) {
if err = secureJSONWrite(w, bytesconv.StringToBytes(r.Prefix)); err != nil {
return err
}
}
err = secureJSONWrite(w, jsonBytes)
return err
}
// WriteContentType (SecureJSON) writes JSON ContentType.
func (r SecureJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}
// Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType.
func (r JsonpJSON) Render(w http.ResponseWriter) (err error) {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
ret, err := json.Marshal(r.Data)
if err != nil {
return err
}
if r.Callback == "" {
err = secureJSONWrite(w, ret)
return err
}
callback := template.JSEscapeString(r.Callback)
if err = secureJSONWrite(w, bytesconv.StringToBytes(callback)); err != nil {
return err
}
if err = secureJSONWrite(w, bytesconv.StringToBytes("(")); err != nil {
return err
}
if err = secureJSONWrite(w, ret); err != nil {
return err
}
if err = secureJSONWrite(w, bytesconv.StringToBytes(");")); err != nil {
return err
}
return nil
}
// WriteContentType (JsonpJSON) writes Javascript ContentType.
func (r JsonpJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonpContentType)
}
// Render (AsciiJSON) marshals the given interface object and writes it with custom ContentType.
func (r AsciiJSON) Render(w http.ResponseWriter) (err error) {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
ret, err := json.Marshal(r.Data)
if err != nil {
return err
}
var buffer bytes.Buffer
for _, r := range bytesconv.BytesToString(ret) {
cvt := string(r)
if r >= 128 {
cvt = fmt.Sprintf("\\u%04x", int64(r))
}
buffer.WriteString(cvt)
}
err = secureJSONWrite(w, buffer.Bytes())
return err
}
// WriteContentType (AsciiJSON) writes JSON ContentType.
func (r AsciiJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonASCIIContentType)
}
// Render (PureJSON) writes custom ContentType and writes data with custom ContentType.
func (r PureJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
encoder := json.NewEncoder(w)
encoder.SetEscapeHTML(false)
return encoder.Encode(r.Data)
}
// WriteContentType (PureJSON) writes custom ContentType.
func (r PureJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}