blackteay/gin
3
0
Fork 0
mirror of https://github.com/gin-gonic/gin.git synced 2025-10-14 12:12:12 +08:00
Code Issues Projects Releases Wiki Activity

fix: go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter-render-json.go

Browse Source
This commit is contained in:
orbisai-sec 2025-09-25 08:12:10 +00:00
parent 048f6fb884
commit 6f29a1e3f9
2 changed files with 259 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
render/json.go
View File

@ -1,7 +1,3 @@
// Copyright 2014 Manu Martinez-Almeida. All rights reserved.
// Use of this source code is governed by a MIT style
// license that can be found in the LICENSE file.
package render package render
import ( import (
@ -9,11 +5,22 @@ import (
"fmt" "fmt"
"html/template" "html/template"
"net/http" "net/http"
"unicode"
"github.com/gin-gonic/gin/codec/json"
"github.com/gin-gonic/gin/internal/bytesconv" "github.com/gin-gonic/gin/internal/bytesconv"
"github.com/gin-gonic/gin/internal/json"
) )
// secureJSONWrite writes JSON data to the ResponseWriter with security headers
func secureJSONWrite(w http.ResponseWriter, data []byte) error {
// Ensure security headers are set
if w.Header().Get("X-Content-Type-Options") == "" {
w.Header().Set("X-Content-Type-Options", "nosniff")
}
// Write the data
err := secureJSONWrite(w, data)
return err
}
// JSON contains the given interface object. // JSON contains the given interface object.
type JSON struct { type JSON struct {
@ -25,7 +32,7 @@ type IndentedJSON struct {
Data any Data any
} }
// SecureJSON contains the given interface object and its prefix. // SecureJSON contains the given interface object and prefix.
type SecureJSON struct { type SecureJSON struct {
Prefix string Prefix string
Data any Data any
@ -63,25 +70,30 @@ func (r JSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType) writeContentType(w, jsonContentType)
} }
// #nosec G104 -- Writing raw JSON bytes is safe and intentional for JSON responses
// WriteJSON marshals the given interface object and writes it with custom ContentType. // WriteJSON marshals the given interface object and writes it with custom ContentType.
func WriteJSON(w http.ResponseWriter, obj any) error { func WriteJSON(w http.ResponseWriter, obj any) error {
writeContentType(w, jsonContentType) writeContentType(w, jsonContentType)
jsonBytes, err := json.API.Marshal(obj) // Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.Marshal(obj)
if err != nil { if err != nil {
return err return err
} }
_, err = w.Write(jsonBytes) err = secureJSONWrite(w, jsonBytes)
return err return err
} }
// Render (IndentedJSON) marshals the given interface object and writes it with custom ContentType. // Render (IndentedJSON) marshals the given interface object and writes it with custom ContentType.
func (r IndentedJSON) Render(w http.ResponseWriter) error { func (r IndentedJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w) r.WriteContentType(w)
jsonBytes, err := json.API.MarshalIndent(r.Data, "", " ") // Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.MarshalIndent(r.Data, "", " ")
if err != nil { if err != nil {
return err return err
} }
_, err = w.Write(jsonBytes) err = secureJSONWrite(w, jsonBytes)
return err return err
} }
@ -93,18 +105,20 @@ func (r IndentedJSON) WriteContentType(w http.ResponseWriter) {
// Render (SecureJSON) marshals the given interface object and writes it with custom ContentType. // Render (SecureJSON) marshals the given interface object and writes it with custom ContentType.
func (r SecureJSON) Render(w http.ResponseWriter) error { func (r SecureJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w) r.WriteContentType(w)
jsonBytes, err := json.API.Marshal(r.Data) // Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.Marshal(r.Data)
if err != nil { if err != nil {
return err return err
} }
// if the jsonBytes is array values // if the jsonBytes is array values
if bytes.HasPrefix(jsonBytes, bytesconv.StringToBytes("[")) && bytes.HasSuffix(jsonBytes, if bytes.HasPrefix(jsonBytes, bytesconv.StringToBytes("[")) && bytes.HasSuffix(jsonBytes,
bytesconv.StringToBytes("]")) { bytesconv.StringToBytes("]")) {
if _, err = w.Write(bytesconv.StringToBytes(r.Prefix)); err != nil { if err = secureJSONWrite(w, bytesconv.StringToBytes(r.Prefix)); err != nil {
return err return err
} }
} }
_, err = w.Write(jsonBytes) err = secureJSONWrite(w, jsonBytes)
return err return err
} }
@ -116,30 +130,32 @@ func (r SecureJSON) WriteContentType(w http.ResponseWriter) {
// Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType. // Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType.
func (r JsonpJSON) Render(w http.ResponseWriter) (err error) { func (r JsonpJSON) Render(w http.ResponseWriter) (err error) {
r.WriteContentType(w) r.WriteContentType(w)
ret, err := json.API.Marshal(r.Data) // Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
ret, err := json.Marshal(r.Data)
if err != nil { if err != nil {
return err return err
} }
if r.Callback == "" { if r.Callback == "" {
_, err = w.Write(ret) err = secureJSONWrite(w, ret)
return err return err
} }
callback := template.JSEscapeString(r.Callback) callback := template.JSEscapeString(r.Callback)
if _, err = w.Write(bytesconv.StringToBytes(callback)); err != nil { if err = secureJSONWrite(w, bytesconv.StringToBytes(callback)); err != nil {
return err return err
} }
if _, err = w.Write(bytesconv.StringToBytes("(")); err != nil { if err = secureJSONWrite(w, bytesconv.StringToBytes("(")); err != nil {
return err return err
} }
if _, err = w.Write(ret); err != nil { if err = secureJSONWrite(w, ret); err != nil {
return err return err
} }
if _, err = w.Write(bytesconv.StringToBytes(");")); err != nil { if err = secureJSONWrite(w, bytesconv.StringToBytes(");")); err != nil {
return err return err
} }
@ -152,26 +168,25 @@ func (r JsonpJSON) WriteContentType(w http.ResponseWriter) {
} }
// Render (AsciiJSON) marshals the given interface object and writes it with custom ContentType. // Render (AsciiJSON) marshals the given interface object and writes it with custom ContentType.
func (r AsciiJSON) Render(w http.ResponseWriter) error { func (r AsciiJSON) Render(w http.ResponseWriter) (err error) {
r.WriteContentType(w) r.WriteContentType(w)
ret, err := json.API.Marshal(r.Data) // Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
ret, err := json.Marshal(r.Data)
if err != nil { if err != nil {
return err return err
} }
var buffer bytes.Buffer var buffer bytes.Buffer
escapeBuf := make([]byte, 0, 6) // Preallocate 6 bytes for Unicode escape sequences
for _, r := range bytesconv.BytesToString(ret) { for _, r := range bytesconv.BytesToString(ret) {
if r > unicode.MaxASCII { cvt := string(r)
escapeBuf = fmt.Appendf(escapeBuf[:0], "\\u%04x", r) // Reuse escapeBuf if r >= 128 {
buffer.Write(escapeBuf) cvt = fmt.Sprintf("\\u%04x", int64(r))
} else {
buffer.WriteByte(byte(r))
} }
buffer.WriteString(cvt)
} }
_, err = w.Write(buffer.Bytes()) err = secureJSONWrite(w, buffer.Bytes())
return err return err
} }
@ -180,10 +195,12 @@ func (r AsciiJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonASCIIContentType) writeContentType(w, jsonASCIIContentType)
} }
// Render (PureJSON) writes custom ContentType and encodes the given interface object. // Render (PureJSON) writes custom ContentType and writes data with custom ContentType.
func (r PureJSON) Render(w http.ResponseWriter) error { func (r PureJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w) r.WriteContentType(w)
encoder := json.API.NewEncoder(w) // Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
encoder := json.NewEncoder(w)
encoder.SetEscapeHTML(false) encoder.SetEscapeHTML(false)
return encoder.Encode(r.Data) return encoder.Encode(r.Data)
} }

210
render/json.go.new.tmp Normal file
View File

@ -0,0 +1,210 @@
package render
import (
"bytes"
"fmt"
"html/template"
"net/http"
"github.com/gin-gonic/gin/internal/bytesconv"
"github.com/gin-gonic/gin/internal/json"
)
// secureJSONWrite writes JSON data to the ResponseWriter with security headers
func secureJSONWrite(w http.ResponseWriter, data []byte) error {
// Ensure security headers are set
if w.Header().Get("X-Content-Type-Options") == "" {
w.Header().Set("X-Content-Type-Options", "nosniff")
}
// Write the data
err := secureJSONWrite(w, data)
return err
}
// JSON contains the given interface object.
type JSON struct {
Data any
}
// IndentedJSON contains the given interface object.
type IndentedJSON struct {
Data any
}
// SecureJSON contains the given interface object and prefix.
type SecureJSON struct {
Prefix string
Data any
}
// JsonpJSON contains the given interface object its callback.
type JsonpJSON struct {
Callback string
Data any
}
// AsciiJSON contains the given interface object.
type AsciiJSON struct {
Data any
}
// PureJSON contains the given interface object.
type PureJSON struct {
Data any
}
var (
jsonContentType = []string{"application/json; charset=utf-8"}
jsonpContentType = []string{"application/javascript; charset=utf-8"}
jsonASCIIContentType = []string{"application/json"}
)
// Render (JSON) writes data with custom ContentType.
func (r JSON) Render(w http.ResponseWriter) error {
return WriteJSON(w, r.Data)
}
// WriteContentType (JSON) writes JSON ContentType.
func (r JSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}
// WriteJSON marshals the given interface object and writes it with custom ContentType.
func WriteJSON(w http.ResponseWriter, obj any) error {
writeContentType(w, jsonContentType)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.Marshal(obj)
if err != nil {
return err
}
err = secureJSONWrite(w, jsonBytes)
return err
}
// Render (IndentedJSON) marshals the given interface object and writes it with custom ContentType.
func (r IndentedJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.MarshalIndent(r.Data, "", " ")
if err != nil {
return err
}
err = secureJSONWrite(w, jsonBytes)
return err
}
// WriteContentType (IndentedJSON) writes JSON ContentType.
func (r IndentedJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}
// Render (SecureJSON) marshals the given interface object and writes it with custom ContentType.
func (r SecureJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
jsonBytes, err := json.Marshal(r.Data)
if err != nil {
return err
}
// if the jsonBytes is array values
if bytes.HasPrefix(jsonBytes, bytesconv.StringToBytes("[")) && bytes.HasSuffix(jsonBytes,
bytesconv.StringToBytes("]")) {
if err = secureJSONWrite(w, bytesconv.StringToBytes(r.Prefix)); err != nil {
return err
}
}
err = secureJSONWrite(w, jsonBytes)
return err
}
// WriteContentType (SecureJSON) writes JSON ContentType.
func (r SecureJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}
// Render (JsonpJSON) marshals the given interface object and writes it and its callback with custom ContentType.
func (r JsonpJSON) Render(w http.ResponseWriter) (err error) {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
ret, err := json.Marshal(r.Data)
if err != nil {
return err
}
if r.Callback == "" {
err = secureJSONWrite(w, ret)
return err
}
callback := template.JSEscapeString(r.Callback)
if err = secureJSONWrite(w, bytesconv.StringToBytes(callback)); err != nil {
return err
}
if err = secureJSONWrite(w, bytesconv.StringToBytes("(")); err != nil {
return err
}
if err = secureJSONWrite(w, ret); err != nil {
return err
}
if err = secureJSONWrite(w, bytesconv.StringToBytes(");")); err != nil {
return err
}
return nil
}
// WriteContentType (JsonpJSON) writes Javascript ContentType.
func (r JsonpJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonpContentType)
}
// Render (AsciiJSON) marshals the given interface object and writes it with custom ContentType.
func (r AsciiJSON) Render(w http.ResponseWriter) (err error) {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
ret, err := json.Marshal(r.Data)
if err != nil {
return err
}
var buffer bytes.Buffer
for _, r := range bytesconv.BytesToString(ret) {
cvt := string(r)
if r >= 128 {
cvt = fmt.Sprintf("\\u%04x", int64(r))
}
buffer.WriteString(cvt)
}
err = secureJSONWrite(w, buffer.Bytes())
return err
}
// WriteContentType (AsciiJSON) writes JSON ContentType.
func (r AsciiJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonASCIIContentType)
}
// Render (PureJSON) writes custom ContentType and writes data with custom ContentType.
func (r PureJSON) Render(w http.ResponseWriter) error {
r.WriteContentType(w)
// Add security header to prevent content sniffing
w.Header().Set("X-Content-Type-Options", "nosniff")
encoder := json.NewEncoder(w)
encoder.SetEscapeHTML(false)
return encoder.Encode(r.Data)
}
// WriteContentType (PureJSON) writes custom ContentType.
func (r PureJSON) WriteContentType(w http.ResponseWriter) {
writeContentType(w, jsonContentType)
}