Fix CodeQL code scanning alerts (#36858)

Fixes 10 CodeQL code scanning alerts:

- Change `NewPagination`/`SetLinkHeader` to accept `int64` for total
count, clamping internally to fix incorrect-integer-conversion alerts
([#110](https://github.com/go-gitea/gitea/security/code-scanning/110),
[#114](https://github.com/go-gitea/gitea/security/code-scanning/114),
[#115](https://github.com/go-gitea/gitea/security/code-scanning/115),
[#116](https://github.com/go-gitea/gitea/security/code-scanning/116))
- Use `strconv.Atoi()` in `htmlrenderer.go` to avoid int64 intermediate
([#105](https://github.com/go-gitea/gitea/security/code-scanning/105),
[#106](https://github.com/go-gitea/gitea/security/code-scanning/106))
- Clamp regex match indices in `escape_stream.go` to fix
allocation-size-overflow
([#161](https://github.com/go-gitea/gitea/security/code-scanning/161),
[#162](https://github.com/go-gitea/gitea/security/code-scanning/162),
[#163](https://github.com/go-gitea/gitea/security/code-scanning/163))
- Cap slice pre-allocation in `GetIssueDependencies`
([#181](https://github.com/go-gitea/gitea/security/code-scanning/181))

---------

Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
silverwind
2026-03-08 15:35:50 +01:00
committed by GitHub
parent 3f1ef703d5
commit 0724344a8a
70 changed files with 155 additions and 168 deletions


@@ -61,12 +61,14 @@ func (e *escapeStreamer) Text(data string) error {
until = len(data)
next = until
} else {
until, next = nextIdxs[0]+pos, nextIdxs[1]+pos
until = min(nextIdxs[0]+pos, len(data))
next = min(nextIdxs[1]+pos, len(data))
}
// from pos until we know that the runes are not \r\t\n or even ' '
runes := make([]rune, 0, next-until)
positions := make([]int, 0, next-until+1)
n := next - until
runes := make([]rune, 0, n)
positions := make([]int, 0, n+1)
for pos < until {
r, sz := utf8.DecodeRune(dataBytes[pos:])
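Review bot: The new `n := next - until` line is used as a `make` capacity but nothing states why it cannot be negative, which is exactly the property the scanner was unsure about; a short comment would close the loop, e.g. `// n >= 0: nextIdxs[0] <= nextIdxs[1] and both are clamped to len(data) above`. That ordering presumably holds because nextIdxs comes from a regexp index lookup on data[pos:], which this hunk does not show, so it is worth confirming at the lookup site. The enclosing escapeStreamer.Text starts before the hunk and its loop body continues past it.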


@@ -24,7 +24,7 @@ func indexSettingToGitGrepPathspecList() (list []string) {
return list
}
func PerformSearch(ctx context.Context, page int, repoID int64, gitRepo *git.Repository, ref git.RefName, keyword string, searchMode indexer.SearchModeType) (searchResults []*code_indexer.Result, total int, err error) {
func PerformSearch(ctx context.Context, page int, repoID int64, gitRepo *git.Repository, ref git.RefName, keyword string, searchMode indexer.SearchModeType) (searchResults []*code_indexer.Result, total int64, err error) {
grepMode := git.GrepModeWords
switch searchMode {
case indexer.SearchModeExact:
@@ -47,7 +47,7 @@ func PerformSearch(ctx context.Context, page int, repoID int64, gitRepo *git.Rep
return nil, 0, fmt.Errorf("gitRepo.GetRefCommitID: %w", err)
}
total = len(res)
total = int64(len(res))
pageStart := min((page-1)*setting.UI.RepoSearchPagingNum, len(res))
pageEnd := min(page*setting.UI.RepoSearchPagingNum, len(res))
res = res[pageStart:pageEnd]
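Review bot: The widened `total int64` result in the first hunk is assigned from `len(res)` before `res` is cut down to the page, so it is the unpaginated match count, but the function carries no doc comment saying so; a line above `func PerformSearch` such as `// PerformSearch runs a git-grep search over the repository and returns the results for the requested page together with the total number of matches before pagination.` would make the contract explicit. On the context lines after the assignment, `(page-1)*setting.UI.RepoSearchPagingNum` goes negative for page <= 0 and the following slice expression would panic; presumably callers normalize page, but a `page = max(page, 1)` guard at the top of the function would be cheap. PerformSearch's body continues outside the hunk.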


@@ -130,7 +130,7 @@ func searchResult(result *internal.SearchResult, startIndex, endIndex int) (*Res
}
// PerformSearch perform a search on a repository
func PerformSearch(ctx context.Context, opts *SearchOptions) (int, []*Result, []*SearchResultLanguages, error) {
func PerformSearch(ctx context.Context, opts *SearchOptions) (int64, []*Result, []*SearchResultLanguages, error) {
if opts == nil || len(opts.Keyword) == 0 {
return 0, nil, nil, nil
}
@@ -149,5 +149,5 @@ func PerformSearch(ctx context.Context, opts *SearchOptions) (int, []*Result, []
return 0, nil, nil, err
}
}
return int(total), displayResults, resultLanguages, nil
return total, displayResults, resultLanguages, nil
}
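Review bot: The doc comment in the first hunk, `// PerformSearch perform a search on a repository`, has a grammar slip and says nothing about the three values the changed signature returns; something like `// PerformSearch performs a search on a repository and returns the total number of matches, the matching results and the language breakdown; a nil opts or empty keyword yields zero results and no error.` would document the early return visible just below it. The second hunk's `return total, displayResults, resultLanguages, nil` presumably works because total is already an int64 from the indexer, which is outside this view. Both hunks belong to a function whose body is mostly outside SOURCE.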


@@ -89,7 +89,7 @@ func (p *templateErrorPrettier) handleGenericTemplateError(err error) string {
return ""
}
tmplName, lineStr, message := groups[1], groups[2], groups[3]
return p.makeDetailedError(message, tmplName, lineStr, -1, "")
return p.makeDetailedError(message, tmplName, lineStr, "", "")
}
var reFuncNotDefinedError = regexp.MustCompile(`^template: (.*):([0-9]+): (function "(.*)" not defined)`)
@@ -101,7 +101,7 @@ func (p *templateErrorPrettier) handleFuncNotDefinedError(err error) string {
}
tmplName, lineStr, message, funcName := groups[1], groups[2], groups[3], groups[4]
funcName, _ = strconv.Unquote(`"` + funcName + `"`)
return p.makeDetailedError(message, tmplName, lineStr, -1, funcName)
return p.makeDetailedError(message, tmplName, lineStr, "", funcName)
}
var reUnexpectedOperandError = regexp.MustCompile(`^template: (.*):([0-9]+): (unexpected "(.*)" in operand)`)
@@ -113,7 +113,7 @@ func (p *templateErrorPrettier) handleUnexpectedOperandError(err error) string {
}
tmplName, lineStr, message, unexpected := groups[1], groups[2], groups[3], groups[4]
unexpected, _ = strconv.Unquote(`"` + unexpected + `"`)
return p.makeDetailedError(message, tmplName, lineStr, -1, unexpected)
return p.makeDetailedError(message, tmplName, lineStr, "", unexpected)
}
var reExpectedEndError = regexp.MustCompile(`^template: (.*):([0-9]+): (expected end; found (.*))`)
@@ -124,7 +124,7 @@ func (p *templateErrorPrettier) handleExpectedEndError(err error) string {
return ""
}
tmplName, lineStr, message, unexpected := groups[1], groups[2], groups[3], groups[4]
return p.makeDetailedError(message, tmplName, lineStr, -1, unexpected)
return p.makeDetailedError(message, tmplName, lineStr, "", unexpected)
}
var (
@@ -154,20 +154,20 @@ func HandleTemplateRenderingError(err error) string {
const dashSeparator = "----------------------------------------------------------------------"
func (p *templateErrorPrettier) makeDetailedError(errMsg, tmplName string, lineNum, posNum any, target string) string {
func (p *templateErrorPrettier) makeDetailedError(errMsg, tmplName, lineNumStr, posNumStr, target string) string {
code, layer, err := p.assets.ReadLayeredFile(tmplName + ".tmpl")
if err != nil {
return fmt.Sprintf("template error: %s, and unable to find template file %q", errMsg, tmplName)
}
line, err := util.ToInt64(lineNum)
line, err := strconv.Atoi(lineNumStr)
if err != nil {
return fmt.Sprintf("template error: %s, unable to parse template %q line number %q", errMsg, tmplName, lineNum)
return fmt.Sprintf("template error: %s, unable to parse template %q line number %s", errMsg, tmplName, lineNumStr)
}
pos, err := util.ToInt64(posNum)
pos, err := strconv.Atoi(util.IfZero(posNumStr, "-1"))
if err != nil {
return fmt.Sprintf("template error: %s, unable to parse template %q pos number %q", errMsg, tmplName, posNum)
return fmt.Sprintf("template error: %s, unable to parse template %q pos number %s", errMsg, tmplName, posNumStr)
}
detail := extractErrorLine(code, int(line), int(pos), target)
detail := extractErrorLine(code, line, pos, target)
var msg string
if pos >= 0 {
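Review bot: The two error messages in the last hunk switch from `%q` to `%s` for `lineNumStr` and `posNumStr`, which drops the quoting of the very value that failed to parse (an empty or whitespace-only string becomes invisible in the output); now that both parameters are plain strings `%q` is the natural verb, e.g. `return fmt.Sprintf("template error: %s, unable to parse template %q line number %q", errMsg, tmplName, lineNumStr)` and likewise for the pos message. The `strconv.Atoi(util.IfZero(posNumStr, "-1"))` round-trip encodes "no position" as a string only to parse it straight back; initializing `pos := -1` and calling `strconv.Atoi` only when `posNumStr != ""` would make the sentinel explicit and skip the extra parse. makeDetailedError continues past the end of the hunk, so the `if pos >= 0` branch that consumes the sentinel is not visible here.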