fix code warnning

FriendlyCM · FriendlyCM · commit b87c88bc742f · 2025-04-16T11:06:51.000+08:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [main, develop, release_*]
 
+# Add explicit permissions - restrict to only what's needed
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/docker-s3-deploy.yml b/.github/workflows/docker-s3-deploy.yml
@@ -10,6 +10,11 @@ on:
         description: 'AWS region for the S3 bucket (e.g., ap-southeast-1)'
         required: true  # Makes the input mandatory
 
+# Add explicit permissions - restrict to only what's needed
+permissions:
+  contents: read
+  id-token: write  # Needed for AWS credential provider
+
 jobs:
   build-and-sign:
     runs-on: ubuntu-latest
diff --git a/tools/toolkit/src/main/java/org/tron/plugins/DbQuery.java b/tools/toolkit/src/main/java/org/tron/plugins/DbQuery.java
@@ -682,8 +682,8 @@ private long computeReward(long cycle, List<Pair<byte[], Long>> votes) {
         continue;
       }
       long userVote = vote.getValue();
-      double voteRate = (double) userVote / totalVote;
-      reward += voteRate * totalReward;
+      // Replace floating-point division with integer-based calculation
+      reward += (userVote * totalReward) / totalVote;
     }
     return reward;
   }
diff --git a/tools/trond/utils/http.go b/tools/trond/utils/http.go
@@ -445,8 +445,17 @@ func ExtractTgzWithStatus(tgzFile, destDir string) error {
 			return fmt.Errorf("error reading tar: %v", err)
 		}
 
+		sanitizedName := filepath.Clean(header.Name)
+		if strings.Contains(sanitizedName, "..") || strings.HasPrefix(sanitizedName, "/") || strings.HasPrefix(sanitizedName, "../") {
+			return fmt.Errorf("invalid file path in archive: %s", header.Name)
+		}
+
 		// Target file path
-		target := filepath.Join(destDir, header.Name)
+		target := filepath.Join(destDir, sanitizedName)
+		// Ensure the target path is still within the destination directory
+		if !strings.HasPrefix(target, filepath.Clean(destDir)+string(os.PathSeparator)) {
+			return fmt.Errorf("attempted directory traversal: %s", header.Name)
+		}
 
 		switch header.Typeflag {
 		case tar.TypeDir:
@@ -498,6 +507,12 @@ func ExtractTgzWithStatus(tgzFile, destDir string) error {
 		case tar.TypeLink:
 			// Create hard link
 			linkTarget := filepath.Join(destDir, header.Linkname)
+			// Sanitize the link target to prevent directory traversal
+			sanitizedLinkTarget := filepath.Clean(linkTarget)
+			if !strings.HasPrefix(sanitizedLinkTarget, filepath.Clean(destDir)+string(os.PathSeparator)) {
+				return fmt.Errorf("attempted directory traversal in hard link: %s -> %s", header.Name, header.Linkname)
+			}
+
 			if err := os.Link(linkTarget, target); err != nil {
 				return fmt.Errorf("failed to create hard link: %v", err)
 			}

Original file line number	Diff line number	Diff line change
`@@ -682,8 +682,8 @@ private long computeReward(long cycle, List<Pair<byte[], Long>> votes) {`
`682`	`682`	`continue;`
`683`	`683`	`}`
`684`	`684`	`long userVote = vote.getValue();`
`685`		`- double voteRate = (double) userVote / totalVote;`
`686`		`- reward += voteRate * totalReward;`
	`685`	`+ // Replace floating-point division with integer-based calculation`
	`686`	`+ reward += (userVote * totalReward) / totalVote;`
`687`	`687`	`}`
`688`	`688`	`return reward;`
`689`	`689`	`}`