fix: Modify the pure-ftpd encryption method

[ssongliu]

No description provided.

[f2c-ci-robot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[wanghe-fit2cloud]

The provided Go code appears to be an implementation of bcrypt-like password hashing with some optimizations. It uses SHA-512 for cryptographic operations and includes features like customizable work factors.

Here's a summary of the main points:

Key Features:

1. Password Hashing: The Generate function takes a key and produces a hashed string using a custom algorithm similar tobcrypt.
2. Work Factor (Rounds): Users can specify the number of rounds when generating the hash.
3. SALT Handling: Both default values of 5000 rounds and user-specified values are supported.
4. Base64 Encoding: Custom algorithms for encoding hashes are implemented in the base64_24Bit function.
5. Security Considerations:
   • Uses secure random numbers from rand.Read.
   • Ensures that no memory is left unchanged after processing if a bug were found.

Optimization Suggestions:

1. Efficient Memory Management: While not explicitly shown, the code maintains proper memory management by resetting variables at the end of each iteration where state might change.

2. Avoid Redundant Calculations:

   • Only perform operations necessary for each round. For example, avoid recalculating parts of P_sum within the loop.

3. Inline Constants:

   • Instead of using constants defined as strings, it would improve readability to use named types or direct integer literals where possible, such as defining MagicPrefix as a byte slice instead of a literal string.

4. Test Cases: Adding test cases for various scenarios like different work factor settings and edge cases (e.g., empty string keys) would greatly enhance confidence in its correctness and robustness.

In conclusion, this code provides a good foundation for bcrypt-like password hashing but could benefit slightly improved efficiency and security through better practices in memory management and constant handling.

[wanghe-fit2cloud]

There are several areas of concerns and improvements in the provided FTP-related Go code:

1. Duplicate Functionality: The LoadList function performs almost identical logic for both users and groups, which is unnecessary and can be streamlined.

2. Error Handling: While some error handling is present, it could be more informative or centralized to reduce redundancy and improve readability.

3. Resource Management: The use of deferred statements for closing files like /etc/pure-ftpd/passwd ensures that resources are properly cleaned up at the end of their scope, but this pattern might not consistently follow throughout the file.

4. Comments and Descriptions: Comments should be added to explain complex constructs, especially since they are currently brief or missing altogether.

5. Code Duplication with loadLogsByFiles: This function handles reading files containing log data based on various conditions. It should be moved into its own helper package or module if there's common functionality elsewhere in the project (e.g., similar parsing across different types of logs).

6. Security Considerations: There seems to be no specific security measures implemented for handling passwords securely within the context of this application. Directly using input from users without hashing could introduce significant vulnerabilities if exposed to attacks.

Here are concise optimizations and suggestions based on these points:

--- original-file.go.orig	2021-09-01 00:00:00 Z
+++ modified-file.go	2025-04-03 00:00:00 Z
@@ -78,7 +78,7 @@
 	"github.com/gofrs/flock"
 	"sync"
 )

-package toolbox

+import "path/filepath"

 // Define structs and constants here...

 func (f *Ftp) LoadList() ([]*FtpListItem, error) { // Change return type to []*FtpListItem
@@ -155,7 +155,7 @@ type FtpClient interface {
 }

-func (f *Ftp) LoadList() ([]FtpList, error) {
+fncount = 0 // Introduce a variable to count iterations
	count := 0

Explanation:

• Replace generic list with structured items (struct) to improve clarity.
• Use defer statement to close files only after operations are completed.
• Add comments to functions explaining purpose and parameters.
• Implement proper resource management for temporary files.
• Remove redundant comments.
• Provide example usage or add unit tests where applicable.

[wanghe-fit2cloud]

The code appears to be making several changes to the pure-ftpd configuration file /etc/pure-ftpd/pure-ftpd.conf. Here are some observations, potential issues, and optimizations:

Potential Issues:

• Comments: The script does not remove existing comments from lines before updating them.
• File Handling: There is no error checking for the existence of temporary files or directories created during copying.

Optimizations:

1. Avoid Redundant Backticks: Replace backticks () with modern quotes (single ' or double ") for variable expansion.

   cp "$PURE_FTPD_CONF" "$PURE_FTPD_CONF.bak"

2. Consistent Space Removal: Use consistent whitespace replacement patterns in the sed commands.

   sed -i 's/^NoAnonymous[[:space:]]\+no$/NoAnonymous yes/g' "$PURE_FTPD_CONF"
   s#^PAMAuthentication[[:space:]]\+yes$#PAMAuthentication no#g' "$PURE_FTPD_CONF"
   # ... add more similar adjustments ...

3. Ensure Backup File Existence: Add checks to ensure that the backup file exists after copying.

   if [ ! -f "$PURE_FTPD_CONF.bak" ]; then
       echo "Failed to create backup of $PURE_FTPD_CONF."
       exit 1
   fi

4. Remove Unnecessary Directories: Ensure that no unnecessary directories exist before linking.

   rmdir /tmp/mydir || true

5. Consistent Variable Naming: If applicable, use more descriptive variables to improve readability.

   FTP_CONFIG_FILE="/etc/pure-ftpd/pureftpd.conf"
   BAK_FILE="$FTP_CONFIG_FILE.bak"
   
   # Instead of using $PURE_FTPD_CONF directly within multiple calls
   mv "$BAK_FILE.new" "$BAK_FILE.old"$ #
   mv "$BAK_FILE.old" "$FTP_CONFIG_FILE.original"
   rm "$BAK_FILE.new"

6. Use Appropriate Permissions and Ownership:

   chown root:root "$BAK_FILE.bak"
   chmod 600 "$BAK_FILE.bak"

By addressing these points, you can make the script cleaner and less error-prone. Here's an updated version incorporating many of the suggested improvements:

#!/bin/bash

echo "配置 Pure-FTPd..."

PURE_FTPD_CONF="/etc/pure-ftpd/pure-ftpd.conf"
if [ -f "$PURE_FTPD_CONF" ]; then
    local BAK_FILE="$PURE_FTPD_CONF.bak"
    
    # Create backup before modifying original file
    cp "$PURE_FTPD_CONF" "$BAB_FILE"
    if [ $? -ne 0 ]; then
        echo " Failed to copy $PURE_FTPD_CONF to $BAK_FILE."
        exit 1
    fi
    
    # Update config file content via sed
    sed -i 's/^NoAnonymous[[:space:]]\+no$/NoAnonymous yes/g' "$BAK_FILE"
    sed -i 's/^PAMAuthentication[[:space:]]\+yes$//g' "$BAK_FILE"
    sed -i 's/^# PassivePortRange[[:space:]]\+30000 50000$/PassivePortRange 39000 40000/' "$BAK_FILE"
    sed -i 's/^VerboseLog[[:space:]]\+no$/VerboseLog yes/g' "$BAK_FILE"
    sed -i 's/^# PureDB[[:space:]]\+\/etc\/pure-ftpd\/pureftpd\.pdb[[:space:]]*$/PureDB \/etc\/pure-ftpd\/pureftpd.pdb/' "$BAK_FILE"
else
    touch "/etc/pure-ftpd/conf/PureDB"
    echo yes > /etc/pure-ftpd/conf/VerboseLog 
    echo yes > /etc/pure-ftpd/conf/NoAnonymous
    echo '39000 40000' > /etc/pure-ftpd/conf/PassivePortRange
+    echo 'no' > /etc/pure-ftpd/conf/PAMAuthentication
+    echo 'no' > /etc/pure-ftpd/conf/UnixAuthentication
+    echo 'clf:/var/log/pure-ftpd/transfer.log' > /etc/pure-ftpd/conf/AltLog
     ln -s /etc/pure-ftpd/conf/PureDB /etc/pure-ftpd/auth/50puredb
fi

# Apply permissions to the backup file
chown root:root "$BAK_FILE"
chmod 600 "$BAK_FILE"

exit 0

These improvements enhance the clarity, reliability, and maintainability of the script.

[sonarqubecloud]

Quality Gate passed

Issues
10 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[wanghe-fit2cloud]

/lgtm

[wanghe-fit2cloud]

/approve

[f2c-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wanghe-fit2cloud

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wanghe-fit2cloud]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment