From 788d1e30eaa91ca9472b448fc189c56049e8b050 Mon Sep 17 00:00:00 2001
From: Muthu Sundaravadivel
Date: Wed, 17 Jun 2026 22:33:11 +0530
Subject: [PATCH 1/3] gosec's taint analysis considers req.Method to be untrusted user input and sees it being written directly into an HTTP response
Signed-off-by: Muthu Sundaravadivel
---
 .../fabric/example/SimpleChaincode.class | Bin 0 -> 1656 bytes
 pkg/filetransfer/handler.go | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 integration/testdata/java-chaincode/source/target/classes/main/java/org/hyperledger/fabric/example/SimpleChaincode.class
diff --git a/integration/testdata/java-chaincode/source/target/classes/main/java/org/hyperledger/fabric/example/SimpleChaincode.class b/integration/testdata/java-chaincode/source/target/classes/main/java/org/hyperledger/fabric/example/SimpleChaincode.class
new file mode 100644
index 0000000000000000000000000000000000000000..cc7c79056247b2efceef45e894916f0e81bf2c78
GIT binary patch
literal 1656 zcmbtUO>fgc5Ph4babg06QVQkMEiEJ*;tL1VR6P)Zgk*6br4m92ZJfnfYJ1JviP|F) z|An7`1QOi&QHWWmpVU>`a2e08XWzV;x3j#HbIaq60%G7el%1#O1Pnv7+(&M?(zZZecRdBzJ2Gdb0eQ{*$Pm9F99R@KSY#CauQ{ZeHHfHLuaGBv+!#gOYn`x@OZAzW-WGr3| zqn^+koY*tWddlbFCfCxecQ?z~K&A|<-lY0blgp;Z4DTAb9*6p{C;d?wyV;xWTY^sz4;Uj7MsV>W$9BXWYbLCPUYgX?A{o47IKdVxA2(<^KF1xz~;h zx;_b?N?(K`BQn#UhC=Ued zv-NMd^ov#{Tp?S@|Ih%CUmr)|D&}ZK$m+xuKhwI_4w6e8W30BNfb>FxwbqXMKF?!npZ@FP<2K%=4#f5{Py3MEq9*d^RI NeV}v8cz_0Ke*v9do(=#2 literal 0 HcmV?d00001
diff --git a/pkg/filetransfer/handler.go b/pkg/filetransfer/handler.go
index 54a5a14..6bb19d5 100644
--- a/pkg/filetransfer/handler.go
+++ b/pkg/filetransfer/handler.go
@@ -97,7 +97,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 default:
 w.WriteHeader(http.StatusBadRequest)
- fmt.Fprintf(w, "unsupported method: %s", req.Method)
+ http.Error(w, "unsupported method", http.StatusMethodNotAllowed)
 }
 }
From 8bbc0051a04b6dad1ca4fc35ae40daa9318e2584 Mon Sep 17 00:00:00 2001
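Review bot: The context line `w.WriteHeader(http.StatusBadRequest)` directly above the new `http.Error` call still runs first, so http.Error's own WriteHeader(405) is a superfluous call (net/http logs "http: superfluous response.WriteHeader call") and the Content-Type and X-Content-Type-Options: nosniff headers that http.Error sets are never sent; clients still receive a 400 with the plain body. Remove the WriteHeader line and let http.Error set the status, and since 405 is now the intent, precede it with `w.Header().Set("Allow", "<methods handled by the other switch cases>")`, which RFC 9110 requires for a 405 response. The other switch cases and the rest of ServeHTTP are outside the hunk, so the allowed method list is not visible here.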
From: Muthu Sundaravadivel
Date: Wed, 17 Jun 2026 22:42:35 +0530
Subject: [PATCH 2/3] suppress
Signed-off-by: Muthu Sundaravadivel
---
 pkg/filetransfer/handler.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/filetransfer/handler.go b/pkg/filetransfer/handler.go
index 6bb19d5..d7840c7 100644
--- a/pkg/filetransfer/handler.go
+++ b/pkg/filetransfer/handler.go
@@ -97,7 +97,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 default:
 w.WriteHeader(http.StatusBadRequest)
- http.Error(w, "unsupported method", http.StatusMethodNotAllowed)
+ // #nosec G705 -- intentional reflection of HTTP method
+ fmt.Fprintf(w, "unsupported method: %s", req.Method)
 }
 }
From dd3859e903f4c8fbb63bee584cf15774d382c42f Mon Sep 17 00:00:00 2001
From: Muthu Sundaravadivel
Date: Wed, 17 Jun 2026 23:42:53 +0530
Subject: [PATCH 3/3] remove unwanted build class files
Signed-off-by: Muthu Sundaravadivel
---
 .../fabric/example/SimpleChaincode.class | Bin 1656 -> 0 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 delete mode 100644 integration/testdata/java-chaincode/source/target/classes/main/java/org/hyperledger/fabric/example/SimpleChaincode.class
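Review bot: The added `#nosec G705` comment says the reflection of req.Method is intentional but not why it is safe, which is what the next reader of the suppression needs, and the response still carries no explicit Content-Type, so the body is content-sniffed. Set `w.Header().Set("Content-Type", "text/plain; charset=utf-8")` above the `w.WriteHeader` context line (headers set after it are not sent) and use the quoting verb so the echoed value is escaped: `fmt.Fprintf(w, "unsupported method: %q", req.Method)`. Expand the justification to state the grounds, e.g. `// #nosec G705 -- when served by net/http, req.Method has been validated as an HTTP token (no whitespace, quotes or angle brackets) and is echoed into a text/plain body, so it cannot be rendered as markup`. This patch also undoes the http.Error/405 change of patch 1, so across the series only the comment survives; the commit message "suppress" should say that. ServeHTTP begins outside the hunk.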
diff --git a/integration/testdata/java-chaincode/source/target/classes/main/java/org/hyperledger/fabric/example/SimpleChaincode.class b/integration/testdata/java-chaincode/source/target/classes/main/java/org/hyperledger/fabric/example/SimpleChaincode.class deleted file mode 100644 index cc7c79056247b2efceef45e894916f0e81bf2c78..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1656 zcmbtUO>fgc5Ph4babg06QVQkMEiEJ*;tL1VR6P)Zgk*6br4m92ZJfnfYJ1JviP|F) z|An7`1QOi&QHWWmpVU>`a2e08XWzV;x3j#HbIaq60%G7el%1#O1Pnv7+(&M?(zZZecRdBzJ2Gdb0eQ{*$Pm9F99R@KSY#CauQ{ZeHHfHLuaGBv+!#gOYn`x@OZAzW-WGr3| zqn^+koY*tWddlbFCfCxecQ?z~K&A|<-lY0blgp;Z4DTAb9*6p{C;d?wyV;xWTY^sz4;Uj7MsV>W$9BXWYbLCPUYgX?A{o47IKdVxA2(<^KF1xz~;h zx;_b?N?(K`BQn#UhC=Ued zv-NMd^ov#{Tp?S@|Ih%CUmr)|D&}ZK$m+xuKhwI_4w6e8W30BNfb>FxwbqXMKF?!npZ@FP<2K%=4#f5{Py3MEq9*d^RI NeV}v8cz_0Ke*v9do(=#2