GHSA-4mhv-8rh3-4ghw

### Impact
We found two instances in the DragonFly codebase where the first return value of a function is dereferenced even when the function returns an error (figures 9.1 and 9.2). This can result in a nil dereference, and cause code to panic. The codebase may contain additional instances of the bug.

```golang
request, err := source.NewRequestWithContext(ctx, parentReq.Url,
parentReq.UrlMeta.Header)
if err != nil {
log.Errorf("generate url [%v] request error: %v", request.URL, err)
span.RecordError(err)
return err
}
```

Eve is a malicious actor operating a peer machine. She sends a dfdaemonv1.DownRequest request to her peer Alice. Alice’s machine receives the request, resolves a nil variable in the server.Download method, and panics.

### Patches

- Dragonfy v2.1.0 and above.

### Workarounds

There are no effective workarounds, beyond upgrading.

### References

A third party security audit was performed by Trail of Bits, you can see the [full report](https://github.com/dragonflyoss/dragonfly/blob/main/docs/security/dragonfly-comprehensive-report-2023.pdf).

If you have any questions or comments about this advisory, please email us at [[email protected]](mailto:[email protected]).