Address some CodeQL security concerns (#35572)

Although there is no real security problem

services/context/access_log.go

@@ -10,6 +10,7 @@ import (
 	"strings"
 	"text/template"
 	"time"
+	"unicode"
 
 	user_model "code.gitea.io/gitea/models/user"
 	"code.gitea.io/gitea/modules/log"
@@ -37,6 +38,16 @@ const keyOfRequestIDInTemplate = ".RequestID"
 // So, we accept a Request ID with a maximum character length of 40
 const maxRequestIDByteLength = 40
 
+func isSafeRequestID(id string) bool {
+	for _, r := range id {
+		safe := unicode.IsPrint(r)
+		if !safe {
+			return false
+		}
+	}
+	return true
+}
+
 func parseRequestIDFromRequestHeader(req *http.Request) string {
 	requestID := "-"
 	for _, key := range setting.Log.RequestIDHeaders {
@@ -45,6 +56,9 @@ func parseRequestIDFromRequestHeader(req *http.Request) string {
 			break
 		}
 	}
+	if !isSafeRequestID(requestID) {
+		return "-"
+	}
 	if len(requestID) > maxRequestIDByteLength {
 		requestID = requestID[:maxRequestIDByteLength] + "..."
 	}

services/context/access_log_test.go

@@ -69,3 +69,8 @@ func TestAccessLogger(t *testing.T) {
 	recorder.record(time.Date(2000, 1, 2, 3, 4, 5, 0, time.UTC), &testAccessLoggerResponseWriterMock{}, req)
 	assert.Equal(t, []string{`remote-addr - - [02/Jan/2000:03:04:05 +0000] "GET /path https" 200 123123 "referer" "user-agent"`}, mockLogger.logs)
 }
+
+func TestAccessLoggerRequestID(t *testing.T) {
+	assert.False(t, isSafeRequestID("\x00"))
+	assert.True(t, isSafeRequestID("a b-c"))
+}

services/context/base_path.go

@@ -37,6 +37,11 @@ func (b *Base) PathParamInt64(p string) int64 {
 	return v
 }
 
+func (b *Base) PathParamInt(p string) int {
+	v, _ := strconv.Atoi(b.PathParam(p))
+	return v
+}
+
 // SetPathParam set request path params into routes
 func (b *Base) SetPathParam(name, value string) {
 	if strings.HasPrefix(name, ":") {