add gosec scanning to ci (#1349)

gosec severity=medium passes, all severity=low errors are from unhandled errors, we have 107 of them. tbh it doesn't look worth it to me, but maybe there are a few assholes even itchier than mine out there. medium has some good stuff in it, and of course high makes sense if we're gonna do this at all. this adds some nosec annotations for some things like sql sprintfs where we know it's clean (we're constructing the strings with variables in them). fixed up other spots where we were sprinting without need. some stuff like filepath.Clean when opening a file from a variable, and file permissions, easy stuff... I can't get the CI build to shut up, but I can locally get it to be pretty quiet about imports and it just outputs the gosec output. fortunately, it still works as expected even when it's noisy. I got it to shut up by unsetting some of the go mod flags locally, but that doesn't seem to quite do it in circle, printed the env out and don't see them, so idk... i give up, this works closes #1303
2022-10-28 21:29:17 +03:00 · 2018-12-13 17:57:25 -08:00
parent 35b4213d82
commit d85fadb142
15 changed files with 64 additions and 42 deletions
--- a/api/common/logging.go
+++ b/api/common/logging.go
@@ -83,7 +83,7 @@ func SetLogDest(to, prefix string) {
 			return
 		}
 	case "file":
-		f, err := os.OpenFile(parsed.Path, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0666)
+		f, err := os.OpenFile(parsed.Path, os.O_RDWR|os.O_APPEND|os.O_CREATE, 0600)
 		if err != nil {
 			logrus.WithError(err).WithFields(logrus.Fields{"to": to, "path": parsed.Path}).Error("cannot open file, defaulting to stderr")
 			return
--- a/api/common/tls_utils.go
+++ b/api/common/tls_utils.go
@@ -10,7 +10,7 @@ import (
 	"path/filepath"
 )

-// A simple TLS Config generator using cert/key
+// NewTLSSimple creates a new tls config with the given cert and key file paths
 func NewTLSSimple(certPath, keyPath string) (*tls.Config, error) {

 	err := checkFile(certPath)
@@ -34,7 +34,7 @@ func NewTLSSimple(certPath, keyPath string) (*tls.Config, error) {
 	}, nil
 }

-// Add a Client CA
+// AddClientCA adds a client cert to the given tls config
 func AddClientCA(tlsConf *tls.Config, clientCAPath string) error {

 	err := checkFile(clientCAPath)
@@ -42,7 +42,7 @@ func AddClientCA(tlsConf *tls.Config, clientCAPath string) error {
 		return err
 	}
 	// Create a certificate pool from the certificate authority
-	authority, err := ioutil.ReadFile(clientCAPath)
+	authority, err := ioutil.ReadFile(filepath.Clean(clientCAPath))
 	if err != nil {
 		return fmt.Errorf("Could not read client CA (%s) certificate: %s", clientCAPath, err)
 	}
@@ -58,7 +58,7 @@ func AddClientCA(tlsConf *tls.Config, clientCAPath string) error {
 	return nil
 }

-// Add CA
+// AddCA adds a ca cert to the given tls config
 func AddCA(tlsConf *tls.Config, caPath string) error {

 	err := checkFile(caPath)
@@ -66,7 +66,7 @@ func AddCA(tlsConf *tls.Config, caPath string) error {
 		return err
 	}

-	ca, err := ioutil.ReadFile(caPath)
+	ca, err := ioutil.ReadFile(filepath.Clean(caPath))
 	if err != nil {
 		return fmt.Errorf("could not read ca (%s) certificate: %s", caPath, err)
 	}