Fix all gosec comments

digitalautonomy · Jun 6, 2020 · 4f8e43a · 4f8e43a
1 parent 21f4872
commit 4f8e43a
Show file tree

Hide file tree

Showing 9 changed files with 30 additions and 9 deletions.
diff --git a/.gosec.config.json b/.gosec.config.json
@@ -0,0 +1,5 @@
+{
+    "G104": {
+        "net/http.File": ["Close"]
+    }
+}
diff --git a/Makefile b/Makefile
@@ -29,7 +29,8 @@ deps:
 	go get -u github.com/modocache/gover
 	go get -u github.com/rosatolen/esc
 	go get -u golang.org/x/text/cmd/gotext
-	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOPATH_SINGLE)/bin v1.21.0
+	go get -u github.com/securego/gosec/cmd/gosec
+	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(GOPATH_SINGLE)/bin latest
 
 optional-deps:
 	go get -u github.com/rogpeppe/godef
@@ -97,7 +98,7 @@ lint:
 	golangci-lint run --disable-all -E golint ./...
 
 gosec:
-	golangci-lint run --disable-all -E gosec ./...
+	gosec -conf .gosec.config.json ./...
 
 ineffassign:
 	golangci-lint run --disable-all -E ineffassign ./...

diff --git a/client/binary.go b/client/binary.go
@@ -110,21 +110,25 @@ func (b *binary) remove() {
 	}
 }
 
+func closeAndIgnore(c io.Closer) {
+	_ = c.Close()
+}
+
 func (b *binary) copyBinaryToDir(destination string) error {
 	var err error
 	var srcfd *os.File
 
 	if srcfd, err = os.Open(b.path); err != nil {
 		return err
 	}
-	defer srcfd.Close()
+	defer closeAndIgnore(srcfd)
 
 	var dstfd *os.File
 
 	if dstfd, err = os.Create(destination); err != nil {
 		return err
 	}
-	defer dstfd.Close()
+	defer closeAndIgnore(dstfd)
 
 	if _, err = io.Copy(dstfd, srcfd); err != nil {
 		return err
@@ -287,6 +291,8 @@ func isThereAnAvailableBinary(path string) *binary {
 	}
 
 	bin := b.path
+	// This executes the tor command, which is under control of the code
+	/* #nosec G204 */
 	command := exec.Command(bin, "-h")
 
 	isBundle, env := checkLibsDependenciesInPath(b.path)

diff --git a/client/certificate.go b/client/certificate.go
@@ -181,7 +181,7 @@ func genCertInto(certFilename, keyFilename string) error {
 	if err != nil {
 		return err
 	}
-	defer file.Close()
+	defer closeAndIgnore(file)
 	err = pem.Encode(file, &certblk)
 	if err != nil {
 		return err
@@ -191,7 +191,7 @@ func genCertInto(certFilename, keyFilename string) error {
 	if err != nil {
 		return err
 	}
-	defer file.Close()
+	defer closeAndIgnore(file)
 	err = pem.Encode(file, &keyblk)
 	if err != nil {
 		return err
@@ -218,13 +218,15 @@ func generateTemporaryMumbleCertificate() (string, error) {
 
 	args := []string{"pkcs12", "-passout", "pass:", "-inkey", filepath.Join(dir, "key.pem"),
 		"-in", filepath.Join(dir, "cert.pem"), "-export", "-out", filepath.Join(dir, "transformed.p12")}
+	// This executes the openssl command. The args are completely under our control
+	/* #nosec G204 */
 	cmd := exec.Command("openssl", args...)
 	_, err = cmd.Output()
 	if err != nil {
 		return "", err
 	}
 
-	data, err := ioutil.ReadFile(filepath.Join(dir, "transformed.p12"))
+	data, err := ioutil.ReadFile(filepath.Clean(filepath.Join(dir, "transformed.p12")))
 	if err != nil {
 		return "", err
 	}

diff --git a/client/db.go b/client/db.go
@@ -96,7 +96,7 @@ func readBinaryContent(filename string) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer file.Close()
+	defer closeAndIgnore(file)
 
 	return ioutil.ReadAll(file)
 }
diff --git a/config/file.go b/config/file.go
@@ -56,7 +56,7 @@ func ReadFileOrTemporaryBackup(name string) (data []byte, e error) {
 		}
 		return
 	}
-	return ioutil.ReadFile(name + tmpExtension)
+	return ioutil.ReadFile(filepath.Clean(name + tmpExtension))
 }
 
 // Dir returns the default config directory for Wahay

diff --git a/tor/binary.go b/tor/binary.go
@@ -351,6 +351,9 @@ func listPossibleTorBinary(path string) []string {
 
 func (b *binary) start(configFile string) (*runningTor, error) {
 	ctx, cancelFunc := context.WithCancel(context.Background())
+	// This is safe since we control both the path and the configFile argument - there is
+	// no user input to these
+	/* #nosec G204 */
 	cmd := exec.CommandContext(ctx, b.path, "-f", configFile)
 
 	if b.isBundle && len(b.env) > 0 {

diff --git a/tor/facades.go b/tor/facades.go
@@ -135,6 +135,8 @@ func (*realExecImplementation) LookPath(s string) (string, error) {
 }
 
 func (*realExecImplementation) ExecWithModify(bin string, args []string, cm ModifyCommand) ([]byte, error) {
+	// This executes the tor command, which is under control of the code
+	/* #nosec G204 */
 	cmd := exec.Command(bin, args...)
 
 	if cm != nil {

diff --git a/tor/instance.go b/tor/instance.go
@@ -291,6 +291,8 @@ type ModifyCommand func(*exec.Cmd)
 
 func (i *instance) exec(command string, args []string, pre ModifyCommand) (*RunningCommand, error) {
 	ctx, cancelFunc := context.WithCancel(context.Background())
+	// This executes the tor command, and the args which are both under control of the code
+	/* #nosec G204 */
 	cmd := exec.CommandContext(ctx, command, args...)
 
 	pathTorsocks, err := findLibTorsocks(i.pathTorsocks)
-Original file line number
+Diff line change
@@ Expand Up @@
     		}
     		return
     	}
-    	return ioutil.ReadFile(name + tmpExtension)
+    	return ioutil.ReadFile(filepath.Clean(name + tmpExtension))
     }
     // Dir returns the default config directory for Wahay
@@ Expand Down @@