mirror of
https://github.com/Kyren223/eko.git
synced 2026-03-10 01:45:36 +00:00
Fixed all high and medium security issues from gosec
This commit is contained in:
@@ -8,7 +8,7 @@ import (
|
||||
)
|
||||
|
||||
func main() {
|
||||
logFile, err := os.OpenFile("client.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0666)
|
||||
logFile, err := os.OpenFile("client.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
@@ -20,7 +20,7 @@ func main() {
|
||||
stdout := flag.Bool("stdout", false, "enable logging to stdout")
|
||||
flag.Parse()
|
||||
|
||||
logFile, err := os.OpenFile("server.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0666)
|
||||
logFile, err := os.OpenFile("server.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
log.Fatalln(err)
|
||||
}
|
||||
|
||||
@@ -30,7 +30,7 @@ func Run() {
|
||||
var dump *os.File
|
||||
if ui.DEBUG {
|
||||
var err error
|
||||
dump, err = os.OpenFile("messages.log", os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o644)
|
||||
dump, err = os.OpenFile("messages.log", os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o600)
|
||||
if err != nil {
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
@@ -40,13 +40,13 @@ func Load() error {
|
||||
}
|
||||
|
||||
Dir = filepath.Join(userConfigDir, "eko")
|
||||
err = os.MkdirAll(Dir, 0o755)
|
||||
err = os.MkdirAll(Dir, 0o750)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
ConfigFile = filepath.Join(Dir, "config.json")
|
||||
contents, err := os.ReadFile(ConfigFile)
|
||||
contents, err := os.ReadFile(ConfigFile) // #nosec 304
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
config = Default()
|
||||
return write()
|
||||
@@ -98,7 +98,7 @@ func write() error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
return os.WriteFile(ConfigFile, b, 0o644)
|
||||
return os.WriteFile(ConfigFile, b, 0o600)
|
||||
}
|
||||
|
||||
func Read() Config {
|
||||
|
||||
@@ -46,6 +46,7 @@ func init() {
|
||||
tlsConfig = &tls.Config{
|
||||
RootCAs: certPool,
|
||||
ServerName: "localhost",
|
||||
MinVersion: tls.VersionTLS12,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -145,7 +146,7 @@ func handleAuth(ctx context.Context, conn net.Conn, privKey ed25519.PrivateKey)
|
||||
}
|
||||
bytesRead += n
|
||||
}
|
||||
id := snowflake.ID(binary.BigEndian.Uint64(idBytes[:]))
|
||||
id := snowflake.ID(binary.BigEndian.Uint64(idBytes[:])) // #nosec G115
|
||||
|
||||
return id, nil
|
||||
}
|
||||
|
||||
@@ -427,13 +427,13 @@ func (m *Model) Signup() tea.Cmd {
|
||||
}
|
||||
|
||||
privateKeyFilepath := expandPath(m.fields[privateKeyField].Input.Value())
|
||||
err := os.MkdirAll(filepath.Dir(privateKeyFilepath), 0o755)
|
||||
err := os.MkdirAll(filepath.Dir(privateKeyFilepath), 0o750)
|
||||
if err != nil {
|
||||
m.fields[privateKeyField].Input.Err = errors.Unwrap(err)
|
||||
assert.NotNil(errors.Unwrap(err), "there should always be an error to unwrap", "err", err)
|
||||
return nil
|
||||
}
|
||||
file, err := os.OpenFile(privateKeyFilepath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
|
||||
file, err := os.OpenFile(privateKeyFilepath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600) // #nosec 304
|
||||
if errors.Is(err, os.ErrExist) {
|
||||
info, e := os.Stat(privateKeyFilepath)
|
||||
assert.NoError(e, "if file exists it should be fine to stat it")
|
||||
@@ -485,7 +485,7 @@ func (m *Model) Signup() tea.Cmd {
|
||||
|
||||
func (m *Model) signin() tea.Cmd {
|
||||
privateKeyFilepath := expandPath(m.fields[privateKeyField].Input.Value())
|
||||
file, err := os.ReadFile(privateKeyFilepath)
|
||||
file, err := os.ReadFile(privateKeyFilepath) // #nosec 304
|
||||
if errors.Is(err, os.ErrNotExist) {
|
||||
content := fmt.Sprintf("File '%s' doesn't exist.\nDo you want to sign-up instead?", privateKeyFilepath)
|
||||
m.popup = createPopup(content, []string{"sign-up"}, []string{"cancel"})
|
||||
|
||||
@@ -117,8 +117,8 @@ type Packet struct {
|
||||
|
||||
func NewPacket(encoder PacketEncoder) Packet {
|
||||
payload := encoder.Payload()
|
||||
n := len(payload)
|
||||
assert.Assert(0 <= n && n <= PAYLOAD_MAX_SIZE, "size of payload must be valid", "size", n)
|
||||
n := uint(len(payload))
|
||||
assert.Assert(n <= PAYLOAD_MAX_SIZE, "size of payload must be valid", "size", n)
|
||||
|
||||
data := make([]byte, HEADER_SIZE+n)
|
||||
|
||||
@@ -129,7 +129,7 @@ func NewPacket(encoder PacketEncoder) Packet {
|
||||
assert.Assert(encoding <= 3, "encoding exceeded allowed size", "encoding", encoding)
|
||||
data[TYPE_OFFSET] = packetType | encoding<<6
|
||||
|
||||
binary.BigEndian.PutUint16(data[LENGTH_OFFSET:], uint16(n))
|
||||
binary.BigEndian.PutUint16(data[LENGTH_OFFSET:], uint16(n)) // #nosec G115
|
||||
|
||||
copy(data[HEADER_SIZE:], payload)
|
||||
|
||||
|
||||
@@ -43,6 +43,7 @@ func init() {
|
||||
|
||||
tlsConfig = &tls.Config{
|
||||
Certificates: []tls.Certificate{cert},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -179,7 +180,7 @@ func (server *server) handleConnection(conn net.Conn) {
|
||||
|
||||
// Write ID back, it's useful for the client to know, and signals successful authentication
|
||||
var id [8]byte
|
||||
binary.BigEndian.PutUint64(id[:], uint64(user.ID))
|
||||
binary.BigEndian.PutUint64(id[:], uint64(user.ID)) // #nosec G115 -- sign bit is always 0 in snowflake IDs
|
||||
_, err = conn.Write(id[:])
|
||||
if err != nil {
|
||||
initialCancel()
|
||||
|
||||
Reference in New Issue
Block a user