From 4e2ca64319f17867ac63a8d1283a67e2f1c4daba Mon Sep 17 00:00:00 2001
From: Kyren223
Date: Tue, 7 Jan 2025 19:02:14 +0200
Subject: [PATCH] Fixed all high and medium security issues from gosec

---
 cmd/client/main.go | 2 +-
 cmd/server/main.go | 2 +-
 internal/client/client.go | 2 +-
 internal/client/config/config.go | 6 +++---
 internal/client/gateway/gateway.go | 3 ++-
 internal/client/ui/auth/auth.go | 6 +++---
 internal/packet/packet.go | 6 +++---
 internal/server/server.go | 3 ++-
 8 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/cmd/client/main.go b/cmd/client/main.go
index 5347554..d33120b 100644
--- a/cmd/client/main.go
+++ b/cmd/client/main.go
@@ -8,7 +8,7 @@ import (
 )

 func main() {
- logFile, err := os.OpenFile("client.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0666)
+ logFile, err := os.OpenFile("client.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
 if err != nil {
 log.Fatalln(err)
 }
diff --git a/cmd/server/main.go b/cmd/server/main.go
index fa04d69..529d0b5 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -20,7 +20,7 @@ func main() {
 stdout := flag.Bool("stdout", false, "enable logging to stdout")
 flag.Parse()

- logFile, err := os.OpenFile("server.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0666)
+ logFile, err := os.OpenFile("server.log", os.O_APPEND|os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0600)
 if err != nil {
 log.Fatalln(err)
 }
diff --git a/internal/client/client.go b/internal/client/client.go
index c5fc8a9..5fe2454 100644
--- a/internal/client/client.go
+++ b/internal/client/client.go
@@ -30,7 +30,7 @@ func Run() {
 var dump *os.File
 if ui.DEBUG {
 var err error
- dump, err = os.OpenFile("messages.log", os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o644)
+ dump, err = os.OpenFile("messages.log", os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0o600)
 if err != nil {
 os.Exit(1)
 }
diff --git a/internal/client/config/config.go b/internal/client/config/config.go
index ce5a62a..daa3d58 100644
--- a/internal/client/config/config.go
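Review bot: The new 0600 on the `os.OpenFile("client.log", ...)` line applies only when the file is created, so a client.log left behind by an earlier build at 0666 keeps its old bits (and the umask still shapes a fresh one); if the log is treated as sensitive, follow the open with `if err := logFile.Chmod(0o600); err != nil { log.Fatalln(err) }` or remove the stale file first. Separately, `os.O_APPEND|os.O_TRUNC` in one flag set truncates at open and then appends, which reads as if one of the two flags is unintended. main continues outside the hunk.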
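Review bot: `os.O_TRUNC` on the server.log open wipes the previous run's log every time the server starts, so a crash-and-restart loop destroys exactly the trail an incident responder would want; for a server log, open with `os.O_APPEND|os.O_CREATE|os.O_WRONLY` and rotate out of band rather than truncating in-process. As with the client, the 0600 mode is applied on creation only, so an existing world-readable server.log keeps its mode unless chmod'ed. main continues outside the hunk.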
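Review bot: On the `os.Exit(1)` branch the open error is thrown away, so a failed messages.log open (a stale file the user cannot write, say) ends the client silently with no reason given; print `err` to stderr or the client's logger before exiting. The dump is DEBUG-only and by its name appears to capture protocol traffic, so the tightening to 0o600 is right, and a short comment on the OpenFile line saying the dump may contain authentication material would stop someone relaxing it later. Run continues outside the hunk.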
+++ b/internal/client/config/config.go
@@ -40,13 +40,13 @@ func Load() error {
 }

 Dir = filepath.Join(userConfigDir, "eko")
- err = os.MkdirAll(Dir, 0o755)
+ err = os.MkdirAll(Dir, 0o750)
 if err != nil {
 return err
 }

 ConfigFile = filepath.Join(Dir, "config.json")
- contents, err := os.ReadFile(ConfigFile)
+ contents, err := os.ReadFile(ConfigFile) // #nosec 304
 if errors.Is(err, os.ErrNotExist) {
 config = Default()
 return write()
@@ -98,7 +98,7 @@ func write() error {
 if err != nil {
 return err
 }
- return os.WriteFile(ConfigFile, b, 0o644)
+ return os.WriteFile(ConfigFile, b, 0o600)
 }

 func Read() Config {
diff --git a/internal/client/gateway/gateway.go b/internal/client/gateway/gateway.go
index 9709968..df1503f 100644
--- a/internal/client/gateway/gateway.go
+++ b/internal/client/gateway/gateway.go
@@ -46,6 +46,7 @@ func init() {
 tlsConfig = &tls.Config{
 RootCAs: certPool,
 ServerName: "localhost",
+ MinVersion: tls.VersionTLS12,
 }
 }

@@ -145,7 +146,7 @@ func handleAuth(ctx context.Context, conn net.Conn, privKey ed25519.PrivateKey)
 }
 bytesRead += n
 }
- id := snowflake.ID(binary.BigEndian.Uint64(idBytes[:]))
+ id := snowflake.ID(binary.BigEndian.Uint64(idBytes[:])) // #nosec G115

 return id, nil
 }
diff --git a/internal/client/ui/auth/auth.go b/internal/client/ui/auth/auth.go
index d4c4d2f..5e44962 100644
--- a/internal/client/ui/auth/auth.go
+++ b/internal/client/ui/auth/auth.go
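Review bot: The suppression `// #nosec 304` on the `os.ReadFile(ConfigFile)` line is not scoped to G304: gosec picks rule IDs of the form `G\d{3}` out of a `#nosec` tag, and a tag with no recognised ID is treated as "ignore every rule on this statement", so this is a blanket exclusion rather than the narrow one intended. Write it as `// #nosec G304 -- ConfigFile is built from os.UserConfigDir and a fixed name, not user input` so the exclusion is narrow and carries its reason. Load continues outside the hunk.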
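Review bot: `os.WriteFile(ConfigFile, b, 0o600)` applies the mode only when it creates the file, so a config.json written by an earlier version at 0o644 stays world-readable after this change. Either `os.Chmod(ConfigFile, 0o600)` after a successful write, or write to a sibling temp file created with 0o600 and `os.Rename` it over ConfigFile, which additionally keeps a concurrent reader from seeing a truncated config. write's body starts before the hunk.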
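Review bot: `ServerName: "localhost"` is hard-coded beside the pinned `RootCAs`, so the server certificate is always validated against the name localhost regardless of the address actually dialled; if this client can ever reach a non-local server that silently disables hostname verification, and if the pinned CA only ever issues the localhost certificate, a comment saying so belongs on that line, e.g. `// ServerName is pinned: the bundled CA only issues a cert for localhost`. The dial site is not in this hunk, so this may be intended. init starts before the hunk.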
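Review bot: The `// #nosec G115` on the `snowflake.ID(...)` conversion has no justification, unlike the matching suppression on the server side, and here the uint64 arrives off the wire from the server rather than from a local ID generator, so (assuming snowflake.ID is signed, which is what G115 flags) a value above math.MaxInt64 would quietly become a negative ID. Rejecting it is three lines: `raw := binary.BigEndian.Uint64(idBytes[:])` / `if raw > math.MaxInt64 { return 0, errors.New("invalid id from server") }` / `id := snowflake.ID(raw)` (math and errors imports if not already present). If the conversion is kept as is, at least use the `// #nosec G115 -- reason` form. handleAuth starts before the hunk.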
@@ -427,13 +427,13 @@ func (m *Model) Signup() tea.Cmd {
 }

 privateKeyFilepath := expandPath(m.fields[privateKeyField].Input.Value())
- err := os.MkdirAll(filepath.Dir(privateKeyFilepath), 0o755)
+ err := os.MkdirAll(filepath.Dir(privateKeyFilepath), 0o750)
 if err != nil {
 m.fields[privateKeyField].Input.Err = errors.Unwrap(err)
 assert.NotNil(errors.Unwrap(err), "there should always be an error to unwrap", "err", err)
 return nil
 }
- file, err := os.OpenFile(privateKeyFilepath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
+ file, err := os.OpenFile(privateKeyFilepath, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600) // #nosec 304
 if errors.Is(err, os.ErrExist) {
 info, e := os.Stat(privateKeyFilepath)
 assert.NoError(e, "if file exists it should be fine to stat it")
@@ -485,7 +485,7 @@ func (m *Model) Signup() tea.Cmd {

 func (m *Model) signin() tea.Cmd {
 privateKeyFilepath := expandPath(m.fields[privateKeyField].Input.Value())
- file, err := os.ReadFile(privateKeyFilepath)
+ file, err := os.ReadFile(privateKeyFilepath) // #nosec 304
 if errors.Is(err, os.ErrNotExist) {
 content := fmt.Sprintf("File '%s' doesn't exist.\nDo you want to sign-up instead?", privateKeyFilepath)
 m.popup = createPopup(content, []string{"sign-up"}, []string{"cancel"})
diff --git a/internal/packet/packet.go b/internal/packet/packet.go
index ffd852b..0067c9a 100644
--- a/internal/packet/packet.go
+++ b/internal/packet/packet.go
@@ -117,8 +117,8 @@ type Packet struct {
 func NewPacket(encoder PacketEncoder) Packet {
 payload := encoder.Payload()

- n := len(payload)
- assert.Assert(0 <= n && n <= PAYLOAD_MAX_SIZE, "size of payload must be valid", "size", n)
+ n := uint(len(payload))
+ assert.Assert(n <= PAYLOAD_MAX_SIZE, "size of payload must be valid", "size", n)

 data := make([]byte, HEADER_SIZE+n)

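Review bot: `os.MkdirAll(filepath.Dir(privateKeyFilepath), 0o750)` creates the directory that exists to hold the user's private key with group read and execute; for a key directory the conventional mode is `0o700` (what ~/.ssh is expected to be), and 0o750 buys nothing here. The `// #nosec 304` on the OpenFile line also lacks a G-prefixed rule ID, which gosec reads as "ignore all rules on this statement"; use `// #nosec G304 -- path is chosen by the local user`, and note that O_EXCL with 0o600 on the key file itself is the right call. Signup starts before and continues after the hunk.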
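Review bot: `os.ReadFile(privateKeyFilepath)` loads a private key from a user-typed path without checking its permissions; an ssh-style refusal of group- or world-readable keys (`if info.Mode().Perm()&0o077 != 0 { ... }` after an `os.Stat`) would catch a key copied in with loose bits, which is the same class of problem this commit fixes on the write side in Signup. The `#nosec 304` tag here has the same defect as the others in the patch: without the `G` prefix it is not recognised as G304 and suppresses every rule on the statement. signin continues outside the hunk.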
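Review bot: `assert.Assert(n <= PAYLOAD_MAX_SIZE, ...)` turns an oversized payload into a panic; that is acceptable if encoders only ever wrap locally built data, but if any encoder forwards bytes that came from a peer (a relayed message, for instance) this is a remotely triggerable crash, and NewPacket should return an error for that case instead of asserting. The move to `uint` does make the dropped `0 <= n` half of the check redundant, so that part is sound. NewPacket continues outside the hunk.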
@@ -129,7 +129,7 @@ func NewPacket(encoder PacketEncoder) Packet {
 assert.Assert(encoding <= 3, "encoding exceeded allowed size", "encoding", encoding)

 data[TYPE_OFFSET] = packetType | encoding<<6
- binary.BigEndian.PutUint16(data[LENGTH_OFFSET:], uint16(n))
+ binary.BigEndian.PutUint16(data[LENGTH_OFFSET:], uint16(n)) // #nosec G115

 copy(data[HEADER_SIZE:], payload)

diff --git a/internal/server/server.go b/internal/server/server.go
index 253cef3..6c915f7 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -43,6 +43,7 @@ func init() {

 tlsConfig = &tls.Config{
 Certificates: []tls.Certificate{cert},
+ MinVersion: tls.VersionTLS12,
 }
 }

@@ -179,7 +180,7 @@ func (server *server) handleConnection(conn net.Conn) {

 // Write ID back, it's useful for the client to know, and signals successful authentication
 var id [8]byte
- binary.BigEndian.PutUint64(id[:], uint64(user.ID))
+ binary.BigEndian.PutUint64(id[:], uint64(user.ID)) // #nosec G115 -- sign bit is always 0 in snowflake IDs
 _, err = conn.Write(id[:])
 if err != nil {
 initialCancel()
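Review bot: The `// #nosec G115` on `uint16(n)` is sound only while PAYLOAD_MAX_SIZE fits in 16 bits, and nothing ties the two together; if PAYLOAD_MAX_SIZE is a constant, a one-liner next to its definition such as `const _ = uint16(PAYLOAD_MAX_SIZE)` makes the build fail the day someone raises the limit past 65535. The tag should also state why it is safe, e.g. `// #nosec G115 -- n <= PAYLOAD_MAX_SIZE is asserted above and the limit fits in uint16`. NewPacket starts before the hunk.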
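Review bot: `MinVersion: tls.VersionTLS12` is the floor gosec asks for, but with both endpoints living in this repository and written in Go there is no interoperability reason to stop there; `tls.VersionTLS13` removes TLS 1.2 cipher-suite negotiation altogether (no RSA key exchange, no CBC suites) and the client config in internal/client/gateway can be raised in the same commit so the two stay in step. init starts before the hunk.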
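Review bot: The justification on `uint64(user.ID)` states an invariant ("sign bit is always 0") that nothing visible enforces; if user.ID can come from a database row or a decoded request rather than only the local generator, a negative value would be sent as a huge unsigned ID with no error. A guard right before the conversion, `if user.ID < 0 { initialCancel(); return }` or an assert in the file's style, turns the comment into something the code checks. `conn.Write` has no visible deadline, though one may be set elsewhere in handleConnection, which starts before and continues after the hunk.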