fix: resolve gosec issues and false positives

ory · Oct 3, 2020 · 0832138 · 0832138
1 parent 89abc15
commit 0832138
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 7 deletions.
diff --git a/cmd/server/handler.go b/cmd/server/handler.go
@@ -301,6 +301,7 @@ func serve(d driver.Driver, cmd *cobra.Command, wg *sync.WaitGroup, handler http
 	var srv = graceful.WithDefaults(&http.Server{
 		Addr:    address,
 		Handler: handler,
+		// #nosec G402 - This is a false positive because we use graceful.WithDefaults which sets the correct TLS settings.
 		TLSConfig: &tls.Config{
 			Certificates: cert,
 		},

diff --git a/cmd/token_user.go b/cmd/token_user.go
@@ -33,6 +33,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/ory/graceful"
+
 	"github.com/ory/hydra/cmd/cli"
 
 	"github.com/julienschmidt/httprouter"
@@ -173,10 +175,11 @@ and success.`,
 			cmdx.Must(err, "Unable to generate RSA key pair: %s", err)
 			cert, err := tlsx.CreateSelfSignedTLSCertificate(key)
 			cmdx.Must(err, "Unable to generate self-signed TLS Certificate: %s", err)
+			// #nosec G402 - This is a false positive because we use graceful.WithDefaults which sets the correct TLS settings.
 			tlsc = &tls.Config{Certificates: []tls.Certificate{*cert}}
 		}
 
-		server := &http.Server{Addr: fmt.Sprintf(":%d", port), Handler: r, TLSConfig: tlsc}
+		server := graceful.WithDefaults(&http.Server{Addr: fmt.Sprintf(":%d", port), Handler: r, TLSConfig: tlsc})
 		var shutdown = func() {
 			time.Sleep(time.Second * 1)
 			ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)

diff --git a/consent/manager_memory.go b/consent/manager_memory.go
@@ -194,10 +194,12 @@ func (m *MemoryManager) HandleConsentRequest(ctx context.Context, challenge stri
 
 func (m *MemoryManager) VerifyAndInvalidateConsentRequest(ctx context.Context, verifier string) (*HandledConsentRequest, error) {
 	m.m["consentRequests"].RLock()
-	for _, c := range m.consentRequests {
+	for k := range m.consentRequests {
+		c := m.consentRequests[k]
 		if c.Verifier == verifier {
 			m.m["handledConsentRequests"].RLock()
-			for _, h := range m.handledConsentRequests {
+			for kk := range m.handledConsentRequests {
+				h := m.handledConsentRequests[kk]
 				if h.Challenge == c.Challenge {
 					m.m["consentRequests"].RUnlock()
 					m.m["handledConsentRequests"].RUnlock()
@@ -433,10 +435,12 @@ func (m *MemoryManager) HandleLoginRequest(ctx context.Context, challenge string
 
 func (m *MemoryManager) VerifyAndInvalidateLoginRequest(ctx context.Context, verifier string) (*HandledLoginRequest, error) {
 	m.m["authRequests"].RLock()
-	for _, c := range m.authRequests {
+	for k := range m.authRequests {
+		c := m.authRequests[k]
 		if c.Verifier == verifier {
 			m.m["handledAuthRequests"].RLock()
-			for _, h := range m.handledAuthRequests {
+			for kk := range m.handledAuthRequests {
+				h := m.handledAuthRequests[kk]
 				if h.Challenge == c.Challenge {
 					m.m["handledAuthRequests"].RUnlock()
 					m.m["authRequests"].RUnlock()
@@ -547,7 +551,8 @@ func (m *MemoryManager) RejectLogoutRequest(ctx context.Context, challenge strin
 
 func (m *MemoryManager) VerifyAndInvalidateLogoutRequest(ctx context.Context, verifier string) (*LogoutRequest, error) {
 	m.m["logoutRequests"].RLock()
-	for _, c := range m.logoutRequests {
+	for k := range m.logoutRequests {
+		c := m.logoutRequests[k]
 		if c.Verifier == verifier {
 			m.m["logoutRequests"].RUnlock()
 

diff --git a/internal/fosite_store.go b/internal/fosite_store.go
@@ -26,6 +26,7 @@ func AddFositeExamples(r driver.Registry) {
 			Scope:         "fosite,openid,photos,offline",
 		},
 	} {
+		// #nosec G601
 		if err := r.ClientManager().CreateClient(context.Background(), &c); err != nil {
 			panic(err)
 		}

diff --git a/jwk/manager_memory.go b/jwk/manager_memory.go
@@ -68,7 +68,8 @@ func (m *MemoryManager) AddKey(ctx context.Context, set string, key *jose.JSONWe
 }
 
 func (m *MemoryManager) AddKeySet(ctx context.Context, set string, keys *jose.JSONWebKeySet) error {
-	for _, key := range keys.Keys {
+	for k := range keys.Keys {
+		key := keys.Keys[k]
 		if err := m.AddKey(ctx, set, &key); err != nil {
 			return err
 		}