Fixes security lint problems

.golangci.yml

@@ -34,9 +34,9 @@ run:
   modules-download-mode: readonly
 
 linters:
-  enable: 
+  enable:
   - "bodyclose"
-  # - "depguard" broken in golangci-lint 1.17.1
+  - "depguard"
   - "dupl"
   - "goconst"
   - "gocritic"
@@ -46,17 +46,15 @@ linters:
   - "golint"
   - "gosec"
   - "gosimple"
-  - "interfacer"
   - "lll"
-  - "maligned"
   - "misspell"
   - "nakedret"
   - "prealloc"
   - "scopelint"
   - "unconvert"
   - "unparam"
-  
-  disable: 
+
+  disable:
   - "gochecknoinits"
   - "gochecknoglobals"
 
@@ -93,67 +91,30 @@ linters-settings:
   unparam:
     check-exported: false
   gocritic:
-    enabled-checks:
-      - appendCombine
-      - appendAssign
-      - assignOp
-      - argOrder
-      - badCond
+    enabled-checks:  # non-default checks we decided to also add
       - boolExprSimplify
       - builtinShadow
-      - captLocal
-      - caseOrder
-      - codegenComment
       - commentedOutCode
       - commentedOutImport
-      - defaultCaseOrder
-      - deprecatedComment
       - docStub
-      - dupArg
-      - dupBranchBody
-      - dupCase
-      - dupSubExpr
-      - elseif
       - emptyFallthrough
-      - equalFold
-      - flagDeref
-      - flagName
       - hexLiteral
-      - indexAlloc
       - initClause
       - methodExprCall
       - nilValReturn
       - octalLiteral
-      - offBy1
-      - rangeExprCopy
-      - regexpMust
-      - singleCaseSwitch
-      - sloppyLen
-      - stringXbytes
-      - switchTrue
       - typeAssertChain
-      - typeSwitchVar
       - typeUnparen
-      - underef
-      - unlambda
       - unnecessaryBlock
-      - unslice
-      - valSwap
       - weakCond
       - yodaStyleExpr
-      - commentFormatting
       - emptyStringTest
-      - exitAfterDefer
-      - ifElseChain
-      - hugeParam
       - importShadow
       - nestingReduce
       - paramTypeCombine
       - ptrToRefParam
-      - rangeValCopy
       - sloppyReassign
       - unlabelStmt
-      - wrapperFunc
 
     # Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint` run to see all tags and checks.
     # Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
@@ -180,7 +141,6 @@ issues:
         - errcheck
         - dupl
         - gosec
-        - maligned
 
     # Exclude lll issues for long lines with go:generate
     - linters:

pkg/binary/envoy/config.go

@@ -97,7 +97,7 @@ func (r *Runtime) SaveConfig(name, config string) (string, error) {
 		return "", fmt.Errorf("Unable to create directory %q: %v", configDir, err)
 	}
 	filename := name + ".yaml"
-	err := ioutil.WriteFile(filepath.Join(configDir, filename), []byte(config), 0644)
+	err := ioutil.WriteFile(filepath.Join(configDir, filename), []byte(config), 0600)
 	if err != nil {
 		return "", fmt.Errorf("Cannot save config file %s: %s", filepath.Join(configDir, filename), err)
 	}

pkg/binary/envoy/controlplane/istio.tmpl.go

@@ -28,7 +28,7 @@ func writeIstioTemplate(path string) error {
 	if err := os.MkdirAll(filepath.Dir(path), os.ModePerm); err != nil {
 		return err
 	}
-	return ioutil.WriteFile(path, []byte(istioBootStrapTemplate), 0644)
+	return ioutil.WriteFile(path, []byte(istioBootStrapTemplate), 0600)
 }
 
 var istioBootStrapTemplate = `{

pkg/binary/envoy/debug/admin.go

@@ -68,6 +68,7 @@ func retrieveAdminAPIData(r binary.Runner) error {
 			multiErr = multierror.Append(multiErr, fmt.Errorf("received %v from /%v ", resp.StatusCode, path))
 			continue
 		}
+		// #nosec -> r.DebugStore() is allowed to be anywhere
 		f, err := os.OpenFile(filepath.Join(r.DebugStore(), file), os.O_CREATE|os.O_WRONLY, 0600)
 		if err != nil {
 			multiErr = multierror.Append(multiErr, err)

pkg/binary/envoy/debug/log_linux.go

@@ -66,6 +66,7 @@ func captureStderr(r binary.Runner) error {
 }
 
 func createLogFile(path string) (*os.File, error) {
+	// #nosec -> logs can be written anywhere
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_WRONLY, 0600)
 	if err != nil {
 		return nil, fmt.Errorf("unable to open file to write logs to %v: %v", path, err)

pkg/binary/envoy/fetch.go

@@ -112,7 +112,7 @@ func fetchEnvoy(dst, src string) error {
 }
 
 func doDownload(dst, src string) (string, error) {
-	// #nosec -> src destination can be anywhere by design
+	// #nosec -> src can be anywhere by design
 	resp, err := transport.Get(src)
 	if err != nil {
 		return "", err
@@ -124,6 +124,7 @@ func doDownload(dst, src string) (string, error) {
 	}
 
 	tarball := filepath.Join(dst, "envoy.tar"+filepath.Ext(src))
+	// #nosec -> dst can be anywhere by design
 	f, err := os.OpenFile(tarball, os.O_CREATE|os.O_WRONLY, 0600)
 	if err != nil {
 		return "", err

pkg/cmd/extension/run/cmd_test.go

@@ -356,7 +356,7 @@ Run 'getenvoy extension run --help' for usage.
 
 		By("creating a non-executable file")
 		filePath := filepath.Join(tempDir, "envoy")
-		err = ioutil.WriteFile(filePath, []byte(`#!/bin/sh`), 0644)
+		err = ioutil.WriteFile(filePath, []byte(`#!/bin/sh`), 0600)
 		Expect(err).NotTo(HaveOccurred())
 
 		By("running command")
@@ -616,7 +616,7 @@ Run 'getenvoy extension run --help' for usage.
 				Expect(os.RemoveAll(tempDir)).To(Succeed())
 			}()
 			wasmFile := filepath.Join(tempDir, "extension.wasm")
-			err = ioutil.WriteFile(wasmFile, []byte{}, 0644)
+			err = ioutil.WriteFile(wasmFile, []byte{}, 0600)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("running command")
@@ -648,7 +648,7 @@ Run 'getenvoy extension run --help' for usage.
 				Expect(os.RemoveAll(tempDir)).To(Succeed())
 			}()
 			configFile := filepath.Join(tempDir, "config.json")
-			err = ioutil.WriteFile(configFile, []byte(`{"key2":"value2"}`), 0644)
+			err = ioutil.WriteFile(configFile, []byte(`{"key2":"value2"}`), 0600)
 			Expect(err).NotTo(HaveOccurred())
 
 			By("running command")

pkg/extension/wasmimage/puller.go

@@ -40,8 +40,8 @@ func NewPuller(insecure, useHTTP bool) (*Puller, error) {
 
 	client.Transport = &http.Transport{
 		TLSClientConfig: &tls.Config{
-			// nolint:gosec this option is only enabled when the user specify the insecure flag.
-			InsecureSkipVerify: insecure,
+			// this option is only enabled when the user specify the insecure flag.
+			InsecureSkipVerify: insecure, // nolint:gosec
 		},
 	}
 
@@ -77,7 +77,7 @@ func (p *Puller) Pull(imageRef, imagePath string) (ocispec.Descriptor, error) {
 	}
 	manifest, image, _ := store.Get(layers[0])
 
-	if err := ioutil.WriteFile(imagePath, image, 0755); err != nil {
+	if err := ioutil.WriteFile(imagePath, image, 0600); err != nil {
 		return manifest, fmt.Errorf("failed to write image: %w", err)
 	}
 

pkg/extension/wasmimage/pusher.go

@@ -39,8 +39,8 @@ func NewPusher(insecure, useHTTP bool) (*Pusher, error) {
 	if insecure {
 		client.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{
-				// nolint:gosec this option is only enabled when the user specify the insecure flag.
-				InsecureSkipVerify: true,
+				// this option is only enabled when the user specify the insecure flag.
+				InsecureSkipVerify: true, // nolint:gosec
 			},
 		}
 	}

pkg/extension/workspace/example/runtime/configdir/configdir.go

@@ -194,7 +194,7 @@ func (d *configDir) writeFile(fileName string, data []byte) error {
 	if err := osutil.EnsureDirExists(filepath.Dir(outputFile)); err != nil {
 		return err
 	}
-	if err := ioutil.WriteFile(outputFile, data, 0644); err != nil {
+	if err := ioutil.WriteFile(outputFile, data, 0600); err != nil {
 		return errors.Wrapf(err, "failed to write config file to %q", outputFile)
 	}
 	return nil

pkg/extension/workspace/fs/types.go

@@ -57,7 +57,7 @@ func (d workspaceDir) WriteFile(path string, data []byte) error {
 	if err := osutil.EnsureDirExists(filepath.Dir(path)); err != nil {
 		return err
 	}
-	return ioutil.WriteFile(path, data, 0644)
+	return ioutil.WriteFile(path, data, 0600)
 }
 
 func (d workspaceDir) HasDir(path string) (bool, error) {