Skip to content

Commit

Permalink
feat: workflow to verify security using GoSec (#747)
Browse files Browse the repository at this point in the history
* feat: workflow to valid security using GoSec

* Update security.yml

* Fix gosec problems

These are all either false positives or os.Open operations done on
filenames supplied by the fasthttp user which we have to assume is safe.

* Just ignore some rules globally

* Fix more warnings

* No more warnings

Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>
  • Loading branch information
renanbastos93 and erikdubbelboer authored Feb 28, 2020
1 parent b9d2e96 commit 695f713
Show file tree
Hide file tree
Showing 5 changed files with 25 additions and 30 deletions.
18 changes: 18 additions & 0 deletions .github/workflows/security.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
on: [push, pull_request]
name: Security
jobs:
test:
strategy:
matrix:
go-version: [1.13.x, 1.14.x]
platform: [ubuntu-latest]
runs-on: ${{ matrix.platform }}
steps:
- name: Install Go
uses: actions/setup-go@v1
with:
go-version: ${{ matrix.go-version }}
- name: Checkout code
uses: actions/checkout@v2
- name: Security
run: go get github.com/securego/gosec/cmd/gosec; `go env GOPATH`/bin/gosec -exclude=G104,G304 ./...
3 changes: 3 additions & 0 deletions bytesconv.go
Original file line number Diff line number Diff line change
Expand Up @@ -330,6 +330,7 @@ func lowercaseBytes(b []byte) {
// Note it may break if string and/or slice header will change
// in the future go versions.
func b2s(b []byte) string {
/* #nosec G103 */
return *(*string)(unsafe.Pointer(&b))
}

Expand All @@ -338,7 +339,9 @@ func b2s(b []byte) string {
// Note it may break if string and/or slice header will change
// in the future go versions.
func s2b(s string) (b []byte) {
/* #nosec G103 */
bh := (*reflect.SliceHeader)(unsafe.Pointer(&b))
/* #nosec G103 */
sh := *(*reflect.StringHeader)(unsafe.Pointer(&s))
bh.Data = sh.Data
bh.Len = sh.Len
Expand Down
29 changes: 1 addition & 28 deletions client.go
Original file line number Diff line number Diff line change
Expand Up @@ -1506,34 +1506,7 @@ func newClientTLSConfig(c *tls.Config, addr string) *tls.Config {
if c == nil {
c = &tls.Config{}
} else {
// TODO: substitute this with c.Clone() after go1.8 becomes mainstream :)
c = &tls.Config{
Rand: c.Rand,
Time: c.Time,
Certificates: c.Certificates,
NameToCertificate: c.NameToCertificate,
GetCertificate: c.GetCertificate,
RootCAs: c.RootCAs,
NextProtos: c.NextProtos,
ServerName: c.ServerName,

// Do not copy ClientAuth, since it is server-related stuff
// Do not copy ClientCAs, since it is server-related stuff

InsecureSkipVerify: c.InsecureSkipVerify,
CipherSuites: c.CipherSuites,

// Do not copy PreferServerCipherSuites - this is server stuff

SessionTicketsDisabled: c.SessionTicketsDisabled,

// Do not copy SessionTicketKey - this is server stuff

ClientSessionCache: c.ClientSessionCache,
MinVersion: c.MinVersion,
MaxVersion: c.MaxVersion,
CurvePreferences: c.CurvePreferences,
}
c = c.Clone()
}

if c.ClientSessionCache == nil {
Expand Down
4 changes: 2 additions & 2 deletions fasthttputil/inmemory_listener.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,8 +84,8 @@ func (ln *InmemoryListener) Dial() (net.Conn, error) {
// Wait until the connection has been accepted.
<-accepted
} else {
sConn.Close()
cConn.Close()
sConn.Close() //nolint:errcheck
cConn.Close() //nolint:errcheck
cConn = nil
}
ln.lock.Unlock()
Expand Down
1 change: 1 addition & 0 deletions prefork/prefork.go
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,7 @@ func (p *Prefork) prefork(addr string) error {
}

for i := 0; i < runtime.GOMAXPROCS(0); i++ {
/* #nosec G204 */
cmd := exec.Command(os.Args[0], append(os.Args[1:], preforkChildFlag)...)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
Expand Down

0 comments on commit 695f713

Please sign in to comment.