diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000000..4a485e07fe --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,18 @@ +on: [push, pull_request] +name: Security +jobs: + test: + strategy: + matrix: + go-version: [1.13.x, 1.14.x] + platform: [ubuntu-latest] + runs-on: ${{ matrix.platform }} + steps: + - name: Install Go + uses: actions/setup-go@v1 + with: + go-version: ${{ matrix.go-version }} + - name: Checkout code + uses: actions/checkout@v2 + - name: Security + run: go get github.com/securego/gosec/cmd/gosec; `go env GOPATH`/bin/gosec -exclude=G104,G304 ./... diff --git a/bytesconv.go b/bytesconv.go index e8fbabbb43..a3b82e221d 100644 --- a/bytesconv.go +++ b/bytesconv.go @@ -330,6 +330,7 @@ func lowercaseBytes(b []byte) { // Note it may break if string and/or slice header will change // in the future go versions. func b2s(b []byte) string { + /* #nosec G103 */ return *(*string)(unsafe.Pointer(&b)) } @@ -338,7 +339,9 @@ func b2s(b []byte) string { // Note it may break if string and/or slice header will change // in the future go versions. func s2b(s string) (b []byte) { + /* #nosec G103 */ bh := (*reflect.SliceHeader)(unsafe.Pointer(&b)) + /* #nosec G103 */ sh := *(*reflect.StringHeader)(unsafe.Pointer(&s)) bh.Data = sh.Data bh.Len = sh.Len diff --git a/client.go b/client.go index 961d6c0519..5f63f0963d 100644 --- a/client.go +++ b/client.go @@ -1506,34 +1506,7 @@ func newClientTLSConfig(c *tls.Config, addr string) *tls.Config { if c == nil { c = &tls.Config{} } else { - // TODO: substitute this with c.Clone() after go1.8 becomes mainstream :) - c = &tls.Config{ - Rand: c.Rand, - Time: c.Time, - Certificates: c.Certificates, - NameToCertificate: c.NameToCertificate, - GetCertificate: c.GetCertificate, - RootCAs: c.RootCAs, - NextProtos: c.NextProtos, - ServerName: c.ServerName, - - // Do not copy ClientAuth, since it is server-related stuff - // Do not copy ClientCAs, since it is server-related stuff - - InsecureSkipVerify: c.InsecureSkipVerify, - CipherSuites: c.CipherSuites, - - // Do not copy PreferServerCipherSuites - this is server stuff - - SessionTicketsDisabled: c.SessionTicketsDisabled, - - // Do not copy SessionTicketKey - this is server stuff - - ClientSessionCache: c.ClientSessionCache, - MinVersion: c.MinVersion, - MaxVersion: c.MaxVersion, - CurvePreferences: c.CurvePreferences, - } + c = c.Clone() } if c.ClientSessionCache == nil { diff --git a/fasthttputil/inmemory_listener.go b/fasthttputil/inmemory_listener.go index 9997d1cc45..87f8b62746 100644 --- a/fasthttputil/inmemory_listener.go +++ b/fasthttputil/inmemory_listener.go @@ -84,8 +84,8 @@ func (ln *InmemoryListener) Dial() (net.Conn, error) { // Wait until the connection has been accepted. <-accepted } else { - sConn.Close() - cConn.Close() + sConn.Close() //nolint:errcheck + cConn.Close() //nolint:errcheck cConn = nil } ln.lock.Unlock() diff --git a/prefork/prefork.go b/prefork/prefork.go index 8fcc842d18..b7a14701d4 100644 --- a/prefork/prefork.go +++ b/prefork/prefork.go @@ -122,6 +122,7 @@ func (p *Prefork) prefork(addr string) error { } for i := 0; i < runtime.GOMAXPROCS(0); i++ { + /* #nosec G204 */ cmd := exec.Command(os.Args[0], append(os.Args[1:], preforkChildFlag)...) cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr