diff --git a/src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib.go b/src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib.go index 0522f9b1..82d372bb 100644 --- a/src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib.go +++ b/src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib.go @@ -107,7 +107,10 @@ func LoadWrapperConfig(bytes []byte) (*WrapperConfig, error) { return nil, fmt.Errorf("invalid outbound connection rate") } - validator.Validate(n) + err := validator.Validate(n) + if err != nil { + return nil, fmt.Errorf("validator: %s", err) + } return n, nil } diff --git a/src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib_test.go b/src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib_test.go index 3a5c6284..d180c37c 100644 --- a/src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib_test.go +++ b/src/code.cloudfoundry.org/cni-wrapper-plugin/lib/lib_test.go @@ -43,7 +43,8 @@ var _ = Describe("LoadWrapperConfig", func() { "burst": 900, "rate_per_sec": 100, "dry_run": false - } + }, + "policy_agent_force_poll_address": "http://127.0.0.1:1234" }`) }) @@ -59,6 +60,7 @@ var _ = Describe("LoadWrapperConfig", func() { NoMasqueradeCIDRRange: "10.255.0.0/16", UnderlayIPs: []string{"10.244.20.1", "10.244.20.2"}, TemporaryUnderlayInterfaceNames: []string{"some-temporary-underlay-interface-name"}, + PolicyAgentForcePollAddress: "http://127.0.0.1:1234", IPTablesASGLogging: true, Delegate: map[string]interface{}{ "cniVersion": "1.0.0", diff --git a/src/code.cloudfoundry.org/cni-wrapper-plugin/main.go b/src/code.cloudfoundry.org/cni-wrapper-plugin/main.go index d104bf12..3b6deef7 100644 --- a/src/code.cloudfoundry.org/cni-wrapper-plugin/main.go +++ b/src/code.cloudfoundry.org/cni-wrapper-plugin/main.go 
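Review bot: The new error return in LoadWrapperConfig formats the validator failure with `%s`, which flattens it to a string and discards the error chain; `return nil, fmt.Errorf("validator: %w", err)` keeps errors.Is/errors.As usable for callers at no cost. The body of LoadWrapperConfig starts before this hunk, so whether the `err :=` short declaration shadows an earlier `err` in an enclosing scope cannot be confirmed from here and is worth a glance.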
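Review bot: The fixture gains `policy_agent_force_poll_address` and the expected struct gains the matching field, but nothing in this test file exercises the failure path the companion lib.go hunk opens up: LoadWrapperConfig now returns an error when validator.Validate rejects the config, and no case pins that. A test that feeds a value the validator rejects (whichever field that is; its rules are not visible here) and asserts on the `validator: ` error prefix would lock the behaviour in and document which fields are validated. The enclosing Describe block and the BeforeEach that builds the fixture lie outside these hunks.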
@@ -95,6 +95,7 @@ func cmdAdd(args *skel.CmdArgs) error { } if resp.StatusCode != http.StatusOK { body, _ := io.ReadAll(resp.Body) + // #nosec G104 - don't capture this error, as the one we generate below is more important to return resp.Body.Close() return fmt.Errorf("vpa response code: %v with message: %s", resp.StatusCode, body) } @@ -205,6 +206,7 @@ func cmdAdd(args *skel.CmdArgs) error { if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusMethodNotAllowed { body, _ := io.ReadAll(resp.Body) + // #nosec G104 - don't capture this error, as the one we generate below is more important to return resp.Body.Close() return fmt.Errorf("asg sync returned %v with message: %s", resp.StatusCode, body) } @@ -337,6 +339,7 @@ func cmdDel(args *skel.CmdArgs) error { } if resp.StatusCode != http.StatusOK && resp.StatusCode != http.StatusMethodNotAllowed { body, _ := io.ReadAll(resp.Body) + // #nosec G104 - don't capture this error, as the one we generate below is more important to return resp.Body.Close() return fmt.Errorf("asg cleanup returned %v with message: %s", resp.StatusCode, body) } diff --git a/src/code.cloudfoundry.org/netmon/cmd/netmon/main.go b/src/code.cloudfoundry.org/netmon/cmd/netmon/main.go index 1572497d..1b66704f 100644 --- a/src/code.cloudfoundry.org/netmon/cmd/netmon/main.go +++ b/src/code.cloudfoundry.org/netmon/cmd/netmon/main.go @@ -89,7 +89,10 @@ func main() { IPTablesRunner: iptablesCommandRunner, } - dropsonde.Initialize(conf.MetronAddress, "netmon") + err = dropsonde.Initialize(conf.MetronAddress, "netmon") + if err != nil { + logger.Fatal("failed-initializing-dropsonde", err) + } networkStatsFetcher := network_stats.NewFetcher(lockedIPTables, logger) ruleCountAggregator := network_stats.NewIntAggregator() diff --git a/src/code.cloudfoundry.org/silk-daemon-bootstrap/main.go b/src/code.cloudfoundry.org/silk-daemon-bootstrap/main.go index cd9d8016..f0403004 100644 --- a/src/code.cloudfoundry.org/silk-daemon-bootstrap/main.go 
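Review bot: The `#nosec G104` comment added before `resp.Body.Close()` separates the justification with a single `-`, whereas gosec's documented form is `// #nosec G104 -- reason` with two dashes. As far as I recall the rule ID is still picked up either way, since gosec scans the directive for `G\d{3}` tokens, but only the `--` form is recorded as the justification in gosec's report output, so `// #nosec G104 -- don't capture this error, as the one we generate below is more important to return` makes the suppression auditable. The same applies to every other `#nosec` line in this commit. cmdAdd starts before this hunk.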
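Review bot: The `body, _ := io.ReadAll(resp.Body)` directly above the new comment reads the policy agent's error response into memory without a bound and then embeds it verbatim in the returned error, which is what the CNI runtime ends up logging. Capping it with `body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10))` keeps the diagnostic while bounding both memory and log-line size, and the same change fits the identical reads in the other two hunks of this file. Since the ReadAll error is also deliberately dropped, the new comment could say so in the same breath, so a later reader does not add handling for one ignored error and not the other.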
+++ b/src/code.cloudfoundry.org/silk-daemon-bootstrap/main.go @@ -72,7 +72,7 @@ func mainWithError() error { } func createNewChain(ipTablesAdapter rules.IPTablesAdapter) error { - // NewChain only returns an error if the chain already exists, so we ignore it :( + // #nosec G104 - NewChain only returns an error if the chain already exists, so we ignore it :( ipTablesAdapter.NewChain("filter", IngressChainName) jumpRule := rules.IPTablesRule{ diff --git a/src/code.cloudfoundry.org/silk-daemon-shutdown/main.go b/src/code.cloudfoundry.org/silk-daemon-shutdown/main.go index ad0b9882..bc48272d 100644 --- a/src/code.cloudfoundry.org/silk-daemon-shutdown/main.go +++ b/src/code.cloudfoundry.org/silk-daemon-shutdown/main.go @@ -142,7 +142,10 @@ func flushAndDeleteChain(lockedIPTables *rules.LockedIPTables) error { } exists, _ := lockedIPTables.Exists("filter", "OUTPUT", jumpRule) if exists { - lockedIPTables.Delete("filter", "OUTPUT", jumpRule) + err := lockedIPTables.Delete("filter", "OUTPUT", jumpRule) + if err != nil { + return err + } } err := lockedIPTables.ClearChain("filter", "istio-ingress") diff --git a/src/code.cloudfoundry.org/silk/cmd/silk-daemon/main.go b/src/code.cloudfoundry.org/silk/cmd/silk-daemon/main.go index bb503c96..14b3e601 100644 --- a/src/code.cloudfoundry.org/silk/cmd/silk-daemon/main.go +++ b/src/code.cloudfoundry.org/silk/cmd/silk-daemon/main.go @@ -265,6 +265,7 @@ func buildHealthCheckServer(healthCheckPort uint16, networkInfo daemon.NetworkIn fmt.Sprintf("127.0.0.1:%d", healthCheckPort), http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write(networkBytes) }), ), nil diff --git a/src/code.cloudfoundry.org/silk/cni/integration/fake_daemon/main.go b/src/code.cloudfoundry.org/silk/cni/integration/fake_daemon/main.go index 2505975f..a95434ba 100644 
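Review bot: The justification on the new `#nosec G104` in createNewChain overstates what is known: an iptables chain-creation call can fail for reasons other than the chain already existing (xtables lock contention, a missing or non-executable iptables binary, insufficient privileges), and swallowing all of them means the jump rule built a few lines later targets a chain that was never created, which surfaces as a confusing follow-on error or, if that insert is also tolerated, as no ingress filtering at all. If the IPTablesAdapter (its interface is not visible here) exposes an existence check, prefer `exists, err := ipTablesAdapter.ChainExists("filter", IngressChainName)` and skip creation only when that reports true; otherwise at least return any NewChain error that is not the already-exists case rather than every error. createNewChain continues past the end of this hunk.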
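Review bot: The Delete error is now propagated, but the `exists, _ := lockedIPTables.Exists(...)` immediately above still discards its error; when Exists fails (for example on xtables lock contention) `exists` is false, the OUTPUT jump rule is silently left in place, and the ClearChain that follows for a still-referenced chain fails with a less direct message. Handling it as `exists, err := lockedIPTables.Exists("filter", "OUTPUT", jumpRule)` followed by `if err != nil { return err }` closes that gap, though the later `err := lockedIPTables.ClearChain(...)` at the same scope would then need to become `err =` to avoid a redeclaration. The bare `return err` from Delete also loses the context of which rule failed; wrapping it with the chain and rule name would help whoever reads the shutdown log. flushAndDeleteChain starts before this hunk and continues after it.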
--- a/src/code.cloudfoundry.org/silk/cni/integration/fake_daemon/main.go +++ b/src/code.cloudfoundry.org/silk/cni/integration/fake_daemon/main.go @@ -29,6 +29,7 @@ func main() { fmt.Sprintf("127.0.0.1:%s", port), http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(code) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(response)) }), ) diff --git a/src/code.cloudfoundry.org/silk/cni/lib/common.go b/src/code.cloudfoundry.org/silk/cni/lib/common.go index abfe021c..77ff2ee1 100644 --- a/src/code.cloudfoundry.org/silk/cni/lib/common.go +++ b/src/code.cloudfoundry.org/silk/cni/lib/common.go @@ -52,6 +52,7 @@ func (s *Common) BasicSetup(deviceName string, local, peer config.DualAddress) e s.Logger.Debug("hardware-addr-set-correctly", lager.Data{"addr": l.Attrs().HardwareAddr.String()}) } + // #nosec G104 - we have tests explicitly checking that we ignore failures here, so don't handle it s.LinkOperations.DisableIPv6(deviceName) if err := s.LinkOperations.StaticNeighborNoARP(link, peer.IP, peer.Hardware); err != nil { diff --git a/src/code.cloudfoundry.org/silk/controller/handlers/lease_acquire.go b/src/code.cloudfoundry.org/silk/controller/handlers/lease_acquire.go index 8e38fad3..f11d74da 100644 --- a/src/code.cloudfoundry.org/silk/controller/handlers/lease_acquire.go +++ b/src/code.cloudfoundry.org/silk/controller/handlers/lease_acquire.go @@ -59,5 +59,6 @@ func (l *LeasesAcquire) ServeHTTP(logger lager.Logger, w http.ResponseWriter, re return } + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write(bytes) } diff --git a/src/code.cloudfoundry.org/silk/controller/handlers/leases_index.go b/src/code.cloudfoundry.org/silk/controller/handlers/leases_index.go index 12ec3398..26ede81b 100644 --- a/src/code.cloudfoundry.org/silk/controller/handlers/leases_index.go 
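Review bot: The new comment on the DisableIPv6 call in BasicSetup explains that tests require the failure to be ignored, but not why continuing with IPv6 still enabled on the link is acceptable; if the rest of the datapath's filtering is IPv4-only (not determinable from this hunk), an interface that keeps IPv6 is a potential policy bypass, and the comment should state whether that was considered. Logging the failure keeps the tolerated behaviour while removing the need for the suppression, unless those tests assert on an empty log: `if err := s.LinkOperations.DisableIPv6(deviceName); err != nil { s.Logger.Debug("disable-ipv6-failed", lager.Data{"error": err.Error()}) }`, matching the debug logging already used two lines above for the hardware address. BasicSetup starts before this hunk and continues after it.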
+++ b/src/code.cloudfoundry.org/silk/controller/handlers/leases_index.go @@ -38,5 +38,6 @@ func (l *LeasesIndex) ServeHTTP(logger lager.Logger, w http.ResponseWriter, req return } + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write(bytes) } diff --git a/src/code.cloudfoundry.org/silk/controller/handlers/release_lease.go b/src/code.cloudfoundry.org/silk/controller/handlers/release_lease.go index c3154ae3..165c1146 100644 --- a/src/code.cloudfoundry.org/silk/controller/handlers/release_lease.go +++ b/src/code.cloudfoundry.org/silk/controller/handlers/release_lease.go @@ -45,5 +45,6 @@ func (l *ReleaseLease) ServeHTTP(logger lager.Logger, w http.ResponseWriter, req return } + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(`{}`)) } diff --git a/src/code.cloudfoundry.org/silk/controller/handlers/renew_lease.go b/src/code.cloudfoundry.org/silk/controller/handlers/renew_lease.go index 02971b02..d83a48c2 100644 --- a/src/code.cloudfoundry.org/silk/controller/handlers/renew_lease.go +++ b/src/code.cloudfoundry.org/silk/controller/handlers/renew_lease.go @@ -55,5 +55,6 @@ func (l *RenewLease) ServeHTTP(logger lager.Logger, w http.ResponseWriter, req * return } + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte("{}")) } diff --git a/src/code.cloudfoundry.org/silk/testsupport/fakecontroller.go b/src/code.cloudfoundry.org/silk/testsupport/fakecontroller.go index bab2897d..7897cd3d 100644 --- a/src/code.cloudfoundry.org/silk/testsupport/fakecontroller.go +++ b/src/code.cloudfoundry.org/silk/testsupport/fakecontroller.go 
@@ -49,6 +49,7 @@ func (f *FakeController) ServeHTTP(w http.ResponseWriter, r *http.Request) { } if fakeHandler == nil { w.WriteHeader(http.StatusTeapot) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(`{}`)) return } @@ -61,6 +62,7 @@ func (f *FakeController) ServeHTTP(w http.ResponseWriter, r *http.Request) { fakeHandler.LastRequestBody = bodyBytes responseBytes, _ := json.Marshal(fakeHandler.ResponseBody) w.WriteHeader(fakeHandler.ResponseCode) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write(responseBytes) } diff --git a/src/code.cloudfoundry.org/testsupport/fake_policy_server.go b/src/code.cloudfoundry.org/testsupport/fake_policy_server.go index 0111be5b..d7ec6312 100644 --- a/src/code.cloudfoundry.org/testsupport/fake_policy_server.go +++ b/src/code.cloudfoundry.org/testsupport/fake_policy_server.go @@ -22,6 +22,7 @@ func (f *FakePolicyServer) Start(listenAddr string, tlsConfig *tls.Config) { switch r.URL.Path { case "/networking/v1/internal/tags": w.WriteHeader(http.StatusOK) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(fmt.Sprintf(`{ "id": "some-id", "type": "some-type", diff --git a/src/code.cloudfoundry.org/testsupport/fakecontroller.go b/src/code.cloudfoundry.org/testsupport/fakecontroller.go index 9caff1b9..55865d38 100644 --- a/src/code.cloudfoundry.org/testsupport/fakecontroller.go +++ b/src/code.cloudfoundry.org/testsupport/fakecontroller.go @@ -45,6 +45,7 @@ func (f *FakeController) ServeHTTP(w http.ResponseWriter, r *http.Request) { } if fakeHandler == nil { w.WriteHeader(http.StatusTeapot) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(`{}`)) return } 
@@ -52,6 +53,7 @@ func (f *FakeController) ServeHTTP(w http.ResponseWriter, r *http.Request) { fakeHandler.LastRequestBody = bodyBytes responseBytes, _ := json.Marshal(fakeHandler.ResponseBody) w.WriteHeader(fakeHandler.ResponseCode) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write(responseBytes) } diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_asg_for_container.go b/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_asg_for_container.go index 6cecca9d..591990a7 100644 --- a/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_asg_for_container.go +++ b/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_asg_for_container.go @@ -13,6 +13,7 @@ type ForceASGsForContainer struct { func (h *ForceASGsForContainer) ServeHTTP(w http.ResponseWriter, r *http.Request) { if !h.EnableASGSyncing { w.WriteHeader(http.StatusMethodNotAllowed) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte("ASG syncing has been disabled administratively")) return } @@ -20,14 +21,17 @@ func (h *ForceASGsForContainer) ServeHTTP(w http.ResponseWriter, r *http.Request container := r.URL.Query().Get("container") if container == "" { w.WriteHeader(http.StatusBadRequest) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte("no container specified")) return } if err := h.ASGUpdateFunc(container); err != nil { errorMessage := fmt.Sprintf("failed to update asgs for container %s: %s", container, err) w.WriteHeader(http.StatusInternalServerError) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(errorMessage)) return } + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(fmt.Sprintf("updated container %s", container))) } 
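Review bot: Each of the annotated `w.Write` calls in ForceASGsForContainer.ServeHTTP emits a plain-text body without setting a Content-Type, so net/http sniffs one from the first bytes, and two of those bodies echo the caller-supplied `container` query value and the raw ASGUpdateFunc error. Adding `w.Header().Set("Content-Type", "text/plain; charset=utf-8")` once at the top of the handler, before any WriteHeader, removes the sniffing and makes the endpoint's contract explicit; the fixed prefixes in these messages stop the sniffer from guessing HTML today, but that is an accident of wording rather than a guarantee. The same applies to the ForceOrphanedASGsCleanup handler changed below, whose responses have the same shape.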
diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_orphaned_asgs_cleanup.go b/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_orphaned_asgs_cleanup.go index f4421e3b..cba2c454 100644 --- a/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_orphaned_asgs_cleanup.go +++ b/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_orphaned_asgs_cleanup.go @@ -13,6 +13,7 @@ type ForceOrphanedASGsCleanup struct { func (h *ForceOrphanedASGsCleanup) ServeHTTP(w http.ResponseWriter, r *http.Request) { if !h.EnableASGSyncing { w.WriteHeader(http.StatusMethodNotAllowed) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte("ASG syncing has been disabled administratively")) return } @@ -20,15 +21,18 @@ func (h *ForceOrphanedASGsCleanup) ServeHTTP(w http.ResponseWriter, r *http.Requ container := r.URL.Query().Get("container") if container == "" { w.WriteHeader(http.StatusBadRequest) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte("no container specified")) return } if err := h.ASGCleanupFunc(container); err != nil { errorMessage := fmt.Sprintf("failed to cleanup ASGs for container %s: %s", container, err) w.WriteHeader(http.StatusInternalServerError) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(errorMessage)) return } + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(fmt.Sprintf("cleaned up ASGs for container %s", container))) } diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_policy_poll_cycle.go b/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_policy_poll_cycle.go index 1f2bfe71..66f03524 100644 --- a/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_policy_poll_cycle.go 
+++ b/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/force_policy_poll_cycle.go @@ -13,6 +13,7 @@ func (h *ForcePolicyPollCycle) ServeHTTP(w http.ResponseWriter, r *http.Request) if err := h.PollCycleFunc(); err != nil { errorMessage := fmt.Sprintf("failed to force policy poll cycle: %s", err) w.WriteHeader(http.StatusInternalServerError) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(errorMessage)) return } diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/iptables_logging.go b/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/iptables_logging.go index af36c142..7b6d8136 100644 --- a/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/iptables_logging.go +++ b/src/code.cloudfoundry.org/vxlan-policy-agent/handlers/iptables_logging.go @@ -25,11 +25,13 @@ func (h *IPTablesLogging) ServeHTTP(w http.ResponseWriter, r *http.Request) { err := json.NewDecoder(r.Body).Decode(&bodyStruct) if err != nil { w.WriteHeader(http.StatusBadRequest) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(`{ "error": "decoding request body as json" }`)) return } if bodyStruct.Enabled == nil { w.WriteHeader(http.StatusBadRequest) + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS w.Write([]byte(`{ "error": "missing required key 'enabled'" }`)) return } @@ -40,6 +42,7 @@ func (h *IPTablesLogging) ServeHTTP(w http.ResponseWriter, r *http.Request) { } } + // #nosec G104 - ignore errors when writing HTTP responses so we don't spam our logs during a DoS json.NewEncoder(w).Encode(struct { Enabled bool `json:"enabled"` }{h.LoggingState.IsEnabled()})
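Review bot: The encoder write that gets the new `#nosec` in IPTablesLogging.ServeHTTP emits JSON, but no `Content-Type: application/json` header is set anywhere in these hunks, nor for the two 400 responses whose bodies are JSON as well, so clients and net/http's sniffer see text/plain. A single `w.Header().Set("Content-Type", "application/json")` at the top of the handler, before any WriteHeader, covers all three responses. The Decode at the top of the first hunk also reads the request body without a bound; wrapping it as `json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&bodyStruct)` is cheap insurance for an endpoint that toggles iptables logging. The handler starts before the first hunk of this file.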