Fix gosec warnings (#224)

* Clean path before openning files Signed-off-by: thepetk <[email protected]> * Add defer with error handling Signed-off-by: thepetk <[email protected]> * Add error handling for unmarshalling files Signed-off-by: thepetk <[email protected]> * Fix gosec warning Signed-off-by: thepetk <[email protected]> * Clean filpath for os.open func Signed-off-by: thepetk <[email protected]> --------- Signed-off-by: thepetk <[email protected]>
redhat-developer · Jun 1, 2023 · 58927f6 · 58927f6
1 parent 6947f49
commit 58927f6
Show file tree

Hide file tree

Showing 18 changed files with 134 additions and 96 deletions.
diff --git a/go/pkg/apis/enricher/enricher.go b/go/pkg/apis/enricher/enricher.go
@@ -125,9 +125,16 @@ func GetDefaultProjectName(path string) string {
 func GetPortsFromDockerFile(root string) []int {
 	locations := getLocations(root)
 	for _, location := range locations {
-		file, err := os.Open(filepath.Join(root, location))
+		filePath := filepath.Join(root, location)
+		cleanFilePath := filepath.Clean(filePath)
+		file, err := os.Open(cleanFilePath)
 		if err == nil {
-			defer file.Close()
+			defer func() error {
+				if err := file.Close(); err != nil {
+					return fmt.Errorf("error closing file: %s", err)
+				}
+				return nil
+			}()
 			return getPortsFromReader(file)
 		}
 	}

diff --git a/go/pkg/apis/enricher/framework/dotnet/dotnet_detector.go b/go/pkg/apis/enricher/framework/dotnet/dotnet_detector.go
@@ -14,8 +14,10 @@ package enricher
 import (
 	"context"
 	"encoding/xml"
+	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/redhat-developer/alizer/go/pkg/apis/model"
@@ -53,16 +55,24 @@ func (d DotNetDetector) DoPortsDetection(component *model.Component, ctx *contex
 }
 
 func getFrameworks(configFilePath string) string {
-	xmlFile, err := os.Open(configFilePath)
+	cleanConfigPath := filepath.Clean(configFilePath)
+	xmlFile, err := os.Open(cleanConfigPath)
 	if err != nil {
 		return ""
 	}
 	byteValue, _ := ioutil.ReadAll(xmlFile)
 
 	var proj schema.DotNetProject
-	xml.Unmarshal(byteValue, &proj)
-
-	defer xmlFile.Close()
+	err = xml.Unmarshal(byteValue, &proj)
+	if err != nil {
+		return ""
+	}
+	defer func() error {
+		if err := xmlFile.Close(); err != nil {
+			return fmt.Errorf("error closing file: %s", err)
+		}
+		return nil
+	}()
 	if proj.PropertyGroup.TargetFramework != "" {
 		return proj.PropertyGroup.TargetFramework
 	} else if proj.PropertyGroup.TargetFrameworkVersion != "" {

diff --git a/go/pkg/apis/enricher/framework/go/echo_detector.go b/go/pkg/apis/enricher/framework/go/echo_detector.go
@@ -13,7 +13,6 @@ package enricher
 
 import (
 	"context"
-	"os"
 	"regexp"
 
 	"github.com/redhat-developer/alizer/go/pkg/apis/model"
@@ -59,16 +58,8 @@ func (e EchoDetector) DoPortsDetection(component *model.Component, ctx *context.
 		},
 	}
 
-	for _, file := range files {
-		bytes, err := os.ReadFile(file)
-		if err != nil {
-			continue
-		}
-		ports := GetPortFromFileGo(matchRegexRules, string(bytes))
-		if len(ports) > 0 {
-			component.Ports = ports
-			return
-		}
+	ports := GetPortFromFilesGo(matchRegexRules, files)
+	if len(ports) > 0 {
+		component.Ports = ports
 	}
-
 }
diff --git a/go/pkg/apis/enricher/framework/go/fasthttp_detector.go b/go/pkg/apis/enricher/framework/go/fasthttp_detector.go
@@ -13,7 +13,6 @@ package enricher
 
 import (
 	"context"
-	"os"
 	"regexp"
 
 	"github.com/redhat-developer/alizer/go/pkg/apis/model"
@@ -40,24 +39,16 @@ func (f FastHttpDetector) DoPortsDetection(component *model.Component, ctx *cont
 		return
 	}
 
-	matchRegexRule := model.PortMatchRules{
+	matchRegexRules := model.PortMatchRules{
 		MatchIndexRegexes: []model.PortMatchRule{
 			{
 				Regex:     regexp.MustCompile(`.ListenAndServe\([^,)]*`),
 				ToReplace: ".ListenAndServe(",
 			},
 		},
 	}
-	for _, file := range files {
-		bytes, err := os.ReadFile(file)
-		if err != nil {
-			continue
-		}
-		ports := GetPortFromFileGo(matchRegexRule, string(bytes))
-		if len(ports) > 0 {
-			component.Ports = ports
-			return
-		}
+	ports := GetPortFromFilesGo(matchRegexRules, files)
+	if len(ports) > 0 {
+		component.Ports = ports
 	}
-
 }
diff --git a/go/pkg/apis/enricher/framework/go/gin_detector.go b/go/pkg/apis/enricher/framework/go/gin_detector.go
@@ -13,7 +13,6 @@ package enricher
 
 import (
 	"context"
-	"os"
 	"regexp"
 
 	"github.com/redhat-developer/alizer/go/pkg/apis/model"
@@ -40,7 +39,7 @@ func (g GinDetector) DoPortsDetection(component *model.Component, ctx *context.C
 		return
 	}
 
-	matchRegexRule := model.PortMatchRules{
+	matchRegexRules := model.PortMatchRules{
 		MatchIndexRegexes: []model.PortMatchRule{
 			{
 				Regex:     regexp.MustCompile(`.Run\(([^,)]*)`),
@@ -49,15 +48,8 @@ func (g GinDetector) DoPortsDetection(component *model.Component, ctx *context.C
 		},
 	}
 
-	for _, file := range files {
-		bytes, err := os.ReadFile(file)
-		if err != nil {
-			continue
-		}
-		ports := GetPortFromFileGo(matchRegexRule, string(bytes))
-		if len(ports) > 0 {
-			component.Ports = ports
-			return
-		}
+	ports := GetPortFromFilesGo(matchRegexRules, files)
+	if len(ports) > 0 {
+		component.Ports = ports
 	}
 }
diff --git a/go/pkg/apis/enricher/framework/go/go_detector.go b/go/pkg/apis/enricher/framework/go/go_detector.go
@@ -14,6 +14,7 @@ package enricher
 import (
 	"context"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -57,16 +58,9 @@ func DoGoPortsDetection(component *model.Component, ctx *context.Context) {
 		},
 	}
 
-	for _, file := range files {
-		bytes, err := os.ReadFile(file)
-		if err != nil {
-			continue
-		}
-		ports := GetPortFromFileGo(matchRegexRules, string(bytes))
-		if len(ports) > 0 {
-			component.Ports = ports
-			return
-		}
+	ports := GetPortFromFilesGo(matchRegexRules, files)
+	if len(ports) > 0 {
+		component.Ports = ports
 	}
 }
 
@@ -134,3 +128,20 @@ func GetPortWithMatchIndexesGo(content string, matchIndexes []int, toBeReplaced
 
 	return -1
 }
+
+// GetPortFromFilesGo loops through a list of paths and tries to find a port matching the
+// given set PortMatchRules
+func GetPortFromFilesGo(matchRegexRules model.PortMatchRules, files []string) []int {
+	for _, file := range files {
+		cleanFile := filepath.Clean(file)
+		bytes, err := os.ReadFile(cleanFile)
+		if err != nil {
+			continue
+		}
+		ports := GetPortFromFileGo(matchRegexRules, string(bytes))
+		if len(ports) > 0 {
+			return ports
+		}
+	}
+	return []int{}
+}
diff --git a/go/pkg/apis/enricher/framework/go/gofiber_detector.go b/go/pkg/apis/enricher/framework/go/gofiber_detector.go
@@ -13,7 +13,6 @@ package enricher
 
 import (
 	"context"
-	"os"
 	"regexp"
 
 	"github.com/redhat-developer/alizer/go/pkg/apis/model"
@@ -40,23 +39,16 @@ func (g GoFiberDetector) DoPortsDetection(component *model.Component, ctx *conte
 		return
 	}
 
-	matchRegexRule := model.PortMatchRules{
+	matchRegexRules := model.PortMatchRules{
 		MatchIndexRegexes: []model.PortMatchRule{
 			{
 				Regex:     regexp.MustCompile(`.Listen\(([^,)]*)`),
 				ToReplace: ".Listen(",
 			},
 		},
 	}
-	for _, file := range files {
-		bytes, err := os.ReadFile(file)
-		if err != nil {
-			continue
-		}
-		ports := GetPortFromFileGo(matchRegexRule, string(bytes))
-		if len(ports) > 0 {
-			component.Ports = ports
-			return
-		}
+	ports := GetPortFromFilesGo(matchRegexRules, files)
+	if len(ports) > 0 {
+		component.Ports = ports
 	}
 }
diff --git a/go/pkg/apis/enricher/framework/go/mux_detector.go b/go/pkg/apis/enricher/framework/go/mux_detector.go
@@ -13,7 +13,6 @@ package enricher
 
 import (
 	"context"
-	"os"
 	"regexp"
 
 	"github.com/redhat-developer/alizer/go/pkg/apis/model"
@@ -55,15 +54,8 @@ func (m MuxDetector) DoPortsDetection(component *model.Component, ctx *context.C
 		},
 	}
 
-	for _, file := range files {
-		bytes, err := os.ReadFile(file)
-		if err != nil {
-			continue
-		}
-		ports := GetPortFromFileGo(matchRegexRules, string(bytes))
-		if len(ports) > 0 {
-			component.Ports = ports
-			return
-		}
+	ports := GetPortFromFilesGo(matchRegexRules, files)
+	if len(ports) > 0 {
+		component.Ports = ports
 	}
 }
diff --git a/go/pkg/apis/enricher/framework/java/micronaut_detector.go b/go/pkg/apis/enricher/framework/java/micronaut_detector.go
@@ -76,7 +76,10 @@ func (m MicronautDetector) DoPortsDetection(component *model.Component, ctx *con
 func getMicronautPortsFromBytes(bytes []byte) []int {
 	var ports []int
 	var data MicronautApplicationProps
-	yaml.Unmarshal(bytes, &data)
+	err := yaml.Unmarshal(bytes, &data)
+	if err != nil {
+		return []int{}
+	}
 	if data.Micronaut.Server.SSL.Enabled && utils.IsValidPort(data.Micronaut.Server.SSL.Port) {
 		ports = append(ports, data.Micronaut.Server.SSL.Port)
 	}

diff --git a/go/pkg/apis/enricher/framework/java/openliberty_detector.go b/go/pkg/apis/enricher/framework/java/openliberty_detector.go
@@ -55,7 +55,10 @@ func (o OpenLibertyDetector) DoPortsDetection(component *model.Component, ctx *c
 		return
 	}
 	var data ServerXml
-	xml.Unmarshal(bytes, &data)
+	err = xml.Unmarshal(bytes, &data)
+	if err != nil {
+		return
+	}
 	ports := utils.GetValidPorts([]string{data.HttpEndpoint.HttpPort, data.HttpEndpoint.HttpsPort})
 	if len(ports) > 0 {
 		component.Ports = ports

diff --git a/go/pkg/apis/enricher/framework/java/quarkus_detector.go b/go/pkg/apis/enricher/framework/java/quarkus_detector.go
@@ -140,7 +140,10 @@ func getServerPortsFromQuarkusApplicationYamlFile(file string) ([]int, error) {
 		return []int{}, err
 	}
 	var data QuarkusApplicationYaml
-	yaml.Unmarshal(yamlFile, &data)
+	err = yaml.Unmarshal(yamlFile, &data)
+	if err != nil {
+		return []int{}, err
+	}
 	var ports []int
 	if data.Quarkus.Http.SSLPort > 0 {
 		ports = append(ports, data.Quarkus.Http.SSLPort)

diff --git a/go/pkg/apis/enricher/framework/java/spring_detector.go b/go/pkg/apis/enricher/framework/java/spring_detector.go
@@ -127,7 +127,10 @@ func getServerPortsFromYamlFile(file string) ([]int, error) {
 		return []int{}, err
 	}
 	var data ApplicationProsServer
-	yaml.Unmarshal(yamlFile, &data)
+	err = yaml.Unmarshal(yamlFile, &data)
+	if err != nil {
+		return []int{}, err
+	}
 	var ports []int
 	if data.Server.Port > 0 {
 		ports = append(ports, data.Server.Port)

diff --git a/go/pkg/apis/enricher/framework/javascript/nodejs/express_detector.go b/go/pkg/apis/enricher/framework/javascript/nodejs/express_detector.go
@@ -14,6 +14,7 @@ package enricher
 import (
 	"context"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strings"
 
@@ -43,7 +44,8 @@ func (e ExpressDetector) DoPortsDetection(component *model.Component, ctx *conte
 	re := regexp.MustCompile(`\.listen\([^,)]*`)
 	var ports []int
 	for _, file := range files {
-		bytes, err := os.ReadFile(file)
+		cleanFile := filepath.Clean(file)
+		bytes, err := os.ReadFile(cleanFile)
 		if err != nil {
 			continue
 		}

diff --git a/go/pkg/apis/enricher/java_enricher.go b/go/pkg/apis/enricher/java_enricher.go
@@ -107,7 +107,8 @@ func getProjectNameGradle(root string) string {
 	settingsGradlePath := filepath.Join(root, "settings.gradle")
 	if _, err := os.Stat(settingsGradlePath); err == nil {
 		re := regexp.MustCompile(`rootProject.name\s*=\s*(.*)`)
-		bytes, err := os.ReadFile(settingsGradlePath)
+		cleanSettingsGradlePath := filepath.Clean(settingsGradlePath)
+		bytes, err := os.ReadFile(cleanSettingsGradlePath)
 		if err != nil {
 			return ""
 		}

diff --git a/go/pkg/apis/recognizer/devfile_recognizer.go b/go/pkg/apis/recognizer/devfile_recognizer.go
@@ -15,6 +15,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"net/http"
 	"regexp"
@@ -138,7 +139,12 @@ func downloadDevFileTypesFromRegistry(url string) ([]model.DevFileType, error) {
 			return []model.DevFileType{}, err
 		}
 	}
-	defer resp.Body.Close()
+	defer func() error {
+		if err := resp.Body.Close(); err != nil {
+			return fmt.Errorf("error closing file: %s", err)
+		}
+		return nil
+	}()
 
 	// Check server response
 	if resp.StatusCode != http.StatusOK {