Fix static analysis issues #480
Conversation
qbft/spectest/generate/main.go
Outdated
| @@ -92,7 +93,7 @@ func writeJsonStateComparison(name, testType string, post interface{}) { | |||
|
|
|||
| file := filepath.Join(scDir, fmt.Sprintf("%s.json", name)) | |||
| log.Printf("writing state comparison json: %s\n", file) | |||
| if err := os.WriteFile(file, byts, 0644); err != nil { | |||
| if err := os.WriteFile(file, byts, 0600); err != nil { | |||
There was a problem hiding this comment.
I would update to 0444
The reason is that we don't want anyone writing to the file, to make tests pass/fail.
There's nothing confidential here so might as well let everyone read
There was a problem hiding this comment.
Yup, I agree
There was a problem hiding this comment.
Actually, gosec still complains about 0444:
G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
Can't it be 0400? Why do we need to allow "read" for group and others?
There was a problem hiding this comment.
hmm
if CI passes then it can be 0400 honestly
I just think that there is no confidential information and the SSV repo generate jsons itself.
I just saw no sec concern so you can choose
There was a problem hiding this comment.
I also don't see security concerns, but gosec complains and I also don't see a reason for the group and others read permission.
Updating it to 0400
qbft/spectest/generate/main.go
Outdated
| @@ -119,7 +120,7 @@ func writeJson(data []byte) { | |||
|
|
|||
| file := filepath.Join(basedir, "tests.json") | |||
| log.Printf("writing spec tests json to: %s\n", file) | |||
| if err := os.WriteFile(file, data, 0644); err != nil { | |||
| if err := os.WriteFile(file, data, 0600); err != nil { | |||
ssv/spectest/generate/main.go
Outdated
| @@ -112,7 +113,7 @@ func writeSingleSCJson(path string, testType string, post interface{}) { | |||
| } | |||
|
|
|||
| log.Printf("writing state comparison json: %s\n", file) | |||
| if err := os.WriteFile(file, byts, 0644); err != nil { | |||
| if err := os.WriteFile(file, byts, 0444); err != nil { | |||
ssv/spectest/generate/main.go
Outdated
| @@ -156,7 +157,7 @@ func writeJson(data []byte) { | |||
| } | |||
|
|
|||
| // Write the gzipped data to a file | |||
| if err := os.WriteFile(file, buf.Bytes(), 0644); err != nil { | |||
| if err := os.WriteFile(file, buf.Bytes(), 0444); err != nil { | |||
types/spectest/generate/main.go
Outdated
| @@ -108,7 +109,7 @@ func writeJson(data []byte) { | |||
| file := filepath.Join(basedir, "tests.json") | |||
|
|
|||
| fmt.Printf("writing spec tests json to: %s\n", file) | |||
| if err := os.WriteFile(file, data, 0644); err != nil { | |||
| if err := os.WriteFile(file, data, 0444); err != nil { | |||
* Solve potential file inclusion via variable * Fix file permission (0644 to 0600) * Add nosec comment for PRNG (pseudo-random number generator) used for testing * Fix lint issue on nil check in []byte type * Update permission from 0444 to 0600 * Update 0444 to 0400
Overview
This PR adds fixes for static analysis issues including:
It also adds a
noseccomment for a cryptographically insecure PRNG (pseudo-random number generator) used in tests. We use this PRNG (math/rand) since the securecrypto/randdoesn't allow seeding (which is important for consistent tests).An existing issue with implicit memory aliasing in a for loop will be automatically fixed by the go update to 1.22.