Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable gosec as a linter and resolve potential security issues #1259

Merged
merged 2 commits into from
Oct 17, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .golangci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ linters:
- gofmt
- goimports
- gosimple
- gosec
- govet
- ineffassign
- misspell
Expand Down
14 changes: 8 additions & 6 deletions collectors/metrics/cmd/metrics-collector/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,6 @@ import (
"errors"
"fmt"
stdlog "log"
"net"
"net/http"
"net/url"
"os"
Expand Down Expand Up @@ -362,21 +361,24 @@ func (o *Options) Run() error {
return worker.Reconfigure(*cfg)
})
handlers.Handle("/federate", serveLastMetrics(o.Logger, worker))
l, err := net.Listen("tcp", o.Listen)
if err != nil {
return fmt.Errorf("failed to listen: %w", err)
s := http.Server{
Addr: o.Listen,
Handler: handlers,
ReadHeaderTimeout: 1 * time.Second,
ReadTimeout: 5 * time.Second,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a good value? Why is the write timeout so much bigger?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tbh, I copied this verbatim from obs API. I think the write timeout was bigger due to Loki stuff there.
Over here, I guess it will be remote write request to Obs API.

But yeah I can make both the same if you want.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm mostly worried about the read timeout being so low than the write timeout being too big. Maybe we could bump the read timeout to something like 15s and the read header one to 5s? 🤔

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

WriteTimeout: 12 * time.Minute,
}

{
// Run the HTTP server.
g.Add(func() error {
if err := http.Serve(l, handlers); err != nil && err != http.ErrServerClosed {
if err := s.ListenAndServe(); err != nil && err != http.ErrServerClosed {
logger.Log(o.Logger, logger.Error, "msg", "server exited unexpectedly", "err", err)
return err
}
return nil
}, func(error) {
err := l.Close()
err := s.Shutdown(context.Background())
if err != nil {
logger.Log(o.Logger, logger.Error, "msg", "failed to close listener", "err", err)
}
Expand Down
2 changes: 1 addition & 1 deletion collectors/metrics/pkg/forwarder/forwarder.go
Original file line number Diff line number Diff line change
Expand Up @@ -122,7 +122,7 @@ func CreateFromClient(cfg Config, metrics *workerMetrics, interval time.Duration
fromTransport.TLSClientConfig.RootCAs = pool
} else {
if fromTransport.TLSClientConfig == nil {
/* #nosec G402*/
// #nosec G402 -- Only used if no TLS config is provided.
fromTransport.TLSClientConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
InsecureSkipVerify: true,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ import (
)

const (
hubAmAccessorSecretName = "observability-alertmanager-accessor" // #nosec
hubAmAccessorSecretKey = "token"
hubAmAccessorSecretName = "observability-alertmanager-accessor" // #nosec G101 -- Not a hardcoded credential.
hubAmAccessorSecretKey = "token" // #nosec G101 -- Not a hardcoded credential.
hubAmRouterCASecretName = "hub-alertmanager-router-ca"
hubAmRouterCASecretKey = "service-ca.crt"
clusterMonitoringConfigName = "cluster-monitoring-config"
Expand Down
2 changes: 1 addition & 1 deletion operators/endpointmetrics/pkg/util/lease.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ import (
)

const (
leaseName = "observability-controller"
leaseName = "observability-controller" // #nosec G101 -- Not a hardcoded credential.
)

var (
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -561,7 +561,6 @@ func (r *PlacementRuleReconciler) SetupWithManager(mgr ctrl.Manager) error {
"obsAddonName",
e.Object.GetName(),
)
/* #nosec */
if err := removePostponeDeleteAnnotationForManifestwork(c, e.Object.GetNamespace()); err != nil {
log.Error(err, "postpone delete annotation for manifestwork could not be removed")
return false
Expand Down Expand Up @@ -775,7 +774,6 @@ func (r *PlacementRuleReconciler) SetupWithManager(mgr ctrl.Manager) error {
if e.Object.GetName() == config.AlertmanagerAccessorSAName &&
e.Object.GetNamespace() == config.GetDefaultNamespace() {
// wait 10s for access_token of alertmanager and generate the secret that contains the access_token
/* #nosec */
if err := wait.Poll(2*time.Second, 10*time.Second, func() (bool, error) {
var err error
log.Info("generate amAccessorTokenSecret for alertmanager access serviceaccount CREATE")
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ import (
)

const (
addonName = "observability-controller"
addonName = "observability-controller" // #nosec G101 -- Not a hardcoded credential.
resRoleName = "endpoint-observability-res-role"
resRoleBindingName = "endpoint-observability-res-rolebinding"
mcoRoleName = "endpoint-observability-mco-role"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import (
)

const (
addonName = "observability-controller"
addonName = "observability-controller" // #nosec G101 -- Not a hardcoded credential.
agentName = "observability"
)

Expand Down
20 changes: 9 additions & 11 deletions operators/multiclusterobservability/pkg/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -71,15 +71,13 @@ const (
GrafanaCN = "grafana"
ManagedClusterOU = "acm"

GrafanaRouteName = "grafana"
GrafanaServiceName = "grafana"
GrafanaOauthClientName = "grafana-proxy-client"
/* #nosec */
GrafanaOauthClientSecret = "grafana-proxy-client"

AlertmanagerAccessorSAName = "observability-alertmanager-accessor"
/* #nosec */
AlertmanagerAccessorSecretName = "observability-alertmanager-accessor"
GrafanaRouteName = "grafana"
GrafanaServiceName = "grafana"
GrafanaOauthClientName = "grafana-proxy-client" // #nosec G101 -- Not a hardcoded credential.
GrafanaOauthClientSecret = "grafana-proxy-client" // #nosec G101 -- Not a hardcoded credential.

AlertmanagerAccessorSAName = "observability-alertmanager-accessor"
AlertmanagerAccessorSecretName = "observability-alertmanager-accessor" // #nosec G101 -- Not a hardcoded credential.
AlertmanagerServiceName = "alertmanager"
AlertmanagerRouteName = "alertmanager"
AlertmanagerRouteBYOCAName = "alertmanager-byo-ca"
Expand Down Expand Up @@ -136,8 +134,8 @@ const (
MemcachedExporterImgTag = "v0.9.0"

GrafanaImgKey = "grafana"
GrafanaDashboardLoaderName = "grafana-dashboard-loader"
GrafanaDashboardLoaderKey = "grafana_dashboard_loader"
GrafanaDashboardLoaderName = "grafana-dashboard-loader" // #nosec G101 -- Not a hardcoded credential.
GrafanaDashboardLoaderKey = "grafana_dashboard_loader" // #nosec G101 -- Not a hardcoded credential.
GrafanaCustomDashboardLabel = "grafana-custom-dashboard"

AlertManagerImgName = "prometheus-alertmanager"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,7 @@ func (r *MCORenderer) renderProxySecret(res *resource.Resource,
return nil, err
}

// #nosec G101 -- Not a hardcoded credential.
if u.GetName() == "rbac-proxy-cookie-secret" {
obj := util.GetK8sObj(u.GetKind())
err = runtime.DefaultUnstructuredConverter.FromUnstructured(u.Object, obj)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ import (
)

const (
ObservabilityController = "observability-controller"
ObservabilityController = "observability-controller" // #nosec G101 -- Not a hardcoded credential.
AddonGroup = "addon.open-cluster-management.io"
AddonDeploymentConfigResource = "addondeploymentconfigs"
grafanaLink = "/d/2b679d600f3b9e7676a7c5ac3643d448/acm-clusters-overview"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ import (
)

const (
ManagedClusterAddonName = "observability-controller"
ManagedClusterAddonName = "observability-controller" // #nosec G101 -- Not a hardcoded credential.
)

var (
Expand Down
2 changes: 1 addition & 1 deletion operators/pkg/config/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ package config
const (
ClusterNameKey = "cluster-name"
HubInfoSecretName = "hub-info-secret"
HubInfoSecretKey = "hub-info.yaml" // #nosec
HubInfoSecretKey = "hub-info.yaml" // #nosec G101 -- Not a hardcoded credential.
ObservatoriumAPIRemoteWritePath = "/api/metrics/v1/default/api/v1/receive"
AnnotationSkipCreation = "skip-creation-if-exist"

Expand Down
14 changes: 12 additions & 2 deletions proxy/cmd/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (
"flag"
"net/http"
"os"
"time"

"github.com/spf13/pflag"
k8serrors "k8s.io/apimachinery/pkg/api/errors"
Expand Down Expand Up @@ -84,8 +85,17 @@ func main() {
go util.ScheduleManagedClusterLabelAllowlistResync(kubeClient)
go util.CleanExpiredProjectInfoJob(24 * 60 * 60)

http.HandleFunc("/", proxy.HandleRequestAndRedirect)
if err := http.ListenAndServe(cfg.listenAddress, nil); err != nil {
handlers := http.NewServeMux()
handlers.HandleFunc("/", proxy.HandleRequestAndRedirect)
s := http.Server{
Addr: cfg.listenAddress,
Handler: handlers,
ReadHeaderTimeout: 1 * time.Second,
ReadTimeout: 5 * time.Second,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question about the big difference between read and write timeout.

WriteTimeout: 12 * time.Minute,
}

if err := s.ListenAndServe(); err != nil {
klog.Fatalf("failed to ListenAndServe: %v", err)
}
}
2 changes: 1 addition & 1 deletion tests/pkg/utils/mco_dashboard.go
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ func ContainDashboard(opt TestOptions, title string) (error, bool) {
client := &http.Client{}
if os.Getenv("IS_KIND_ENV") != "true" {
tr := &http.Transport{
// #nosec
// #nosec G402 -- Used in test.
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}

Expand Down
2 changes: 1 addition & 1 deletion tests/pkg/utils/mco_deploy.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ const (
MCO_NAMESPACE = "open-cluster-management-observability"
MCO_ADDON_NAMESPACE = "open-cluster-management-addon-observability"
MCO_PULL_SECRET_NAME = "multiclusterhub-operator-pull-secret"
OBJ_SECRET_NAME = "thanos-object-storage" // #nosec
OBJ_SECRET_NAME = "thanos-object-storage" // #nosec G101 -- Not a hardcoded credential.
MCO_GROUP = "observability.open-cluster-management.io"
OCM_WORK_GROUP = "work.open-cluster-management.io"
OCM_CLUSTER_GROUP = "cluster.open-cluster-management.io"
Expand Down
2 changes: 1 addition & 1 deletion tests/pkg/utils/mco_metric.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ func ContainManagedClusterMetric(opt TestOptions, query string, matchedLabels []
client := &http.Client{}
if os.Getenv("IS_KIND_ENV") != "true" {
tr := &http.Transport{
/* #nosec */
// #nosec G402 -- Only used in test.
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}

Expand Down