fix issues reported by go sec (#9)

babylonlabs-io · Sep 5, 2024 · 878bbfe · 878bbfe
1 parent a69a8ea
commit 878bbfe
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 10 deletions.
diff --git a/btcclient/client.go b/btcclient/client.go
@@ -352,6 +352,6 @@ func (w *BtcClient) BestBlockHeight() (uint32, error) {
 	if err != nil {
 		return 0, err
 	}
-
+	//#nosec G115 -- safe conversion, nubmer of blocks is always positive and less than math.MaxUint32
 	return uint32(count), nil
 }
diff --git a/config/config.go b/config/config.go
@@ -11,6 +11,10 @@ import (
 	"github.com/spf13/viper"
 )
 
+const (
+	folderPermissions = 0750
+)
+
 type Config struct {
 	// TODO: Separate config for signing node and for full node
 	BtcNodeConfig   BtcConfig     `mapstructure:"btc-config"`
@@ -149,7 +153,7 @@ func WriteConfigToFile(pathToConfFile string, conf *Config) error {
 	dirPath, _ := filepath.Split(pathToConfFile)
 
 	if _, err := os.Stat(pathToConfFile); os.IsNotExist(err) {
-		if err := os.MkdirAll(dirPath, os.ModePerm); err != nil {
+		if err := os.MkdirAll(dirPath, folderPermissions); err != nil {
 			return fmt.Errorf("couldn't make config: %v", err)
 		}
 

diff --git a/config/server.go b/config/server.go
@@ -5,9 +5,9 @@ import "time"
 type ServerConfig struct {
 	Host             string `mapstructure:"host"`
 	Port             int    `mapstructure:"port"`
-	WriteTimeout     uint   `mapstructure:"write-timeout"`
-	ReadTimeout      uint   `mapstructure:"read-timeout"`
-	IdleTimeout      uint   `mapstructure:"idle-timeout"`
+	WriteTimeout     uint32 `mapstructure:"write-timeout"`
+	ReadTimeout      uint32 `mapstructure:"read-timeout"`
+	IdleTimeout      uint32 `mapstructure:"idle-timeout"`
 	MaxContentLength uint32 `mapstructure:"max-content-length"`
 }
 

diff --git a/observability/metrics/prometheus.go b/observability/metrics/prometheus.go
@@ -2,15 +2,20 @@ package metrics
 
 import (
 	"net/http"
-	_ "net/http/pprof"
 	"regexp"
+	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/collectors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/rs/zerolog/log"
 )
 
+const (
+	metricRequestTimeout     time.Duration = 15 * time.Second
+	metricRequestIdleTimeout time.Duration = 30 * time.Second
+)
+
 func Start(addr string, reg *prometheus.Registry) {
 	go start(addr, reg)
 }
@@ -22,17 +27,26 @@ func start(addr string, reg *prometheus.Registry) {
 		collectors.WithGoCollectorRuntimeMetrics(collectors.GoRuntimeMetricsRule{Matcher: regexp.MustCompile("/.*")})),
 	)
 
+	mux := http.NewServeMux()
 	// Expose the registered metrics via HTTP.
-	http.Handle("/metrics", promhttp.HandlerFor(
+	mux.Handle("/metrics", promhttp.HandlerFor(
 		reg,
 		promhttp.HandlerOpts{
 			// Opt into OpenMetrics to support exemplars.
 			EnableOpenMetrics: true,
 		},
 	))
 
-	err := http.ListenAndServe(addr, nil)
-	if err != nil {
-		log.Error().Err(err).Msg("failed to start metrics server")
+	server := &http.Server{
+		Addr:         addr,
+		Handler:      mux,
+		ReadTimeout:  metricRequestTimeout,
+		WriteTimeout: metricRequestTimeout,
+		IdleTimeout:  metricRequestIdleTimeout,
+	}
+
+	log.Printf("Starting metrics server on %s", addr)
+	if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		log.Fatal().Err(err).Msgf("Error starting metrics server on %s", addr)
 	}
 }
diff --git a/signerapp/signer.go b/signerapp/signer.go
@@ -156,6 +156,9 @@ func (s *SignerApp) SignUnbondingTransaction(
 
 	stakingOutputIndexFromUnbondingTx := unbondingTx.TxIn[0].PreviousOutPoint.Index
 
+	//#nosec G115 -- safe conversion from int to uint32, as this point we know that
+	// - staking transaction is valid BTC transaction that is part of the BTC ledger
+	// - BTC transactions won't have more that math.MaxUint32 outputs (in reality the max is closer to ~4k output)
 	if stakingOutputIndexFromUnbondingTx != uint32(parsedStakingTransaction.StakingOutputIdx) {
 		return nil, wrapInvalidSigningRequestError(fmt.Errorf("unbonding transaction has invalid input index"))
 	}