gosec: handle warnings

All medium and high gosec warnings are handled. This was mostly 0600 file permissions, filepath.Clean(), or annotating other conditions.
billgraziano · Aug 7, 2022 · a7410c6 · a7410c6
1 parent 1be883a
commit a7410c6
Show file tree

Hide file tree

Showing 9 changed files with 16 additions and 15 deletions.
diff --git a/cmd/readfast/main.go b/cmd/readfast/main.go
@@ -87,7 +87,7 @@ func run(server, session string, maxRows int, parse, format bool) {
 	log.Info(fmt.Sprintf("session: %s (%s)", xeSession.Name, xeSession.WildCard))
 	query := fmt.Sprintf("SELECT object_name, event_data, file_name, file_offset FROM sys.fn_xe_file_target_read_file('%s', NULL, NULL, NULL);", xeSession.WildCard)
 	start := time.Now()
-	rows, err := info.DB.Query(query)
+	rows, err := info.DB.Query(query) // #nosec G201 -- string doeesn't come from user
 	if err != nil {
 		log.Fatal(err)
 	}

diff --git a/cmd/tcpserver/main.go b/cmd/tcpserver/main.go
@@ -70,7 +70,7 @@ func main() {
 
 	var connCount int
 
-	l, err := net.Listen("tcp", listen)
+	l, err := net.Listen("tcp", listen) //#nosec G102 -- dev server only
 	if err != nil {
 		log.Fatal(err)
 	}

diff --git a/cmd/xelogstash/main_app.go b/cmd/xelogstash/main_app.go
@@ -12,7 +12,7 @@ import (
 	_ "expvar"
 	"fmt"
 	"net/http"
-	_ "net/http/pprof"
+	_ "net/http/pprof" //#nosec G108 -- pprof only exposed on localhost if http_metrics is true
 	"runtime"
 	"time"
 

diff --git a/cmd/xeparse/main.go b/cmd/xeparse/main.go
@@ -51,11 +51,12 @@ func main() {
 
 	for _, f := range files {
 		fi := filepath.Join(dirname, f.Name())
+		fi = filepath.Clean(fi)
 		if filepath.Ext(fi) != ".xml" {
 			continue
 		}
 		log.Info("file:", fi)
-		b, err := ioutil.ReadFile(fi)
+		b, err := ioutil.ReadFile(fi) //#nosec G304 -- file doesn't come from user input 
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -87,7 +88,7 @@ func main() {
 		basefile := strings.TrimSuffix(fi, filepath.Ext(fi))
 		newfile := basefile + ".json"
 		//outfile := filepath.Join(dirname, newfile)
-		err = ioutil.WriteFile(newfile, out.Bytes(), 0666)
+		err = ioutil.WriteFile(newfile, out.Bytes(), 0600)
 		if err != nil {
 			log.Fatal(err)
 		}

diff --git a/pkg/app/process_session.go b/pkg/app/process_session.go
@@ -177,7 +177,7 @@ func (p *Program) processSession(
 		if err != nil {
 			log.Error(errors.Wrap(err, "xe.parse"))
 			if source.LogBadXML {
-				err = ioutil.WriteFile("bad_xml.log", []byte(eventData), 0666)
+				err = ioutil.WriteFile("bad_xml.log", []byte(eventData), 0600)
 				if err != nil {
 					log.Error(errors.Wrap(err, "write bad xml: ioutil.writefile"))
 				}

diff --git a/pkg/app/program.go b/pkg/app/program.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"math/rand"
 	"net/http"
-	_ "net/http/pprof" // pprof
+	_ "net/http/pprof" //#nosec G108 -- pprof only exposed on localhost if http_metrics is true
 	"runtime"
 	"time"
 

diff --git a/pkg/sink/sink_file.go b/pkg/sink/sink_file.go
@@ -117,7 +117,7 @@ func (fs *FileSink) open(id string) error {
 	}
 
 	fqfile := filepath.Join(eventDir, fileName)
-	lf, err := os.OpenFile(fqfile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644)
+	lf, err := os.OpenFile(filepath.Clean(fqfile), os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600)
 	if err != nil {
 		return errors.Wrap(err, "os.openfile")
 	}

diff --git a/pkg/status/status.go b/pkg/status/status.go
@@ -182,7 +182,7 @@ func (f *File) GetOffset() (fileName string, offset int64, xestatus string, err
 	var fp *os.File
 	_, err = os.Stat(f.Name)
 	if os.IsNotExist(err) {
-		fp, err = os.OpenFile(f.Name, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0666)
+		fp, err = os.OpenFile(f.Name, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
 		if err != nil {
 			return "", 0, StateReset, errors.Wrap(err, "create")
 		}
@@ -192,7 +192,7 @@ func (f *File) GetOffset() (fileName string, offset int64, xestatus string, err
 		return "", 0, StateReset, errors.Wrap(err, "stat")
 	}
 
-	readonly, err := os.OpenFile(f.Name, os.O_RDONLY, 0666)
+	readonly, err := os.OpenFile(f.Name, os.O_RDONLY, 0600)
 	if err != nil {
 		return "", 0, StateReset, errors.Wrap(err, "openreadonly")
 	}
@@ -227,7 +227,7 @@ func (f *File) GetOffset() (fileName string, offset int64, xestatus string, err
 	}
 
 	// TODO close & reopen the file
-	fp, err = os.OpenFile(f.Name, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0666)
+	fp, err = os.OpenFile(f.Name, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
 	if err != nil {
 		return "", 0, StateReset, errors.Wrap(err, "openappend")
 	}
@@ -340,7 +340,7 @@ func (f *File) Done(xeFileName string, offset int64, xestatus string) error {
 	}
 
 	// Write the new file
-	newStatusFile, err := os.OpenFile(f.Name, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0666)
+	newStatusFile, err := os.OpenFile(f.Name, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0600)
 	if err != nil {
 		return errors.Wrap(err, "create")
 	}

diff --git a/pkg/summary/summary.go b/pkg/summary/summary.go
@@ -118,13 +118,13 @@ func PrintSamples() error {
 		return errors.Wrap(err, "os.executable")
 	}
 	exeDir := filepath.Dir(executable)
-	fileName := filepath.Join(exeDir, "samples.xe.json")
+	fileName := filepath.Clean(filepath.Join(exeDir, "samples.xe.json"))
 
-	file, err := os.OpenFile(fileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0666)
+	file, err := os.OpenFile(fileName, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return errors.Wrap(err, "os.openfile")
 	}
-	defer file.Close()
+	defer file.Close() //#nosec G307
 
 	for _, v := range results {
 		//json, err := json.Unmarshal(v.Sample)