From d66da4d8b85c0c0d37206aa407acf6232c4fb14b Mon Sep 17 00:00:00 2001
From: Jan Fuhrer
Date: Wed, 19 Jun 2024 13:54:04 +0200
Subject: [PATCH] security: fix security alerts of gosec

---
 .github/workflows/codeql.yml |  2 +-
 .github/workflows/gosec.yml  |  2 +-
 go.mod                       |  2 +-
 main.go                      | 25 +++++++++++++++++++------
 4 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 002230d..2cd0508 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -49,7 +49,7 @@ jobs:
       - if: matrix.build-mode == 'manual'
         env:
           # fix "go: download go1.22 for linux/amd64: toolchain not available" error
-          GOTOOLCHAIN: "go1.22.2"
+          GOTOOLCHAIN: "go1.22.4"
         run: |
           make go-build
 
diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
index 62b5d24..b3d90d7 100644
--- a/.github/workflows/gosec.yml
+++ b/.github/workflows/gosec.yml
@@ -24,7 +24,7 @@ jobs:
           persist-credentials: false
       - name: Run Gosec Security Scanner
         env:
-          GOTOOLCHAIN: "go1.22.2"
+          GOTOOLCHAIN: "go1.22.4"
         uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 # v2.20.0
         with:
           args: ./...
diff --git a/go.mod b/go.mod
index f1739e1..3be531f 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/natrontech/pbs-exporter
 
-go 1.22.2
+go 1.22.4
 
 require github.com/prometheus/client_golang v1.19.1
 
diff --git a/main.go b/main.go
index 157788d..5a1be4d 100644
--- a/main.go
+++ b/main.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strconv"
 	"time"
@@ -30,7 +31,9 @@ var BuildTime = "unknown"
 
 var (
 	tr = &http.Transport{
-		TLSClientConfig: &tls.Config{},
+		TLSClientConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		},
 	}
 	client = &http.Client{
 		Transport: tr,
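Review bot: The `&http.Transport{...}` literal that now carries `MinVersion: tls.VersionTLS12` still sets none of the timeouts that `http.DefaultTransport` provides, so a TLS handshake against an unresponsive PBS endpoint has no deadline from the transport itself; adding `TLSHandshakeTimeout: 10 * time.Second,` beside `TLSClientConfig` bounds that. Whether the outer `client` literal sets an overall `Timeout` cannot be seen here, because the `var (` block continues past the end of the hunk. A short comment on the new field, `// refuse TLS 1.0/1.1 (gosec G402)`, would record why the version floor was introduced.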
@@ -239,7 +242,7 @@ type Exporter struct {
 }
 
 func ReadSecretFile(secretfilename string) string {
-	file, err := os.Open(secretfilename)
+	file, err := os.Open(filepath.Clean(secretfilename))
 	// flag to check the file format
 	if err != nil {
 		log.Fatal(err)
@@ -327,7 +330,9 @@ func (e *Exporter) collectFromAPI(ch chan<- prometheus.Metric) error {
 	}
 
 	body, err := io.ReadAll(resp.Body)
-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Printf("Error closing response body: %v", err)
+	}
 	if err != nil {
 		return err
 	}
@@ -392,7 +397,9 @@ func (e *Exporter) getNodeMetrics(ch chan<- prometheus.Metric) error {
 	}
 
 	body, err := io.ReadAll(resp.Body)
-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Printf("Error closing response body: %v", err)
+	}
 	if err != nil {
 		return err
 	}
@@ -507,7 +514,9 @@ func (e *Exporter) getDatastoreMetric(datastore Datastore, ch chan<- prometheus.
 	}
 
 	body, err := io.ReadAll(resp.Body)
-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Printf("Error closing response body: %v", err)
+	}
 	if err != nil {
 		return err
 	}
@@ -580,7 +589,9 @@ func (e *Exporter) getNamespaceMetric(datastore string, namespace string, ch cha
 	}
 
 	body, err := io.ReadAll(resp.Body)
-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Printf("Error closing response body: %v", err)
+	}
 	if err != nil {
 		return err
 	}
@@ -792,5 +803,7 @@ func main() {
 			log.Printf("ERROR: Failed to write response: %s", err)
 		}
 	})
+
+	http.DefaultClient.Timeout = time.Second * 10
 	log.Fatal(http.ListenAndServe(*listenAddress, nil))
 }
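Review bot: `filepath.Clean` around the `os.Open` argument only normalizes the string (which is what silences gosec G304); it does not confine the read to any directory, so a later reader should not mistake it for a path restriction. Since the neighbouring comment says the name comes from a flag, a one-line comment makes the intent explicit: `// Clean only normalizes the operator-supplied path (gosec G304); it is not a path allow-list.` If the secret file name could ever originate from a non-operator source, the check would need to compare the cleaned path against an expected base directory instead. `ReadSecretFile` continues below the end of the hunk.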
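Review bot: The new close-and-log block in collectFromAPI is repeated verbatim in getNodeMetrics, getDatastoreMetric and getNamespaceMetric (hunks at -392, -507 and -580), and in each copy the inner `err` deliberately shadows the `io.ReadAll` error from the line above — correct today, but a future edit that turns the `:=` into `=` would silently discard the read error. A small helper removes both the repetition and the shadowing hazard. While here, `io.ReadAll(resp.Body)` reads an unbounded response; wrapping the body in `io.LimitReader` would cap memory use per scrape. Each of the four enclosing methods starts and ends outside its hunk.
```go
// closeBody closes an HTTP response body. A close error is only logged, not
// returned, because the body has already been fully read by the caller.
func closeBody(resp *http.Response) {
	if err := resp.Body.Close(); err != nil {
		log.Printf("Error closing response body: %v", err)
	}
}

	// … unchanged: request construction and status handling …
	body, err := io.ReadAll(resp.Body)
	closeBody(resp)
	if err != nil {
		return err
	}
```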
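Review bot: `http.DefaultClient.Timeout = time.Second * 10` configures a client the exporter does not appear to use: the API calls in the hunks above go through the package-level `client` built with `Transport: tr` (see the -30 hunk), so unless `client` sets `Timeout` on lines outside that hunk, a scrape against an unresponsive PBS still has no deadline. Setting the timeout on `client` (in its literal, or `client.Timeout = 10 * time.Second` here) is what actually bounds the outbound calls. The `http.ListenAndServe(*listenAddress, nil)` on the following line is left as is and is the other usual gosec finding (G114): the default server has no read or write timeouts, and an `http.Server` with `ReadHeaderTimeout` closes that gap. `main` starts outside the hunk.
```go
	// … unchanged: handler registration …

	// Bound outbound API calls; requests in this file appear to go through
	// the package-level client, not http.DefaultClient.
	client.Timeout = 10 * time.Second

	srv := &http.Server{
		Addr:              *listenAddress,
		ReadHeaderTimeout: 10 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
```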