go security checks

ca/letsencrypt.go

@@ -130,12 +130,12 @@ func GetLECertificateAndKey(email string, domains []string, httpPort string, tls
 
 	key, cert := letsencryptUser.RequestCertificate()
 
-	err := os.WriteFile("key", key, 0644)
+	err := os.WriteFile("key", key, 0600)
 	if err != nil {
 		logger.Fatalf("error writing file 'key': %+v", err)
 	}
 
-	err = os.WriteFile("cert", cert, 0644)
+	err = os.WriteFile("cert", cert, 0600)
 	if err != nil {
 		logger.Fatalf("error writing file 'cert': %+v", err)
 	}

cli/cli_unix.go

@@ -12,6 +12,9 @@ import (
 
 func RunCMD(cmd string) (string, error) {
 	cmdArray := strings.Split(cmd, " ")
+	// disable G204 (CWE-78): Subprocess launched with a potential tainted input or cmd arguments
+	// This is intended behaviour
+	// #nosec G204
 	cmdRun := exec.Command(cmdArray[0], cmdArray[1:]...)
 	var stdout, stderr bytes.Buffer
 	cmdRun.Stdout = &stdout

httpserver/filebased.go

@@ -10,6 +10,8 @@ import (
 func (fs *FileServer) findSpecialFile(folder string) (configFile, error) {
 	var config configFile
 
+	// disable G304 (CWE-22): Potential file inclusion via variable
+	// #nosec G304
 	file, err := os.Open(folder)
 	if err != nil {
 		return config, err
@@ -24,6 +26,8 @@ func (fs *FileServer) findSpecialFile(folder string) (configFile, error) {
 		if fi.Name() == ".goshs" {
 			openFile := filepath.Join(file.Name(), fi.Name())
 
+			// disable G304 (CWE-22): Potential file inclusion via variable
+			// #nosec G304
 			configFileDisk, err := os.Open(openFile)
 			if err != nil {
 				return config, err

httpserver/handler.go

@@ -120,7 +120,6 @@ func (fs *FileServer) handler(w http.ResponseWriter, req *http.Request) {
 
 	// Check if you are in a dir
 	// disable G304 (CWE-22): Potential file inclusion via variable
-	// as we want a file inclusion here
 	// #nosec G304
 	file, err := os.Open(open)
 	if os.IsNotExist(err) {
@@ -471,7 +470,10 @@ func (fs *FileServer) deleteFile(w http.ResponseWriter, req *http.Request) {
 	fileCleaned, _ := url.QueryUnescape(upath)
 	if strings.Contains(fileCleaned, "..") {
 		w.WriteHeader(500)
-		w.Write([]byte("Cannot delete file"))
+		_, err := w.Write([]byte("Cannot delete file"))
+		if err != nil {
+			logger.Errorf("error writing answer to client: %+v", err)
+		}
 	}
 
 	deletePath := filepath.Join(fs.Webroot, fileCleaned)

httpserver/server.go

@@ -53,7 +53,11 @@ func (fs *FileServer) Start(what string) {
 	if err != nil {
 		logger.Fatalf("Error binding to listener '%s': %+v", addr, err)
 	}
-	defer listener.Close()
+	defer func() {
+		if err := listener.Close(); err != nil {
+			logger.Errorf("error closing tcp listener: %+v", err)
+		}
+	}()
 
 	// construct server
 	server := http.Server{

httpserver/updown.go

@@ -61,7 +61,6 @@ func (fs *FileServer) upload(w http.ResponseWriter, req *http.Request) {
 
 		// Create file to write to
 		// disable G304 (CWE-22): Potential file inclusion via variable
-		// as we want a file inclusion here
 		// #nosec G304
 		if _, err := os.Create(savepath); err != nil {
 			logger.Errorf("Not able to create file on disk")
@@ -71,11 +70,17 @@ func (fs *FileServer) upload(w http.ResponseWriter, req *http.Request) {
 		// Write file to disk 16MB at a time
 		buffer := make([]byte, 1<<24)
 
+		// disable G304 (CWE-22): Potential file inclusion via variable
+		// #nosec G304
 		osFile, err := os.OpenFile(savepath, os.O_WRONLY|os.O_CREATE, os.ModePerm)
 		if err != nil {
 			logger.Warnf("Error opening file: %+v", err)
 		}
-		defer osFile.Close()
+		defer func() {
+			if err := osFile.Close(); err != nil {
+				logger.Errorf("error closing file: %+v", err)
+			}
+		}()
 
 		for {
 			// Read file from post body
@@ -155,7 +160,6 @@ func (fs *FileServer) bulkDownload(w http.ResponseWriter, req *http.Request) {
 		}
 
 		// disable G304 (CWE-22): Potential file inclusion via variable
-		// as we want a file inclusion here
 		// #nosec G304
 		file, err := os.Open(filepath)
 		if err != nil {