Fix lint and security issues

gosec was failing after the last update introduced some new checks.
valyala · Sep 7, 2024 · 52bd784 · 52bd784
1 parent 7699fc9
commit 52bd784
Show file tree

Hide file tree

Showing 12 changed files with 23 additions and 23 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -42,6 +42,7 @@ linters:
     - varnamelen
     - wrapcheck
     - wsl
+    - mnd
 
     # Deprecated linters
     - deadcode

diff --git a/client.go b/client.go
@@ -607,7 +607,6 @@ func (c *Client) mCleaner(m map[string]*HostClient) {
 		c.mLock.Lock()
 		for k, v := range m {
 			v.connsLock.Lock()
-			/* #nosec G601 */
 			if v.connsCount == 0 && atomic.LoadInt32(&v.pendingClientRequests) == 0 {
 				delete(m, k)
 			}
@@ -1430,7 +1429,7 @@ func (c *HostClient) doNonNilReqResp(req *Request, resp *Response) (bool, error)
 		return false, ErrHostClientRedirectToDifferentScheme
 	}
 
-	atomic.StoreUint32(&c.lastUseTime, uint32(time.Now().Unix()-startTimeUnix))
+	atomic.StoreUint32(&c.lastUseTime, uint32(time.Now().Unix()-startTimeUnix)) // #nosec G115
 
 	// Free up resources occupied by response before sending the request,
 	// so the GC may reclaim these resources (e.g. response body).
@@ -1917,7 +1916,7 @@ func (c *HostClient) nextAddr() string {
 	}
 	addr := c.addrs[0]
 	if len(c.addrs) > 1 {
-		addr = c.addrs[c.addrIdx%uint32(len(c.addrs))]
+		addr = c.addrs[c.addrIdx%uint32(len(c.addrs))] // #nosec G115
 		c.addrIdx++
 	}
 	c.addrsLock.Unlock()

diff --git a/examples/letsencrypt/letsencryptserver.go b/examples/letsencrypt/letsencryptserver.go
@@ -28,7 +28,7 @@ func main() {
 	}
 
 	// Let's Encrypt tls-alpn-01 only works on port 443.
-	ln, err := net.Listen("tcp4", "0.0.0.0:443") /* #nosec G102 */
+	ln, err := net.Listen("tcp4", "0.0.0.0:443") // #nosec G102
 	if err != nil {
 		panic(err)
 	}

diff --git a/fs.go b/fs.go
@@ -1406,7 +1406,7 @@ func (h *fsHandler) compressAndOpenFSFile(filePath, fileEncoding string) (*fsFil
 	}
 
 	if compressedFilePath != filePath {
-		if err := os.MkdirAll(filepath.Dir(compressedFilePath), os.ModePerm); err != nil {
+		if err := os.MkdirAll(filepath.Dir(compressedFilePath), 0o750); err != nil {
 			return nil, err
 		}
 	}

diff --git a/fuzz_test.go b/fuzz_test.go
@@ -42,38 +42,38 @@ func FuzzVisitHeaderParams(f *testing.F) {
 func FuzzResponseReadLimitBody(f *testing.F) {
 	f.Add([]byte("HTTP/1.1 200 OK\r\nContent-Type: aa\r\nContent-Length: 10\r\n\r\n9876543210"), 1024)
 
-	f.Fuzz(func(t *testing.T, body []byte, max int) {
-		if len(body) > 1024*1024 || max > 1024*1024 {
+	f.Fuzz(func(t *testing.T, body []byte, maxBodySize int) {
+		if len(body) > 1024*1024 || maxBodySize > 1024*1024 {
 			return
 		}
 		// Only test with a max for the body, otherwise a very large Content-Length will just OOM.
-		if max <= 0 {
+		if maxBodySize <= 0 {
 			return
 		}
 
 		res := AcquireResponse()
 		defer ReleaseResponse(res)
 
-		_ = res.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), max)
+		_ = res.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), maxBodySize)
 	})
 }
 
 func FuzzRequestReadLimitBody(f *testing.F) {
 	f.Add([]byte("POST /a HTTP/1.1\r\nHost: a.com\r\nTransfer-Encoding: chunked\r\nContent-Type: aa\r\n\r\n6\r\nfoobar\r\n3\r\nbaz\r\n0\r\nfoobar\r\n\r\n"), 1024)
 
-	f.Fuzz(func(t *testing.T, body []byte, max int) {
-		if len(body) > 1024*1024 || max > 1024*1024 {
+	f.Fuzz(func(t *testing.T, body []byte, maxBodySize int) {
+		if len(body) > 1024*1024 || maxBodySize > 1024*1024 {
 			return
 		}
 		// Only test with a max for the body, otherwise a very large Content-Length will just OOM.
-		if max <= 0 {
+		if maxBodySize <= 0 {
 			return
 		}
 
 		req := AcquireRequest()
 		defer ReleaseRequest(req)
 
-		_ = req.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), max)
+		_ = req.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), maxBodySize)
 	})
 }
 

diff --git a/headers.go b/headers.go
@@ -136,7 +136,7 @@ const (
 
 	// WebSockets.
 	HeaderSecWebSocketAccept     = "Sec-WebSocket-Accept"
-	HeaderSecWebSocketExtensions = "Sec-WebSocket-Extensions" /* #nosec G101 */
+	HeaderSecWebSocketExtensions = "Sec-WebSocket-Extensions" // #nosec G101
 	HeaderSecWebSocketKey        = "Sec-WebSocket-Key"
 	HeaderSecWebSocketProtocol   = "Sec-WebSocket-Protocol"
 	HeaderSecWebSocketVersion    = "Sec-WebSocket-Version"

diff --git a/lbclient.go b/lbclient.go
@@ -139,7 +139,7 @@ func (cc *LBClient) get() *lbClient {
 	minT := atomic.LoadUint64(&minC.total)
 	for _, c := range cs[1:] {
 		n := c.PendingRequests()
-		t := atomic.LoadUint64(&c.total) /* #nosec G601 */
+		t := atomic.LoadUint64(&c.total)
 		if n < minN || (n == minN && t < minT) {
 			minC = c
 			minN = n

diff --git a/prefork/prefork.go b/prefork/prefork.go
@@ -135,7 +135,7 @@ func (p *Prefork) setTCPListenerFiles(addr string) error {
 }
 
 func (p *Prefork) doCommand() (*exec.Cmd, error) {
-	/* #nosec G204 */
+	// #nosec G204
 	cmd := exec.Command(os.Args[0], os.Args[1:]...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr

diff --git a/round2_64.go b/round2_64.go
@@ -12,12 +12,12 @@ func roundUpForSliceCap(n int) int {
 		return n
 	}
 
-	x := uint64(n - 1)
+	x := uint64(n - 1) // #nosec G115
 	x |= x >> 1
 	x |= x >> 2
 	x |= x >> 4
 	x |= x >> 8
 	x |= x >> 16
 
-	return int(x + 1)
+	return int(x + 1) // #nosec G115
 }
diff --git a/server.go b/server.go
@@ -2034,8 +2034,8 @@ func (s *Server) ServeConn(c net.Conn) error {
 		c = pic
 	}
 
-	n := atomic.AddUint32(&s.concurrency, 1)
-	if n > uint32(s.getConcurrency()) {
+	n := int(atomic.AddUint32(&s.concurrency, 1)) // #nosec G115
+	if n > s.getConcurrency() {
 		atomic.AddUint32(&s.concurrency, ^uint32(0))
 		s.writeFastError(c, StatusServiceUnavailable, "The connection cannot be served because Server.Concurrency limit exceeded")
 		c.Close()
@@ -2415,7 +2415,7 @@ func (s *Server) serveConn(c net.Conn) (err error) {
 		}
 
 		connectionClose = connectionClose ||
-			(s.MaxRequestsPerConn > 0 && connRequestNum >= uint64(s.MaxRequestsPerConn)) ||
+			(s.MaxRequestsPerConn > 0 && connRequestNum >= uint64(s.MaxRequestsPerConn)) || // #nosec G115
 			ctx.Response.Header.ConnectionClose() ||
 			(s.CloseOnShutdown && atomic.LoadInt32(&s.stop) == 1)
 		if connectionClose {

diff --git a/tcpdialer.go b/tcpdialer.go
@@ -298,7 +298,7 @@ func (d *TCPDialer) dial(addr string, dualStack bool, timeout time.Duration) (ne
 		return nil, err
 	}
 	var conn net.Conn
-	n := uint32(len(addrs))
+	n := uint32(len(addrs)) // #nosec G115
 	for n > 0 {
 		conn, err = d.tryDial(network, addrs[idx%n].String(), deadline, d.concurrencyCh)
 		if err == nil {

diff --git a/workerpool.go b/workerpool.go
@@ -176,7 +176,7 @@ func (wp *workerPool) getCh() *workerChan {
 		}
 
 		currentWorkers := atomic.LoadInt32(&wp.workersCount)
-		if currentWorkers < int32(wp.MaxWorkersCount) {
+		if int(currentWorkers) < wp.MaxWorkersCount {
 			if atomic.CompareAndSwapInt32(&wp.workersCount, currentWorkers, currentWorkers+1) {
 				ch = wp.workerChanPool.Get().(*workerChan)
 				go wp.workerFunc(ch)