Fix lint and security issues
gosec was failing after the last update introduced some new checks.
erikdubbelboer committed Sep 7, 2024
1 parent 7699fc9 commit c305051
Showing 11 changed files with 22 additions and 23 deletions.
5 changes: 2 additions & 3 deletions client.go
@@ -607,7 +607,6 @@ func (c *Client) mCleaner(m map[string]*HostClient) {
c.mLock.Lock()
for k, v := range m {
v.connsLock.Lock()
/* #nosec G601 */
if v.connsCount == 0 && atomic.LoadInt32(&v.pendingClientRequests) == 0 {
delete(m, k)
}
@@ -1430,7 +1429,7 @@ func (c *HostClient) doNonNilReqResp(req *Request, resp *Response) (bool, error)
return false, ErrHostClientRedirectToDifferentScheme
}

atomic.StoreUint32(&c.lastUseTime, uint32(time.Now().Unix()-startTimeUnix))
atomic.StoreUint32(&c.lastUseTime, uint32(time.Now().Unix()-startTimeUnix)) // #nosec G115

// Free up resources occupied by response before sending the request,
// so the GC may reclaim these resources (e.g. response body).
@@ -1917,7 +1916,7 @@ func (c *HostClient) nextAddr() string {
}
addr := c.addrs[0]
if len(c.addrs) > 1 {
addr = c.addrs[c.addrIdx%uint32(len(c.addrs))]
addr = c.addrs[c.addrIdx%uint32(len(c.addrs))] // #nosec G115
c.addrIdx++
}
c.addrsLock.Unlock()
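Review bot: The new `// #nosec G115` on the `atomic.StoreUint32(&c.lastUseTime, ...)` line in `doNonNilReqResp` silences the int64-to-uint32 narrowing without saying why it is safe. `time.Now().Unix()-startTimeUnix` is a wall-clock difference, so it presumably goes negative and wraps to a large value if the clock is stepped back past `startTimeUnix` (defined outside this hunk); gosec accepts a justification after `--`, e.g. `// #nosec G115 -- seconds since process start, fits in uint32`. The same bare suppression is added in `nextAddr` here and in round2_64.go, server.go and tcpdialer.go, where the narrowing looks bounded by a slice length or an earlier guard, and each would benefit from a short reason in the same form so a later audit can tell reviewed cases from blanket silencing.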
2 changes: 1 addition & 1 deletion examples/letsencrypt/letsencryptserver.go
@@ -28,7 +28,7 @@ func main() {
}

// Let's Encrypt tls-alpn-01 only works on port 443.
ln, err := net.Listen("tcp4", "0.0.0.0:443") /* #nosec G102 */
ln, err := net.Listen("tcp4", "0.0.0.0:443") // #nosec G102
if err != nil {
panic(err)
}
2 changes: 1 addition & 1 deletion fs.go
@@ -1406,7 +1406,7 @@ func (h *fsHandler) compressAndOpenFSFile(filePath, fileEncoding string) (*fsFil
}

if compressedFilePath != filePath {
if err := os.MkdirAll(filepath.Dir(compressedFilePath), os.ModePerm); err != nil {
if err := os.MkdirAll(filepath.Dir(compressedFilePath), 0o750); err != nil {
return nil, err
}
}
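Review bot: The `0o750` passed to `os.MkdirAll` in `compressAndOpenFSFile` only applies to directories this call creates; a directory that already exists keeps its old mode, and the mode of the compressed file itself is set outside this hunk. It is worth checking that the file is created with a matching restrictive mode, otherwise the directory is closed to other users while the files in it may not be wherever the directory pre-exists. The change also removes access for other accounts, which a deployment reading the compressed cache as a different user would notice, so a comment such as `// 0o750: compressed cache dirs are private to the server's user and group` would record the intent.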
16 changes: 8 additions & 8 deletions fuzz_test.go
@@ -42,38 +42,38 @@ func FuzzVisitHeaderParams(f *testing.F) {
func FuzzResponseReadLimitBody(f *testing.F) {
f.Add([]byte("HTTP/1.1 200 OK\r\nContent-Type: aa\r\nContent-Length: 10\r\n\r\n9876543210"), 1024)

f.Fuzz(func(t *testing.T, body []byte, max int) {
if len(body) > 1024*1024 || max > 1024*1024 {
f.Fuzz(func(t *testing.T, body []byte, maxBodySize int) {
if len(body) > 1024*1024 || maxBodySize > 1024*1024 {
return
}
// Only test with a max for the body, otherwise a very large Content-Length will just OOM.
if max <= 0 {
if maxBodySize <= 0 {
return
}

res := AcquireResponse()
defer ReleaseResponse(res)

_ = res.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), max)
_ = res.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), maxBodySize)
})
}

func FuzzRequestReadLimitBody(f *testing.F) {
f.Add([]byte("POST /a HTTP/1.1\r\nHost: a.com\r\nTransfer-Encoding: chunked\r\nContent-Type: aa\r\n\r\n6\r\nfoobar\r\n3\r\nbaz\r\n0\r\nfoobar\r\n\r\n"), 1024)

f.Fuzz(func(t *testing.T, body []byte, max int) {
if len(body) > 1024*1024 || max > 1024*1024 {
f.Fuzz(func(t *testing.T, body []byte, maxBodySize int) {
if len(body) > 1024*1024 || maxBodySize > 1024*1024 {
return
}
// Only test with a max for the body, otherwise a very large Content-Length will just OOM.
if max <= 0 {
if maxBodySize <= 0 {
return
}

req := AcquireRequest()
defer ReleaseRequest(req)

_ = req.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), max)
_ = req.ReadLimitBody(bufio.NewReader(bytes.NewReader(body)), maxBodySize)
})
}

2 changes: 1 addition & 1 deletion headers.go
@@ -136,7 +136,7 @@ const (

// WebSockets.
HeaderSecWebSocketAccept = "Sec-WebSocket-Accept"
HeaderSecWebSocketExtensions = "Sec-WebSocket-Extensions" /* #nosec G101 */
HeaderSecWebSocketExtensions = "Sec-WebSocket-Extensions" // #nosec G101
HeaderSecWebSocketKey = "Sec-WebSocket-Key"
HeaderSecWebSocketProtocol = "Sec-WebSocket-Protocol"
HeaderSecWebSocketVersion = "Sec-WebSocket-Version"
2 changes: 1 addition & 1 deletion lbclient.go
@@ -139,7 +139,7 @@ func (cc *LBClient) get() *lbClient {
minT := atomic.LoadUint64(&minC.total)
for _, c := range cs[1:] {
n := c.PendingRequests()
t := atomic.LoadUint64(&c.total) /* #nosec G601 */
t := atomic.LoadUint64(&c.total)
if n < minN || (n == minN && t < minT) {
minC = c
minN = n
2 changes: 1 addition & 1 deletion prefork/prefork.go
@@ -135,7 +135,7 @@ func (p *Prefork) setTCPListenerFiles(addr string) error {
}

func (p *Prefork) doCommand() (*exec.Cmd, error) {
/* #nosec G204 */
// #nosec G204
cmd := exec.Command(os.Args[0], os.Args[1:]...)
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
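Review bot: The `// #nosec G204` above `exec.Command(os.Args[0], os.Args[1:]...)` in `doCommand` carries no reason, and `os.Args[0]` is whatever name the process was started with. When that is a bare name, `exec.Command` resolves it through `PATH`, so the child is not guaranteed to be the binary that is currently running; `os.Executable()` would pin it, though it may behave differently behind symlinks. At minimum the suppression could read `// #nosec G204 -- re-executes this program with its own arguments`. The rest of `doCommand` is outside the hunk.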
4 changes: 2 additions & 2 deletions round2_64.go
@@ -12,12 +12,12 @@ func roundUpForSliceCap(n int) int {
return n
}

x := uint64(n - 1)
x := uint64(n - 1) // #nosec G115
x |= x >> 1
x |= x >> 2
x |= x >> 4
x |= x >> 8
x |= x >> 16

return int(x + 1)
return int(x + 1) // #nosec G115
}
6 changes: 3 additions & 3 deletions server.go
@@ -2034,8 +2034,8 @@ func (s *Server) ServeConn(c net.Conn) error {
c = pic
}

n := atomic.AddUint32(&s.concurrency, 1)
if n > uint32(s.getConcurrency()) {
n := int(atomic.AddUint32(&s.concurrency, 1)) // #nosec G115
if n > s.getConcurrency() {
atomic.AddUint32(&s.concurrency, ^uint32(0))
s.writeFastError(c, StatusServiceUnavailable, "The connection cannot be served because Server.Concurrency limit exceeded")
c.Close()
@@ -2415,7 +2415,7 @@ func (s *Server) serveConn(c net.Conn) (err error) {
}

connectionClose = connectionClose ||
(s.MaxRequestsPerConn > 0 && connRequestNum >= uint64(s.MaxRequestsPerConn)) ||
(s.MaxRequestsPerConn > 0 && connRequestNum >= uint64(s.MaxRequestsPerConn)) || // #nosec G115
ctx.Response.Header.ConnectionClose() ||
(s.CloseOnShutdown && atomic.LoadInt32(&s.stop) == 1)
if connectionClose {
2 changes: 1 addition & 1 deletion tcpdialer.go
@@ -298,7 +298,7 @@ func (d *TCPDialer) dial(addr string, dualStack bool, timeout time.Duration) (ne
return nil, err
}
var conn net.Conn
n := uint32(len(addrs))
n := uint32(len(addrs)) // #nosec G115
for n > 0 {
conn, err = d.tryDial(network, addrs[idx%n].String(), deadline, d.concurrencyCh)
if err == nil {
2 changes: 1 addition & 1 deletion workerpool.go
@@ -176,7 +176,7 @@ func (wp *workerPool) getCh() *workerChan {
}

currentWorkers := atomic.LoadInt32(&wp.workersCount)
if currentWorkers < int32(wp.MaxWorkersCount) {
if int(currentWorkers) < wp.MaxWorkersCount {
if atomic.CompareAndSwapInt32(&wp.workersCount, currentWorkers, currentWorkers+1) {
ch = wp.workerChanPool.Get().(*workerChan)
go wp.workerFunc(ch)