From f5d3ab450538a02d26436f7c7ce508324b88db87 Mon Sep 17 00:00:00 2001
From: James Strong
Date: Wed, 15 Jun 2022 13:19:30 -0400
Subject: [PATCH 1/2] fix the gosec test and a make target for it
---
 Makefile | 4 ++++
 cmd/nginx/main.go | 6 ++++--
 internal/ingress/controller/nginx.go | 8 +++++---
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index 71dd8dd06..14b7d8c24 100644
--- a/Makefile
+++ b/Makefile
@@ -75,6 +75,10 @@ image: clean-image ## Build image for a particular arch.
 --build-arg BUILD_ID="$(BUILD_ID)" \
 -t $(REGISTRY)/controller:$(TAG) rootfs
+.PHONY: gosec
+gosec:
+ docker run --mount type=bind,source="$(pwd)"/,target=/source securego/gosec:2.11.0 -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ /source/...
+
 .PHONY: image-chroot
 image-chroot: clean-chroot-image ## Build image for a particular arch.
 echo "Building docker image ($(ARCH))..."
diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go
index d5d6d91e7..ff5f0c365 100644
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@@ -327,8 +327,10 @@ func registerProfiler() {
 mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
 server := &http.Server{
- Addr: fmt.Sprintf("127.0.0.1:%v", nginx.ProfilerPort),
- Handler: mux,
+ Addr: fmt.Sprintf("127.0.0.1:%v", nginx.ProfilerPort),
+ //G112 (CWE-400): Potential Slowloris Attack
+ ReadHeaderTimeout: 10 * time.Second,
+ Handler: mux,
 }
 klog.Fatal(server.ListenAndServe())
 }
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index 7ff772a96..9c8e5265c 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
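Review bot: In the added `gosec` recipe, `$(pwd)` is expanded by make as a make variable, not by the shell, so unless a `pwd` variable is defined elsewhere in the Makefile `source="$(pwd)"/` collapses to `source=/` and the scanner container is handed the whole host filesystem, read-write, instead of the checkout. Use make's own `$(CURDIR)` (or escape the shell substitution as `$$(pwd)`) and mount it read-only since gosec only reads sources: `--mount type=bind,source="$(CURDIR)"/,target=/source,readonly`. The follow-up patch 2/2 rewrites this line as `-v "$(pwd)"/:/source` and carries the same expansion problem. The `-exclude=` list silences, among others, G104 (unchecked errors), G204 (subprocess with variable arguments), G304 (file path from variable) and G306/G307 (file permissions, deferred close) repository-wide with no stated reason; a comment above the target saying why each rule is excluded would keep the list reviewable. Pinning `securego/gosec` by image digest rather than the mutable `2.11.0` tag would make the scan reproducible.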
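Review bot: `ReadHeaderTimeout` is the only timeout added to the profiler server, which satisfies gosec G112 but leaves the request body read, the response write and idle keep-alive connections unbounded; the same applies to the validation webhook server in the internal/ingress/controller/nginx.go hunk, which listens on the configured `config.ValidationWebhook` address rather than loopback. Consider setting `ReadTimeout`, `WriteTimeout` and `IdleTimeout` alongside it, or a comment stating why the header timeout alone is acceptable here (the profiler binds `127.0.0.1`, so its exposure is lower than the webhook's). The `10 * time.Second` literal is now duplicated across both servers; a single named constant would keep them in step. The added comment repeats the finding rather than the intent, so `// bound the time a client may spend sending request headers (gosec G112 / CWE-400)` would read better for the next maintainer; the hunk also relies on `time` already being imported in main.go, and the diffstat shows no import change, so confirm it builds. registerProfiler's body starts outside the hunk.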
@@ -110,9 +110,11 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro
 if n.cfg.ValidationWebhook != "" {
 n.validationWebhookServer = &http.Server{
- Addr: config.ValidationWebhook,
- Handler: adm_controller.NewAdmissionControllerServer(&adm_controller.IngressAdmission{Checker: n}),
- TLSConfig: ssl.NewTLSListener(n.cfg.ValidationWebhookCertPath, n.cfg.ValidationWebhookKeyPath).TLSConfig(),
+ Addr: config.ValidationWebhook,
+ //G112 (CWE-400): Potential Slowloris Attack
+ ReadHeaderTimeout: 10 * time.Second,
+ Handler: adm_controller.NewAdmissionControllerServer(&adm_controller.IngressAdmission{Checker: n}),
+ TLSConfig: ssl.NewTLSListener(n.cfg.ValidationWebhookCertPath, n.cfg.ValidationWebhookKeyPath).TLSConfig(),
 // disable http/2
 // https://github.com/kubernetes/kubernetes/issues/80313
 // https://github.com/kubernetes/ingress-nginx/issues/6323#issuecomment-737239159
From 72705c21aa72c97db5483112b6dd7d93403af992 Mon Sep 17 00:00:00 2001
From: James Strong
Date: Wed, 15 Jun 2022 14:15:27 -0400
Subject: [PATCH 2/2] need the workspace
---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 14b7d8c24..99730b4c0 100644
--- a/Makefile
+++ b/Makefile
@@ -77,7 +77,7 @@ image: clean-image ## Build image for a particular arch.
 .PHONY: gosec
 gosec:
- docker run --mount type=bind,source="$(pwd)"/,target=/source securego/gosec:2.11.0 -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ /source/...
+ docker run --rm -it -w /source/ -v "$(pwd)"/:/source securego/gosec:2.11.0 -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/ -exclude-dir=docs/ /source/...
 .PHONY: image-chroot
 image-chroot: clean-chroot-image ## Build image for a particular arch.