Fixes for gosec

.github/workflows/ci.yaml

@@ -48,7 +48,10 @@ jobs:
       - name: Run Gosec Security Scanner
         uses: securego/gosec@master
         with:
-          args: -exclude=G104,G304 -exclude-dir=test ./...
+          # G601 for zz_generated.deepcopy.go
+          # G306 TODO: Expect WriteFile permissions to be 0600 or less
+          # G307 TODO: Deferring unsafe method "Close"
+          args: -exclude=G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ ./...
 
   build:
     name: Build

cmd/nginx/main.go

@@ -19,7 +19,7 @@ package main
 import (
 	"context"
 	"fmt"
-	"math/rand"
+	"math/rand" // #nosec
 	"net/http"
 	"net/http/pprof"
 	"os"

docs/examples/customization/external-auth-headers/authsvc/authsvc.go

@@ -18,17 +18,18 @@ package main
 
 import (
 	"fmt"
-	"math/rand"
 	"net/http"
 	"strconv"
 	"strings"
+
+	"k8s.io/apimachinery/pkg/util/uuid"
 )
 
 // Sample authentication service returning several HTTP headers in response
 func main() {
 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		if strings.ContainsAny(r.Header.Get("User"), "internal") {
-			w.Header().Add("UserID", strconv.Itoa(rand.Int()))
+			w.Header().Add("UserID", fmt.Sprintf("%v", uuid.NewUUID()))
 			w.Header().Add("UserRole", "admin")
 			w.Header().Add("Other", "not used")
 			fmt.Fprint(w, "ok")

internal/admission/controller/convert.go

@@ -40,7 +40,7 @@ func convertV1beta1AdmissionReviewToAdmissionAdmissionReview(in *admissionv1beta
 	} else {
 		out.Request = nil
 	}
-	out.Response = (*admissionv1.AdmissionResponse)(unsafe.Pointer(in.Response))
+	out.Response = (*admissionv1.AdmissionResponse)(unsafe.Pointer(in.Response)) // #nosec
 }
 
 func convertV1beta1AdmissionRequestToAdmissionAdmissionRequest(in *admissionv1beta1.AdmissionRequest, out *admissionv1.AdmissionRequest) {
@@ -48,8 +48,8 @@ func convertV1beta1AdmissionRequestToAdmissionAdmissionRequest(in *admissionv1be
 	out.Kind = in.Kind
 	out.Resource = in.Resource
 	out.SubResource = in.SubResource
-	out.RequestKind = (*metav1.GroupVersionKind)(unsafe.Pointer(in.RequestKind))
-	out.RequestResource = (*metav1.GroupVersionResource)(unsafe.Pointer(in.RequestResource))
+	out.RequestKind = (*metav1.GroupVersionKind)(unsafe.Pointer(in.RequestKind))             // #nosec
+	out.RequestResource = (*metav1.GroupVersionResource)(unsafe.Pointer(in.RequestResource)) // #nosec
 	out.RequestSubResource = in.RequestSubResource
 	out.Name = in.Name
 	out.Namespace = in.Namespace
@@ -70,7 +70,7 @@ func convertAdmissionAdmissionReviewToV1beta1AdmissionReview(in *admissionv1.Adm
 	} else {
 		out.Request = nil
 	}
-	out.Response = (*admissionv1beta1.AdmissionResponse)(unsafe.Pointer(in.Response))
+	out.Response = (*admissionv1beta1.AdmissionResponse)(unsafe.Pointer(in.Response)) // #nosec
 }
 
 func convertAdmissionAdmissionRequestToV1beta1AdmissionRequest(in *admissionv1.AdmissionRequest, out *admissionv1beta1.AdmissionRequest) {
@@ -78,8 +78,8 @@ func convertAdmissionAdmissionRequestToV1beta1AdmissionRequest(in *admissionv1.A
 	out.Kind = in.Kind
 	out.Resource = in.Resource
 	out.SubResource = in.SubResource
-	out.RequestKind = (*metav1.GroupVersionKind)(unsafe.Pointer(in.RequestKind))
-	out.RequestResource = (*metav1.GroupVersionResource)(unsafe.Pointer(in.RequestResource))
+	out.RequestKind = (*metav1.GroupVersionKind)(unsafe.Pointer(in.RequestKind))             // #nosec
+	out.RequestResource = (*metav1.GroupVersionResource)(unsafe.Pointer(in.RequestResource)) // #nosec
 	out.RequestSubResource = in.RequestSubResource
 	out.Name = in.Name
 	out.Namespace = in.Namespace

internal/file/file.go

@@ -17,7 +17,7 @@ limitations under the License.
 package file
 
 import (
-	"crypto/sha1"
+	"crypto/sha1" // #nosec
 	"encoding/hex"
 	"io/ioutil"
 
@@ -26,7 +26,7 @@ import (
 
 // SHA1 returns the SHA1 of a file.
 func SHA1(filename string) string {
-	hasher := sha1.New()
+	hasher := sha1.New() // #nosec
 	s, err := ioutil.ReadFile(filename)
 	if err != nil {
 		klog.ErrorS(err, "Error reading file", "path", filename)

internal/ingress/controller/controller.go

@@ -304,7 +304,7 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr
 	reserverdPorts := sets.NewInt(rp...)
 	// svcRef format: <(str)namespace>/<(str)service>:<(intstr)port>[:<("PROXY")decode>:<("PROXY")encode>]
 	for port, svcRef := range configmap.Data {
-		externalPort, err := strconv.Atoi(port)
+		externalPort, err := strconv.Atoi(port) // #nosec
 		if err != nil {
 			klog.Warningf("%q is not a valid %v port number", port, proto)
 			continue
@@ -342,11 +342,13 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr
 			continue
 		}
 		var endps []ingress.Endpoint
-		targetPort, err := strconv.Atoi(svcPort)
+		/* #nosec */
+		targetPort, err := strconv.Atoi(svcPort) // #nosec
 		if err != nil {
 			// not a port number, fall back to using port name
 			klog.V(3).Infof("Searching Endpoints with %v port name %q for Service %q", proto, svcPort, nsName)
-			for _, sp := range svc.Spec.Ports {
+			for i := range svc.Spec.Ports {
+				sp := svc.Spec.Ports[i]
 				if sp.Name == svcPort {
 					if sp.Protocol == proto {
 						endps = getEndpoints(svc, &sp, proto, n.store.GetServiceEndpoints)
@@ -356,7 +358,8 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr
 			}
 		} else {
 			klog.V(3).Infof("Searching Endpoints with %v port number %d for Service %q", proto, targetPort, nsName)
-			for _, sp := range svc.Spec.Ports {
+			for i := range svc.Spec.Ports {
+				sp := svc.Spec.Ports[i]
 				if sp.Port == int32(targetPort) {
 					if sp.Protocol == proto {
 						endps = getEndpoints(svc, &sp, proto, n.store.GetServiceEndpoints)
@@ -939,7 +942,8 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres
 		return upstreams, nil
 	}
 
-	for _, servicePort := range svc.Spec.Ports {
+	for i := range svc.Spec.Ports {
+		servicePort := svc.Spec.Ports[i]
 		// targetPort could be a string, use either the port name or number (int)
 		if strconv.Itoa(int(servicePort.Port)) == backendPort ||
 			servicePort.TargetPort.String() == backendPort ||
@@ -1498,7 +1502,7 @@ func shouldCreateUpstreamForLocationDefaultBackend(upstream *ingress.Backend, lo
 }
 
 func externalNamePorts(name string, svc *apiv1.Service) *apiv1.ServicePort {
-	port, err := strconv.Atoi(name)
+	port, err := strconv.Atoi(name) // #nosec
 	if err != nil {
 		// not a number. check port names.
 		for _, svcPort := range svc.Spec.Ports {

internal/ingress/controller/nginx.go

@@ -434,7 +434,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC
 				klog.Warningf("Missing Service for SSL Passthrough backend %q", pb.Backend)
 				continue
 			}
-			port, err := strconv.Atoi(pb.Port.String())
+			port, err := strconv.Atoi(pb.Port.String()) // #nosec
 			if err != nil {
 				for _, sp := range svc.Spec.Ports {
 					if sp.Name == pb.Port.String() {

internal/ingress/controller/template/template.go

@@ -18,13 +18,13 @@ package template
 
 import (
 	"bytes"
-	"crypto/sha1"
+	"crypto/sha1" // #nosec
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
-	"math/rand"
+	"math/rand" // #nosec
 	"net"
 	"net/url"
 	"os"
@@ -929,7 +929,7 @@ func buildAuthSignURL(authSignURL, authRedirectParam string) string {
 }
 
 func buildAuthSignURLLocation(location, authSignURL string) string {
-	hasher := sha1.New()
+	hasher := sha1.New() // #nosec
 	hasher.Write([]byte(location))
 	hasher.Write([]byte(authSignURL))
 	return "@" + hex.EncodeToString(hasher.Sum(nil))
@@ -944,7 +944,7 @@ func init() {
 func randomString() string {
 	b := make([]rune, 32)
 	for i := range b {
-		b[i] = letters[rand.Intn(len(letters))]
+		b[i] = letters[rand.Intn(len(letters))] // #nosec
 	}
 
 	return string(b)

internal/ingress/metric/collectors/socket.go

@@ -110,7 +110,7 @@ func NewSocketCollector(pod, namespace, class string, metricsPerHost bool) (*Soc
 		return nil, err
 	}
 
-	err = os.Chmod(socket, 0777)
+	err = os.Chmod(socket, 0777) // #nosec
 	if err != nil {
 		return nil, err
 	}

internal/ingress/status/status.go

@@ -181,7 +181,8 @@ func (s *statusSync) runningAddresses() ([]string, error) {
 	}
 
 	addrs := make([]string, 0)
-	for _, pod := range pods.Items {
+	for i := range pods.Items {
+		pod := pods.Items[i]
 		// only Running pods are valid
 		if pod.Status.Phase != apiv1.PodRunning {
 			continue

internal/net/ssl/ssl.go

@@ -20,7 +20,7 @@ import (
 	"bytes"
 	"crypto/rand"
 	"crypto/rsa"
-	"crypto/sha1"
+	"crypto/sha1" // #nosec
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
@@ -125,7 +125,7 @@ func CreateSSLCert(cert, key []byte, uid string) (*ingress.SSLCert, error) {
 		}
 	}
 
-	hasher := sha1.New()
+	hasher := sha1.New() // #nosec
 	hasher.Write(pemCert.Raw)
 
 	return &ingress.SSLCert{
@@ -504,9 +504,12 @@ func NewTLSListener(certificate, key string) *TLSListener {
 		keyPath:         key,
 		lock:            sync.Mutex{},
 	}
+
 	l.load()
-	watch.NewFileWatcher(certificate, l.load)
-	watch.NewFileWatcher(key, l.load)
+
+	_, _ = watch.NewFileWatcher(certificate, l.load)
+	_, _ = watch.NewFileWatcher(key, l.load)
+
 	return &l
 }
 
@@ -521,6 +524,7 @@ func (tl *TLSListener) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, e
 func (tl *TLSListener) TLSConfig() *tls.Config {
 	return &tls.Config{
 		GetCertificate: tl.GetCertificate,
+		MinVersion:     tls.VersionTLS12,
 	}
 }
 

internal/nginx/maxmind.go

@@ -118,7 +118,7 @@ func downloadDatabase(dbName string) error {
 
 			defer outFile.Close()
 
-			if _, err := io.Copy(outFile, tarReader); err != nil {
+			if _, err := io.CopyN(outFile, tarReader, header.Size); err != nil {
 				return err
 			}