Document GoSec nosec skip comments

2024-11-24 08:52:25 +02:00 · 2020-07-20 18:49:45 -07:00 · 2020-07-20 18:49:45 -07:00 · ad52587ae6
commit ad52587ae6
parent 2bb0160bf3
8 changed files with 20 additions and 31 deletions
--- a/http.go
+++ b/http.go
@ -119,18 +119,18 @@ type tcpKeepAliveListener struct {
 	*net.TCPListener
 }

-func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
+func (ln tcpKeepAliveListener) Accept() (net.Conn, error) {
 	tc, err := ln.AcceptTCP()
 	if err != nil {
-		return
+		return nil, err
 	}
 	err = tc.SetKeepAlive(true)
 	if err != nil {
-		return nil, err
+		logger.Printf("Error setting Keep-Alive: %v", err)
 	}
 	err = tc.SetKeepAlivePeriod(3 * time.Minute)
 	if err != nil {
-		return nil, err
+		logger.Printf("Error setting Keep-Alive period: %v", err)
 	}
 	return tc, nil
 }
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -413,6 +413,8 @@ func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
 		redirectURL = "/"
 	}

+	// We allow unescaped template.HTML since it is user configured options
+	/* #nosec G203 */
 	t := struct {
 		ProviderName  string
 		SignInMessage template.HTML
--- a/pkg/authentication/basic/htpasswd.go
+++ b/pkg/authentication/basic/htpasswd.go
@ -1,6 +1,7 @@
 package basic

 import (
+	// We support SHA1 & bcrypt in HTPasswd
 	"crypto/sha1" // #nosec G505
 	"encoding/base64"
 	"encoding/csv"
@ -29,6 +30,7 @@ type sha1Pass string
 // NewHTPasswdValidator constructs an httpasswd based validator from the file
 // at the path given.
 func NewHTPasswdValidator(path string) (Validator, error) {
+	// We allow HTPasswd location via config options
 	r, err := os.Open(path) // #nosec G304
 	if err != nil {
 		return nil, fmt.Errorf("could not open htpasswd file: %v", err)
@ -90,6 +92,7 @@ func (h *htpasswdMap) Validate(user string, password string) bool {

 	switch rp := realPassword.(type) {
 	case sha1Pass:
+		// We support SHA1 HTPasswd entries
 		d := sha1.New() // #nosec G401
 		_, err := d.Write([]byte(password))
 		if err != nil {
--- a/pkg/upstream/http.go
+++ b/pkg/upstream/http.go
@ -103,6 +103,7 @@ func newReverseProxy(target *url.URL, upstream options.Upstream, errorHandler Pr
 		proxy.FlushInterval = 1 * time.Second
 	}

+	// InsecureSkipVerify is a configurable option we allow
 	/* #nosec G402 */
 	if upstream.InsecureSkipTLSVerify {
 		proxy.Transport = &http.Transport{
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@ -12,6 +12,7 @@ func GetCertPool(paths []string) (*x509.CertPool, error) {
 	}
 	pool := x509.NewCertPool()
 	for _, path := range paths {
+		// Cert paths are a configurable option
 		data, err := ioutil.ReadFile(path) // #nosec G304
 		if err != nil {
 			return nil, fmt.Errorf("certificate authority file (%s) could not be read - %s", path, err)
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@ -30,6 +30,7 @@ func Validate(o *options.Options) error {
 	msgs = append(msgs, validateSessionCookieMinimal(o)...)

 	if o.SSLInsecureSkipVerify {
+		// InsecureSkipVerify is a configurable option we allow
 		/* #nosec G402 */
 		insecureTransport := &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
--- a/providers/logingov.go
+++ b/providers/logingov.go
@ -4,12 +4,9 @@ import (
 	"bytes"
 	"context"
 	"crypto/rsa"
-	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"math/rand"
-	"net/http"
 	"net/url"
 	"time"

@ -106,30 +103,12 @@ type loginGovCustomClaims struct {
 // checkNonce checks the nonce in the id_token
 func checkNonce(idToken string, p *LoginGovProvider) (err error) {
 	token, err := jwt.ParseWithClaims(idToken, &loginGovCustomClaims{}, func(token *jwt.Token) (interface{}, error) {
-		resp, myerr := http.Get(p.PubJWKURL.String())
-		if myerr != nil {
-			return nil, myerr
-		}
-		if resp.StatusCode != 200 {
-			myerr = fmt.Errorf("got %d from %q", resp.StatusCode, p.PubJWKURL.String())
-			return nil, myerr
-		}
-		body, myerr := ioutil.ReadAll(resp.Body)
-		if myerr != nil {
-			return nil, myerr
-		}
-		if myerr = resp.Body.Close(); myerr != nil {
-			return nil, myerr
-		}
-
 		var pubkeys jose.JSONWebKeySet
-		myerr = json.Unmarshal(body, &pubkeys)
-		if myerr != nil {
-			return nil, myerr
+		rerr := requests.New(p.PubJWKURL.String()).Do().UnmarshalInto(&pubkeys)
+		if rerr != nil {
+			return nil, rerr
 		}
-		pubkey := pubkeys.Keys[0]
-
-		return pubkey.Key, nil
+		return pubkeys.Keys[0].Key, nil
 	})
 	if err != nil {
 		return
--- a/validator.go
+++ b/validator.go
@ -19,10 +19,12 @@ type UserMap struct {
 }

 // NewUserMap parses the authenticated emails file into a new UserMap
+//
+// TODO (@NickMeves): Audit usage of `unsafe.Pointer` and potentially refactor
 func NewUserMap(usersFile string, done <-chan bool, onUpdate func()) *UserMap {
 	um := &UserMap{usersFile: usersFile}
 	m := make(map[string]bool)
-	atomic.StorePointer(&um.m, unsafe.Pointer(&m))
+	atomic.StorePointer(&um.m, unsafe.Pointer(&m)) // #nosec G103
 	if usersFile != "" {
 		logger.Printf("using authenticated emails file %s", usersFile)
 		WatchForUpdates(usersFile, done, func() {
@ -68,7 +70,7 @@ func (um *UserMap) LoadAuthenticatedEmailsFile() {
 		address := strings.ToLower(strings.TrimSpace(r[0]))
 		updated[address] = true
 	}
-	atomic.StorePointer(&um.m, unsafe.Pointer(&updated))
+	atomic.StorePointer(&um.m, unsafe.Pointer(&updated)) // #nosec G103
 }

 func newValidatorImpl(domains []string, usersFile string,