From b6e78efc1e77d7cfe6fedb9cce882bf7d78c969f Mon Sep 17 00:00:00 2001
From: Nick Meves
Date: Mon, 10 Aug 2020 15:11:38 -0700
Subject: [PATCH] Add `x-oauth-basic` nosec annotation & address gosec unhandled errors

---
 CHANGELOG.md | 1 +
 pkg/logger/logger.go | 12 ++++++++----
 pkg/middleware/jwt_session.go | 1 +
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index da1b7731..ac2946bc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@
 
 ## Changes since v6.0.0
 
+- [#719](https://github.com/oauth2-proxy/oauth2-proxy/pull/719) Add Gosec fixes to areas that are intermittently flagged on PRs (@NickMeves)
 - [#718](https://github.com/oauth2-proxy/oauth2-proxy/pull/718) Allow Logging to stdout with separate Error Log Channel
 - [#690](https://github.com/oauth2-proxy/oauth2-proxy/pull/690) Address GoSec security findings & remediate (@NickMeves)
 - [#689](https://github.com/oauth2-proxy/oauth2-proxy/pull/689) Fix finicky logging_handler_test from time drift (@NickMeves)
diff --git a/pkg/logger/logger.go b/pkg/logger/logger.go
index 6bc0ae82..d5aab57c 100644
--- a/pkg/logger/logger.go
+++ b/pkg/logger/logger.go
@@ -144,11 +144,10 @@ func (l *Logger) formatLogMessage(calldepth int, message string) []byte {
 		panic(err)
 	}
 
-	_, err = l.writer.Write([]byte("\n"))
+	_, err = logBuff.Write([]byte("\n"))
 	if err != nil {
 		panic(err)
 	}
-	logBuff.Write([]byte("\n"))
 
 	return logBuff.Bytes()
 }
@@ -162,11 +161,16 @@ func (l *Logger) Output(lvl Level, calldepth int, message string) {
 		return
 	}
 	msg := l.formatLogMessage(calldepth, message)
+
+	var err error
 	switch lvl {
 	case ERROR:
-		l.errWriter.Write(msg)
+		_, err = l.errWriter.Write(msg)
 	default:
-		l.writer.Write(msg)
+		_, err = l.writer.Write(msg)
+	}
+	if err != nil {
+		panic(err)
 	}
 }
 
diff --git a/pkg/middleware/jwt_session.go b/pkg/middleware/jwt_session.go
index f3dc85ab..3f17296d 100644
--- a/pkg/middleware/jwt_session.go
+++ b/pkg/middleware/jwt_session.go
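Review bot: The `if err != nil { panic(err) }` that follows the new `logBuff.Write([]byte("\n"))` is very likely unreachable: logBuff is not declared inside the hunk, but if it is a bytes.Buffer its Write is documented to always return a nil error, so the check only suggests an I/O that can fail. `logBuff.WriteString("\n")` states the intent (append a newline to the in-memory buffer) and drops the byte-slice conversion; if the check is kept to satisfy gosec, a one-line comment saying the error is always nil would stop the next reader from hunting for the failure mode. Separately, removing the old `l.writer.Write([]byte("\n"))` means a bare newline is no longer emitted to the main writer ahead of every message, a visible change in log output that deserves a sentence in the commit message. formatLogMessage begins before the hunk.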
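Review bot: The new `if err != nil { panic(err) }` at the end of Output turns any failure of the configured log sink into a crash of the whole process on the next log call, where the previous code dropped the error; a consumer closing its end of the stdout/stderr pipe, or a full disk behind a file-backed writer, now becomes an outage instead of lost log lines. A logger should degrade rather than abort: keep the result explicit so the unhandled-error rule is satisfied (gosec accepts a blank-assigned error in its default mode) but discard it with a reason, `_, _ = l.writer.Write(msg) // best-effort: a failing log sink must not take the process down`, and likewise for the errWriter branch, or hand the error to a fallback writer if the package has one (not visible here). If the panic is meant to surface a misconfigured writer, that is better checked once when the Logger is built than on every Output. Output's opening lines lie outside the hunk.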
@@ -121,6 +121,7 @@ func (j *jwtSessionLoader) getBasicToken(token string) (string, error) {
 	// check user, user+password, or just password for a token
 	if j.jwtRegex.MatchString(user) {
 		// Support blank passwords or magic `x-oauth-basic` passwords - nothing else
+		/* #nosec G101 */
 		if password == "" || password == "x-oauth-basic" {
 			return user, nil
 		}
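Review bot: The added `/* #nosec G101 */` suppresses gosec's hard-coded-credential rule on the `password == "x-oauth-basic"` comparison without recording why the finding is a false positive, and a bare suppression is exactly what an auditor grepping for `#nosec` will question later. Put the reason in the annotation so it survives future edits, e.g. `/* #nosec G101 -- "x-oauth-basic" is a public placeholder password; the token is the user field, matched by jwtRegex above */` (the `-- reason` suffix needs a gosec release that supports justifications; with older releases put the reason in the adjacent comment instead). Per gosec's documentation an annotation attached to a statement also silences scanning of everything nested inside it, so anything later added to this `if` body goes unchecked; that is tolerable here only because the body is a single return. getBasicToken begins before the hunk.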