Add scans with gosec

2025-05-02 19:56:15 +02:00 · 2022-02-13 15:06:54 +01:00 · 2022-02-13 15:06:54 +01:00 · 5cd3627dc6
commit 5cd3627dc6
parent 56f39cf64c
8 changed files with 47 additions and 12 deletions
--- a/2
+++ b/2
@ -13,10 +13,12 @@ test:
 	gocyclo -over 10 $(shell find . -iname '*.go' -type f)
 	staticcheck ./...
 	go test -v -cover ./...
+	gosec -exclude-dir=tests ./...

 .PHONY: setup
 setup:
 	go install github.com/fzipp/gocyclo/cmd/gocyclo@latest
+	go install github.com/securego/gosec/v2/cmd/gosec@latest
 	go install github.com/swaggo/swag/cmd/swag@latest
 	go install honnef.co/go/tools/cmd/staticcheck@latest

--- a/cmd/pushbits/main.go
+++ b/cmd/pushbits/main.go
@ -77,5 +77,8 @@ func main() {

 	engine := router.Create(c.Debug, cm, db, dp)

-	runner.Run(engine, c.HTTP.ListenAddress, c.HTTP.Port)
+	err = runner.Run(engine, c.HTTP.ListenAddress, c.HTTP.Port)
+	if err != nil {
+		log.Fatal(err)
+	}
 }
--- a/internal/api/application.go
+++ b/internal/api/application.go
@ -35,7 +35,11 @@ func (h *ApplicationHandler) registerApplication(ctx *gin.Context, a *model.Appl
 	}

 	a.MatrixID = channelID
-	h.DB.UpdateApplication(a)
+
+	err = h.DB.UpdateApplication(a)
+	if success := successOrAbort(ctx, http.StatusInternalServerError, err); !success {
+		return err
+	}

 	return nil
 }
@ -55,7 +59,6 @@ func (h *ApplicationHandler) createApplication(ctx *gin.Context, u *model.User,

 	if err := h.registerApplication(ctx, &application, u); err != nil {
 		err := h.DB.DeleteApplication(&application)
-
 		if success := successOrAbort(ctx, http.StatusInternalServerError, err); !success {
 			log.Printf("Cannot delete application with ID %d.", application.ID)
 		}
--- a/internal/api/user.go
+++ b/internal/api/user.go
@ -44,6 +44,8 @@ func (h *UserHandler) deleteApplications(ctx *gin.Context, u *model.User) error
 	}

 	for _, application := range applications {
+		application := application // See https://stackoverflow.com/a/68247837
+
 		if err := h.AH.deleteApplication(ctx, &application, u); err != nil {
 			return err
 		}
@ -59,6 +61,8 @@ func (h *UserHandler) updateChannels(ctx *gin.Context, u *model.User, matrixID s
 	}

 	for _, application := range applications {
+		application := application // See https://stackoverflow.com/a/68247837
+
 		err := h.DP.DeregisterApplication(&application, u)
 		if success := successOrAbort(ctx, http.StatusInternalServerError, err); !success {
 			return err
@ -68,6 +72,8 @@ func (h *UserHandler) updateChannels(ctx *gin.Context, u *model.User, matrixID s
 	u.MatrixID = matrixID

 	for _, application := range applications {
+		application := application // See https://stackoverflow.com/a/68247837
+
 		err := h.AH.registerApplication(ctx, &application, u)
 		if err != nil {
 			return err
--- a/internal/authentication/credentials/hibp.go
+++ b/internal/authentication/credentials/hibp.go
@ -1,7 +1,7 @@
 package credentials

 import (
-	"crypto/sha1"
+	"crypto/sha1" //#nosec G505 -- False positive, see the use below.
 	"fmt"
 	"io/ioutil"
 	"log"
@ -21,7 +21,7 @@ func IsPasswordPwned(password string) (bool, error) {
 		return true, nil
 	}

-	hash := sha1.Sum([]byte(password))
+	hash := sha1.Sum([]byte(password)) //#nosec G401 -- False positive, only the first 5 bytes are transmitted.
 	hashStr := fmt.Sprintf("%X", hash)
 	lookup := hashStr[0:5]
 	match := hashStr[5:]
--- a/internal/database/database.go
+++ b/internal/database/database.go
@ -24,8 +24,10 @@ type Database struct {
 }

 func createFileDir(file string) {
-	if _, err := os.Stat(filepath.Dir(file)); os.IsNotExist(err) {
-		if err := os.MkdirAll(filepath.Dir(file), 0775); err != nil {
+	dir := filepath.Dir(file)
+
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		if err := os.MkdirAll(dir, 0750); err != nil {
 			panic(err)
 		}
 	}
@ -67,14 +69,20 @@ func Create(cm *credentials.Manager, dialect, connection string) (*Database, err
 		sql.SetConnMaxLifetime(9 * time.Minute)
 	}

-	db.AutoMigrate(&model.User{}, &model.Application{})
+	err = db.AutoMigrate(&model.User{}, &model.Application{})
+	if err != nil {
+		return nil, err
+	}

 	return &Database{gormdb: db, sqldb: sql, credentialsManager: cm}, nil
 }

 // Close closes the database connection.
 func (d *Database) Close() {
-	d.sqldb.Close()
+	err := d.sqldb.Close()
+	if err != nil {
+		log.Printf("Error while closing database: %s", err)
+	}
 }

 // Populate fills the database with initial information like the admin user.
@ -111,12 +119,16 @@ func (d *Database) RepairChannels(dp Dispatcher) error {
 	}

 	for _, user := range users {
+		user := user // See https://stackoverflow.com/a/68247837
+
 		applications, err := d.GetApplications(&user)
 		if err != nil {
 			return err
 		}

 		for _, application := range applications {
+			application := application // See https://stackoverflow.com/a/68247837
+
 			if err := dp.UpdateApplication(&application); err != nil {
 				return err
 			}
--- a/internal/dispatcher/dispatcher.go
+++ b/internal/dispatcher/dispatcher.go
@ -44,7 +44,11 @@ func Create(homeserver, username, password string, formatting configuration.Form
 func (d *Dispatcher) Close() {
 	log.Printf("Logging out.")

-	d.client.Logout()
+	_, err := d.client.Logout()
+	if err != nil {
+		log.Printf("Error while logging out: %s", err)
+	}
+
 	d.client.ClearCredentials()

 	log.Printf("Successfully logged out.")
--- a/internal/runner/runner.go
+++ b/internal/runner/runner.go
@ -7,6 +7,11 @@ import (
 )

 // Run starts the Gin engine.
-func Run(engine *gin.Engine, address string, port int) {
-	engine.Run(fmt.Sprintf("%s:%d", address, port))
+func Run(engine *gin.Engine, address string, port int) error {
+	err := engine.Run(fmt.Sprintf("%s:%d", address, port))
+	if err != nil {
+		return err
+	}
+
+	return nil
 }