From b0828f2dcd2aa058bf7139745fed9f72c7c43988 Mon Sep 17 00:00:00 2001
From: Jacob Gadikian
Date: Tue, 6 Aug 2024 04:44:10 +0700
Subject: [PATCH] chore: enable gosec linter (#4161)
* gosec
* gosec
* secure use of tar files
* fix lint issues
* fix tests
---------
Co-authored-by: Danilo Pantani
---
 .golangci.yml | 1 +
 ignite/cmd/account_export.go | 2 +-
 ignite/cmd/chain.go | 2 +-
 ignite/internal/analytics/analytics.go | 2 +-
 .../plugin/testdata/execute_fail/go.mod | 16 ++++++------
 .../plugin/testdata/execute_ok/go.mod | 16 ++++++------
 ignite/internal/tools/gen-config-doc/go.mod | 8 +++---
 ignite/internal/tools/gen-config-doc/go.sum | 4 +++
 ignite/internal/tools/gen-mig-diffs/go.mod | 12 ++++-----
 ignite/internal/tools/gen-mig-diffs/go.sum | 6 +++++
 ignite/pkg/availableport/availableport.go | 25 +++++++------------
 .../pkg/availableport/availableport_test.go | 2 --
 ignite/pkg/chaincmd/runner/chain.go | 2 +-
 ignite/pkg/checksum/checksum.go | 2 +-
 ignite/pkg/cmdrunner/cmdrunner.go | 2 +-
 ignite/pkg/cosmosgen/generate_openapi.go | 2 +-
 ignite/pkg/cosmosgen/sta.go | 2 +-
 ignite/pkg/dircache/cache_test.go | 10 ++++----
 ignite/pkg/dirchange/dirchange.go | 4 +--
 ignite/pkg/dirchange/dirchange_test.go | 4 +--
 ignite/pkg/localfs/save.go | 2 +-
 ignite/pkg/matomo/matomo.go | 6 +++--
 ignite/pkg/randstr/randstr.go | 6 +++--
 ignite/pkg/swagger-combine/swagger-combine.go | 2 +-
 ignite/pkg/tarball/tarball.go | 23 ++++++++++++++++-
 ignite/services/chain/serve.go | 6 +++--
 ignite/services/doctor/doctor.go | 4 +--
 ignite/services/plugin/plugin.go | 2 +-
 ignite/templates/typed/singleton/singleton.go | 15 ++++++++---
 integration/app.go | 2 +-
 .../plugin/testdata/example-plugin/go.mod | 16 ++++++------
 31 files changed, 123 insertions(+), 85 deletions(-)
diff --git a/.golangci.yml b/.golangci.yml
index 063b1c8f07..0d15813daa 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -20,6 +20,7 @@ linters:
 - godot
 - gofumpt
 - revive
+ - gosec
 - gosimple
 - govet
 - grouper
diff --git a/ignite/cmd/account_export.go b/ignite/cmd/account_export.go
index 0bb62e3791..3ced1b63d4 100644
--- a/ignite/cmd/account_export.go
+++ b/ignite/cmd/account_export.go
@@ -61,7 +61,7 @@ func accountExportHandler(cmd *cobra.Command, args []string) error {
 return err
 }
- if err := os.WriteFile(path, []byte(armored), 0o644); err != nil {
+ if err := os.WriteFile(path, []byte(armored), 0o600); err != nil {
 return err
 }
diff --git a/ignite/cmd/chain.go b/ignite/cmd/chain.go
index c128b1ae43..02dc27992d 100644
--- a/ignite/cmd/chain.go
+++ b/ignite/cmd/chain.go
@@ -187,7 +187,7 @@ func toolsMigrationPreRunHandler(cmd *cobra.Command, session *cliui.Session, app
 return err
 }
- return os.WriteFile(toolsFilename, buf.Bytes(), 0o644)
+ return os.WriteFile(toolsFilename, buf.Bytes(), 0o600)
 }
 func bufMigrationPreRunHandler(cmd *cobra.Command, session *cliui.Session, appPath, protoDir string) error {
diff --git a/ignite/internal/analytics/analytics.go b/ignite/internal/analytics/analytics.go
index 2ea1c5e538..3858aa7117 100644
--- a/ignite/internal/analytics/analytics.go
+++ b/ignite/internal/analytics/analytics.go
@@ -151,7 +151,7 @@ func checkDNT() (anonIdentity, error) {
 return i, err
 }
- return i, os.WriteFile(identityPath, data, 0o700)
+ return i, os.WriteFile(identityPath, data, 0o600)
 }
 func getIsCI() bool {
diff --git a/ignite/internal/plugin/testdata/execute_fail/go.mod b/ignite/internal/plugin/testdata/execute_fail/go.mod
index 93c6b097b1..f0f3c2effe 100644
--- a/ignite/internal/plugin/testdata/execute_fail/go.mod
+++ b/ignite/internal/plugin/testdata/execute_fail/go.mod
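Review bot: os.WriteFile applies the mode only when it creates the file, so the 0o600 here does not tighten an export file that already exists with the old 0o644; if the intent is to protect the armored key on re-export, add `if err := os.Chmod(path, 0o600); err != nil { return err }` after the write (or open with os.OpenFile and Chmod explicitly). The same create-only caveat applies to every other WriteFile hunk in this commit (chain.go, analytics.go, runner/chain.go, checksum.go, generate_openapi.go, sta.go, localfs/save.go, swagger-combine.go, doctor.go, integration/app.go), but most of those files are not secrets — a generated tools.go, the checksum file that was deliberately 0o666, OpenAPI specs, route-name.eta and the project config.yml — and making them owner-only changes how a checked-out project can be shared between users on one machine. For those a `//nolint:gosec // G306: generated project file, not sensitive` with the original mode would be the more deliberate fix, keeping 0o600 for the exported key and the analytics identity. accountExportHandler's body continues outside the hunk.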
@@ -24,7 +24,7 @@ require ( github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect github.com/cockroachdb/redact v1.1.5 // indirect github.com/cosmos/btcutil v1.0.5 // indirect - github.com/cosmos/cosmos-sdk v0.50.7 // indirect + github.com/cosmos/cosmos-sdk v0.50.8 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/fatih/color v1.16.0 // indirect @@ -81,17 +81,17 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect go.etcd.io/bbolt v1.3.9 // indirect - golang.org/x/crypto v0.23.0 // indirect + golang.org/x/crypto v0.24.0 // indirect golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.25.0 // indirect + golang.org/x/net v0.26.0 // indirect golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect - golang.org/x/tools v0.21.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect + golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect - google.golang.org/grpc v1.64.0 // indirect + google.golang.org/grpc v1.64.1 // indirect google.golang.org/protobuf v1.34.1 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/ignite/internal/plugin/testdata/execute_ok/go.mod b/ignite/internal/plugin/testdata/execute_ok/go.mod index f012ea498e..297a0b3f15 100644 --- a/ignite/internal/plugin/testdata/execute_ok/go.mod +++ b/ignite/internal/plugin/testdata/execute_ok/go.mod 
@@ -24,7 +24,7 @@ require ( github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect github.com/cockroachdb/redact v1.1.5 // indirect github.com/cosmos/btcutil v1.0.5 // indirect - github.com/cosmos/cosmos-sdk v0.50.7 // indirect + github.com/cosmos/cosmos-sdk v0.50.8 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/fatih/color v1.16.0 // indirect @@ -81,17 +81,17 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect go.etcd.io/bbolt v1.3.9 // indirect - golang.org/x/crypto v0.23.0 // indirect + golang.org/x/crypto v0.24.0 // indirect golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.25.0 // indirect + golang.org/x/net v0.26.0 // indirect golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect - golang.org/x/tools v0.21.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect + golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect - google.golang.org/grpc v1.64.0 // indirect + google.golang.org/grpc v1.64.1 // indirect google.golang.org/protobuf v1.34.1 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/ignite/internal/tools/gen-config-doc/go.mod b/ignite/internal/tools/gen-config-doc/go.mod index a0a106bd03..cd7a57dc63 100644 --- a/ignite/internal/tools/gen-config-doc/go.mod +++ b/ignite/internal/tools/gen-config-doc/go.mod 
@@ -61,10 +61,10 @@ require ( github.com/sourcegraph/annotate v0.0.0-20160123013949-f4cad6c6324d // indirect github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e // indirect github.com/spf13/pflag v1.0.5 // indirect - golang.org/x/net v0.25.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect + golang.org/x/net v0.26.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/ignite/internal/tools/gen-config-doc/go.sum b/ignite/internal/tools/gen-config-doc/go.sum index 5950d5e1fa..837784ad25 100644 --- a/ignite/internal/tools/gen-config-doc/go.sum +++ b/ignite/internal/tools/gen-config-doc/go.sum @@ -195,6 +195,7 @@ golang.org/x/net v0.0.0-20221002022538-bcab6841153b/go.mod h1:YDH+HFinaLZZlnHAfS golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -220,12 +221,14 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= 
@@ -233,6 +236,7 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= diff --git a/ignite/internal/tools/gen-mig-diffs/go.mod b/ignite/internal/tools/gen-mig-diffs/go.mod index 62587eac19..fb1fb8a31b 100644 --- a/ignite/internal/tools/gen-mig-diffs/go.mod +++ b/ignite/internal/tools/gen-mig-diffs/go.mod @@ -79,14 +79,14 @@ require ( github.com/sourcegraph/syntaxhighlight v0.0.0-20170531221838-bd320f5d308e // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect - golang.org/x/crypto v0.23.0 // indirect + golang.org/x/crypto v0.24.0 // indirect golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.25.0 // indirect + golang.org/x/net v0.26.0 // indirect golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect - golang.org/x/tools v0.21.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect + golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) diff --git a/ignite/internal/tools/gen-mig-diffs/go.sum b/ignite/internal/tools/gen-mig-diffs/go.sum index 4e21801d8b..fd44fca688 100644 
--- a/ignite/internal/tools/gen-mig-diffs/go.sum +++ b/ignite/internal/tools/gen-mig-diffs/go.sum @@ -226,6 +226,7 @@ golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2Uz golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI= golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8= +golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= @@ -247,6 +248,7 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac= golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= +golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -278,6 +280,7 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y= golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220722155259-a9ba230a4035/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -286,6 +289,7 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw= golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY= +golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -295,6 +299,7 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk= golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= +golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= @@ -303,6 +308,7 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU= golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw= golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= +golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/ignite/pkg/availableport/availableport.go b/ignite/pkg/availableport/availableport.go index d36f828514..bd5b13f3ef 100644 --- a/ignite/pkg/availableport/availableport.go +++ b/ignite/pkg/availableport/availableport.go 
@@ -1,28 +1,21 @@
 package availableport
 import (
+ "crypto/rand"
 "fmt"
- "math/rand"
+ "math/big"
 "net"
- "time"
 "github.com/ignite/cli/v29/ignite/pkg/errors"
 )
 type availablePortOptions struct {
- randomizer *rand.Rand
- minPort uint
- maxPort uint
+ minPort uint
+ maxPort uint
 }
 type Options func(o *availablePortOptions)
-func WithRandomizer(r *rand.Rand) Options {
- return func(o *availablePortOptions) {
- o.randomizer = r
- }
-}
-
 func WithMaxPort(maxPort uint) Options {
 return func(o *availablePortOptions) {
 o.maxPort = maxPort
@@ -41,9 +34,8 @@ func WithMinPort(minPort uint) Options {
 func Find(n uint, options ...Options) (ports []uint, err error) {
 // Defining them before so we can set a value depending on the AvailablePortOptions
 opts := availablePortOptions{
- minPort: 44000,
- maxPort: 55000,
- randomizer: rand.New(rand.NewSource(time.Now().UnixNano())),
+ minPort: 44000,
+ maxPort: 55000,
 }
 for _, apply := range options {
@@ -64,8 +56,9 @@ func Find(n uint, options ...Options) (ports []uint, err error) {
 for len(registered) < int(n) {
 // Greater or equal to min and lower than max
 totalPorts := opts.maxPort - opts.minPort + 1
- randomPort := opts.randomizer.Intn(int(totalPorts))
- port := uint(randomPort) + opts.minPort
+
+ randomPort, _ := rand.Int(rand.Reader, big.NewInt(int64(totalPorts)))
+ port := uint(randomPort.Uint64()) + opts.minPort
 conn, err := net.Dial("tcp", fmt.Sprintf(":%d", port))
 // if there is an error, this might mean that no one is listening from this port
diff --git a/ignite/pkg/availableport/availableport_test.go b/ignite/pkg/availableport/availableport_test.go
index ae967e3e39..a641ff4a5c 100644
--- a/ignite/pkg/availableport/availableport_test.go
+++ b/ignite/pkg/availableport/availableport_test.go
@@ -1,7 +1,6 @@
 package availableport_test
 import (
- "math/rand"
 "testing"
 "github.com/stretchr/testify/require"
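Review bot: `randomPort, _ := rand.Int(...)` discards the error, and on failure crypto/rand.Int returns a nil *big.Int, so `randomPort.Uint64()` on the next line panics instead of surfacing the error that Find already knows how to return; use `randomPort, err := rand.Int(rand.Reader, big.NewInt(int64(totalPorts)))` followed by `if err != nil { return nil, err }`. The same ignored-error pattern is introduced in matomo.go (`r, _ = rand.Int(...)`, with r used outside that hunk) and randstr.go (`num, _ := rand.Int(...)`, then `num.Int64()` dereferenced); singleton.go is the one place in this commit that checks the error. Dropping WithRandomizer is also a breaking API change that removes the only way to make Find deterministic in tests (the test case in availableport_test.go is still named "with randomizer"), and picking a free local port is not security-sensitive, so a `//nolint:gosec // G404: port selection is not security relevant` on the math/rand call would have kept the seedable option. Find's body continues outside the hunk.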
@@ -51,7 +50,6 @@ func TestFind(t *testing.T) {
 name: "with randomizer",
 n: 100,
 options: []availableport.Options{
- availableport.WithRandomizer(rand.New(rand.NewSource(2023))),
 availableport.WithMinPort(100),
 availableport.WithMaxPort(200),
 },
diff --git a/ignite/pkg/chaincmd/runner/chain.go b/ignite/pkg/chaincmd/runner/chain.go
index ecd61d7856..7e60719713 100644
--- a/ignite/pkg/chaincmd/runner/chain.go
+++ b/ignite/pkg/chaincmd/runner/chain.go
@@ -240,7 +240,7 @@ func (r Runner) Export(ctx context.Context, exportedFile string) error {
 }
 // Save the new state
- return os.WriteFile(exportedFile, exportedState, 0o644)
+ return os.WriteFile(exportedFile, exportedState, 0o600)
 }
 // EventSelector is used to query events.
diff --git a/ignite/pkg/checksum/checksum.go b/ignite/pkg/checksum/checksum.go
index 56054147c7..b9e7e89b11 100644
--- a/ignite/pkg/checksum/checksum.go
+++ b/ignite/pkg/checksum/checksum.go
@@ -42,7 +42,7 @@ func Sum(dirPath, outPath string) error {
 }
 }
- return os.WriteFile(outPath, b.Bytes(), 0o666)
+ return os.WriteFile(outPath, b.Bytes(), 0o600)
 }
 // Binary returns SHA256 hash of executable file, file is searched by name in PATH.
diff --git a/ignite/pkg/cmdrunner/cmdrunner.go b/ignite/pkg/cmdrunner/cmdrunner.go
index 8883db157f..6e1d608d4e 100644
--- a/ignite/pkg/cmdrunner/cmdrunner.go
+++ b/ignite/pkg/cmdrunner/cmdrunner.go
@@ -233,7 +233,7 @@ func (r *Runner) newCommand(step *step.Step) Executor {
 }
 // Initialize command
- command := exec.Command(step.Exec.Command, step.Exec.Args...)
+ command := exec.Command(step.Exec.Command, step.Exec.Args...) //nolint:gosec
 command.Stdout = stdout
 command.Stderr = stderr
 command.Dir = dir
diff --git a/ignite/pkg/cosmosgen/generate_openapi.go b/ignite/pkg/cosmosgen/generate_openapi.go
index 7e40704d60..193c74c439 100644
--- a/ignite/pkg/cosmosgen/generate_openapi.go
+++ b/ignite/pkg/cosmosgen/generate_openapi.go
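Review bot: The `//nolint:gosec` on the exec.Command line in cmdrunner.go carries no justification, so the next reader cannot tell whether G204 (subprocess launched with a variable) was judged acceptable or just silenced; golangci-lint's convention (enforced by nolintlint where enabled) is `//nolint:gosec // G204: command and args come from the step definition, not from untrusted input`, assuming that is indeed where step.Exec originates — worth confirming, since the hunk does not show the callers. The same unexplained suppression is added on `cfg.Cmd = exec.Command(p.binaryPath())` in plugin.go, where the reason (the binary path is derived from the plugin's own install location) would likewise be worth one comment. newCommand's body continues outside the hunk.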
@@ -65,7 +65,7 @@ func (g *generator) generateOpenAPISpec(ctx context.Context) error {
 if !errors.Is(err, cache.ErrorNotFound) {
 specPath := filepath.Join(dir, specFilename)
- if err := os.WriteFile(specPath, existingSpec, 0o644); err != nil {
+ if err := os.WriteFile(specPath, existingSpec, 0o600); err != nil {
 return err
 }
 return conf.AddSpec(name, specPath, true)
diff --git a/ignite/pkg/cosmosgen/sta.go b/ignite/pkg/cosmosgen/sta.go
index 0d72a6df50..c6c5e7b624 100644
--- a/ignite/pkg/cosmosgen/sta.go
+++ b/ignite/pkg/cosmosgen/sta.go
@@ -54,5 +54,5 @@ return createCustomOperationId(method, route, moduleName);
 // generateRouteNameFile generates the `route-name.eta` file.
 func generateRouteNameFile(outPath string) error {
 outTemplate := filepath.Join(outPath, "route-name.eta")
- return os.WriteFile(outTemplate, []byte(routeNameTemplate), 0o644)
+ return os.WriteFile(outTemplate, []byte(routeNameTemplate), 0o600)
 }
diff --git a/ignite/pkg/dircache/cache_test.go b/ignite/pkg/dircache/cache_test.go
index 8ba7d24953..d91d3e0949 100644
--- a/ignite/pkg/dircache/cache_test.go
+++ b/ignite/pkg/dircache/cache_test.go
@@ -30,7 +30,7 @@ func Test_cacheKey(t *testing.T) {
 args: args{
 src: wd,
 },
- want: "78f544d2184b8076ac527ba4728822de1a7fc77bf2d6a77e44d0193cb63ed26e",
+ want: "4cf0539ac24f8ebc9ee17b81d0ea880e55d2ba98a4e355affe3c3f8a0cdb01ee",
 },
 {
 name: "one key",
@@ -38,7 +38,7 @@ func Test_cacheKey(t *testing.T) {
 src: wd,
 keys: []string{"test"},
 },
- want: "5701099a1fcc67cd8b694295fbdecf537edcc8733bcc3adae0bdd7e65e28c8e5",
+ want: "dc7b4e68b7b9d827b3833845202818a11a1105542a3551052c012d815a64e7ae",
 },
 {
 name: "two keys",
@@ -46,7 +46,7 @@ func Test_cacheKey(t *testing.T) {
 src: wd,
 keys: []string{"test1", "test2"},
 },
- want: "6299c9bd405a1c073fa711006f8aadf6420cf522ef446e36fc01586354726095",
+ want: "a017b975dd0a30efc7fbc515af9b3c37657c20a509fd5771111d4c0e43d373b0",
 },
 {
 name: "duplicated keys",
@@ -54,7 +54,7 @@ func Test_cacheKey(t *testing.T) {
 src: wd,
 keys: []string{"test", "test"},
 },
- want: "b9eb1b01931deccc44a354ab5aeb52337a465e5559069eb35b71ea0cbfe3c87f",
+ want: "26ce20a6c4563963fd646121948cd62137a143317c970a52a3ec8ed9979c868d",
 },
 {
 name: "many keys",
@@ -62,7 +62,7 @@ func Test_cacheKey(t *testing.T) {
 src: wd,
 keys: []string{"test1", "test2", "test3", "test4", "test5", "test6", "test6"},
 },
- want: "bbe74cfd33ba4d1244e8d0ea3e430081d06ed55be12c7772d345d3117a4dfc90",
+ want: "f9cd1468363ff902bdd5a93c9c7c43c83c9074796486306a7da046a082314121",
 },
 {
 name: "invalid source",
diff --git a/ignite/pkg/dirchange/dirchange.go b/ignite/pkg/dirchange/dirchange.go
index 866866db56..0b42b81904 100644
--- a/ignite/pkg/dirchange/dirchange.go
+++ b/ignite/pkg/dirchange/dirchange.go
@@ -2,7 +2,7 @@ package dirchange
 import (
 "bytes"
- "crypto/md5"
+ "crypto/sha256"
 "os"
 "path/filepath"
@@ -60,7 +60,7 @@ func HasDirChecksumChanged(checksumCache cache.Cache[[]byte], cacheKey string, w
 // ChecksumFromPaths computes the md5 checksum from the provided paths.
 // Relative paths to the workdir are used. If workdir is empty, string paths are absolute.
 func ChecksumFromPaths(workdir string, paths ...string) ([]byte, error) {
- hash := md5.New()
+ hash := sha256.New()
 // Can't compute hash if no file present
 noFile := true
diff --git a/ignite/pkg/dirchange/dirchange_test.go b/ignite/pkg/dirchange/dirchange_test.go
index d7a361ceef..cf5088082d 100644
--- a/ignite/pkg/dirchange/dirchange_test.go
+++ b/ignite/pkg/dirchange/dirchange_test.go
@@ -73,8 +73,8 @@ func TestHasDirChecksumChanged(t *testing.T) {
 paths := []string{dir1, dir2, dir3}
 checksum, err := dirchange.ChecksumFromPaths("", paths...)
 require.NoError(t, err)
- // md5 checksum is 16 bytes
- require.Len(t, checksum, 16)
+ // sha256 checksum is 32 bytes
+ require.Len(t, checksum, 32)
 // Checksum remains the same if a file is deleted and recreated with the same content
 err = os.Remove(filepath.Join(dir1, "foo"))
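Review bot: The doc comment two lines above the change still reads `// ChecksumFromPaths computes the md5 checksum from the provided paths.` while the body now calls sha256.New(); it should say `// ChecksumFromPaths computes the sha256 checksum from the provided paths.` so the documentation matches the digest (the test comment in dirchange_test.go was updated, this one was not). Changing the digest also changes the length and value of every checksum already stored in the checksum cache, so HasDirChecksumChanged will presumably report a change once for each existing entry after upgrade — harmless if the cache is only an optimisation, but worth a sentence in the PR description. ChecksumFromPaths's body continues outside the hunk.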
diff --git a/ignite/pkg/localfs/save.go b/ignite/pkg/localfs/save.go
index a06c984df6..cdebe00aac 100644
--- a/ignite/pkg/localfs/save.go
+++ b/ignite/pkg/localfs/save.go
@@ -71,6 +71,6 @@ func Save(f fs.FS, path string) error {
 return err
 }
- return os.WriteFile(out, content, 0o644)
+ return os.WriteFile(out, content, 0o600)
 })
 }
diff --git a/ignite/pkg/matomo/matomo.go b/ignite/pkg/matomo/matomo.go
index 4c05e5967d..d7e095f5c8 100644
--- a/ignite/pkg/matomo/matomo.go
+++ b/ignite/pkg/matomo/matomo.go
@@ -2,8 +2,10 @@ package matomo
 import (
+ "crypto/rand"
 "fmt"
- "math/rand"
+ "math"
+ "math/big"
 "net/http"
 "net/url"
 "strings"
@@ -191,7 +193,7 @@ func (c Client) Send(params Params) error {
 func (c Client) SendMetric(sessionID string, metric Metric) error {
 var (
 now = time.Now()
- r = rand.New(rand.NewSource(now.Unix()))
+ r, _ = rand.Int(rand.Reader, big.NewInt(math.MaxInt64))
 utmMedium = "dev"
 )
 if !metric.BuildFromSource {
diff --git a/ignite/pkg/randstr/randstr.go b/ignite/pkg/randstr/randstr.go
index df2e27f230..ba4d72f920 100644
--- a/ignite/pkg/randstr/randstr.go
+++ b/ignite/pkg/randstr/randstr.go
@@ -1,7 +1,8 @@
 package randstr
 import (
- "math/rand"
+ "crypto/rand"
+ "math/big"
 )
 var letterRunes = []rune("abcdefghijklmnopqrstuvwxyz")
@@ -10,7 +11,8 @@ var letterRunes = []rune("abcdefghijklmnopqrstuvwxyz")
 func Runes(n int) string {
 b := make([]rune, n)
 for i := range b {
- b[i] = letterRunes[rand.Intn(len(letterRunes))]
+ num, _ := rand.Int(rand.Reader, big.NewInt(int64(len(letterRunes))))
+ b[i] = letterRunes[num.Int64()]
 }
 return string(b)
 }
diff --git a/ignite/pkg/swagger-combine/swagger-combine.go b/ignite/pkg/swagger-combine/swagger-combine.go
index b44d144e94..c8cdb90a63 100644
--- a/ignite/pkg/swagger-combine/swagger-combine.go
+++ b/ignite/pkg/swagger-combine/swagger-combine.go
@@ -114,7 +114,7 @@ func (c *Config) Combine(out string) error {
 if err := os.MkdirAll(outDir, 0o766); err != nil {
 return err
 }
- if err = os.WriteFile(out, specJSON, 0o644); err != nil {
+ if err = os.WriteFile(out, specJSON, 0o600); err != nil {
 return errors.Wrapf(err, "failed to write combined spec to file %s", out)
 }
 return nil
diff --git a/ignite/pkg/tarball/tarball.go b/ignite/pkg/tarball/tarball.go
index 5e7843d54d..77c8e706f4 100644
--- a/ignite/pkg/tarball/tarball.go
+++ b/ignite/pkg/tarball/tarball.go
@@ -5,6 +5,7 @@ import (
 "compress/gzip"
 "io"
 "path/filepath"
+ "strings"
 "github.com/ignite/cli/v29/ignite/pkg/errors"
 )
@@ -16,6 +17,10 @@ var (
 ErrNotGzipType = errors.New("file is not a gzip type")
 // ErrInvalidFileName the file name is invalid.
 ErrInvalidFileName = errors.New("invalid file name")
+ // ErrInvalidFilePath the file path is invalid.
+ ErrInvalidFilePath = errors.New("invalid file path")
+ // ErrFileTooLarge the file is too large to extract.
+ ErrFileTooLarge = errors.New("file too large to extract")
 )
 // ExtractFile founds and reads a specific file into a gzip file and folders recursively.
@@ -42,13 +47,23 @@ func ExtractFile(reader io.Reader, out io.Writer, fileName string) (string, erro
 return header.Name, err
 }
+ // Validate the file path
+ if !isValidPath(header.Name) {
+ return "", ErrInvalidFilePath
+ }
+
 switch header.Typeflag {
 case tar.TypeDir:
 continue
 case tar.TypeReg:
 name := filepath.Base(header.Name)
 if fileName == name {
- _, err := io.Copy(out, tarReader)
+ // Limit the size of the file to extract
+ if header.Size > 100<<20 { // 100 MB limit
+ return "", ErrFileTooLarge
+ }
+ limitedReader := io.LimitReader(tarReader, 1000<<20) // 1000 MB limit
+ _, err := io.Copy(out, limitedReader)
 return header.Name, err
 }
 default:
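Review bot: The `io.LimitReader(tarReader, 1000<<20)` is dead protection: tar.Reader already returns EOF at header.Size, and header.Size was rejected above 100<<20 two lines earlier, so the copy can never approach the 1000 MB cap and the two numbers only look like they disagree. Either copy from tarReader directly, `_, err := io.Copy(out, tarReader)`, or lift the one real bound into a documented constant, `const maxExtractSize = 100 << 20 // largest entry ExtractFile will copy`, and use it in both places. `return "", ErrFileTooLarge` also breaks the surrounding convention of `return header.Name, err`, which loses the name of the entry that tripped the limit for the caller's error message. ExtractFile's body continues outside the hunk.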
@@ -56,3 +71,9 @@ func ExtractFile(reader io.Reader, out io.Writer, fileName string) (string, erro
 }
 }
 }
+
+// isValidPath checks for directory traversal attacks.
+func isValidPath(filePath string) bool {
+ cleanPath := filepath.Clean(filePath)
+ return !strings.Contains(cleanPath, "..")
+}
diff --git a/ignite/services/chain/serve.go b/ignite/services/chain/serve.go
index 9b1ebc5a09..99df738b80 100644
--- a/ignite/services/chain/serve.go
+++ b/ignite/services/chain/serve.go
@@ -9,6 +9,7 @@ import (
 "path/filepath"
 "regexp"
 "strings"
+ "time"
 "github.com/otiai10/copy"
 "golang.org/x/sync/errgroup"
@@ -566,8 +567,9 @@ func (c *Chain) runFaucetServer(ctx context.Context, faucet cosmosfaucet.Faucet)
 }
 return xhttp.Serve(ctx, &http.Server{
- Addr: chainconfig.FaucetHost(cfg),
- Handler: faucet,
+ Addr: chainconfig.FaucetHost(cfg),
+ Handler: faucet,
+ ReadHeaderTimeout: 5 * time.Second, // Set a reasonable timeout
 })
 }
diff --git a/ignite/services/doctor/doctor.go b/ignite/services/doctor/doctor.go
index ca18adba00..c18468148c 100644
--- a/ignite/services/doctor/doctor.go
+++ b/ignite/services/doctor/doctor.go
@@ -87,7 +87,7 @@ func (d *Doctor) MigrateConfig(_ context.Context) error {
 return errf(err)
 }
- if err := os.WriteFile(configPath, buf.Bytes(), 0o755); err != nil {
+ if err := os.WriteFile(configPath, buf.Bytes(), 0o600); err != nil {
 return errf(errors.Errorf("config file migration failed: %w", err))
 }
@@ -231,7 +231,7 @@ func (d Doctor) ensureDependencyImports(toolsFilename string) (bool, error) {
 return false, err
 }
- err = os.WriteFile(toolsFilename, buf.Bytes(), 0o644)
+ err = os.WriteFile(toolsFilename, buf.Bytes(), 0o600)
 if err != nil {
 return false, err
 }
diff --git a/ignite/services/plugin/plugin.go b/ignite/services/plugin/plugin.go
index 6955d14ab7..6ed818964e 100644
--- a/ignite/services/plugin/plugin.go
+++ b/ignite/services/plugin/plugin.go
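Review bot: `strings.Contains(cleanPath, "..")` rejects any legitimate archive entry whose name merely contains two consecutive dots (`foo..bar`, `v1..v2.txt`) while still accepting absolute names such as `/etc/x`, and because tar entry names are slash-separated, `filepath.Clean` is the wrong normaliser on Windows, where it rewrites `../x` to `..\x` and the check behaves differently per platform. A `path`-based check that rejects empty and absolute names and a leading `..` segment is both tighter and more permissive in the right places; it needs `"path"` added to the imports. Within ExtractFile, header.Name is only passed to filepath.Base and returned to the caller, so this guard protects callers that write to disk using the returned name rather than ExtractFile itself — that is worth stating in the comment, e.g. `// isValidPath reports whether a tar entry name is a relative path that cannot escape an extraction root (no absolute name, no ".." segment).`

```go
// isValidPath reports whether a tar entry name is a relative path that
// cannot escape an extraction root (no absolute name, no ".." segment).
func isValidPath(filePath string) bool {
	if filePath == "" || path.IsAbs(filePath) {
		return false
	}
	cleanPath := path.Clean(filePath)
	return cleanPath != ".." && !strings.HasPrefix(cleanPath, "../")
}
```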
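Review bot: The trailing `// Set a reasonable timeout` on the ReadHeaderTimeout line explains nothing a reader does not already see; say what it guards against, e.g. `// bound header reads so a slow or idle client cannot hold a faucet connection open indefinitely (gosec G112)`, or lift `5 * time.Second` into a named constant next to the other faucet settings. ReadHeaderTimeout only covers the request headers; since the faucet listens for outside clients, `ReadTimeout` and `IdleTimeout` on the same http.Server are the natural companions, with WriteTimeout chosen according to how long the faucet handler's transaction broadcast can take — which is not visible here. runFaucetServer starts outside the hunk.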
@@ -300,7 +300,7 @@ func (p *Plugin) load(ctx context.Context) {
 p.client = hplugin.NewClient(cfg)
 } else {
 // Launch a new plugin process
- cfg.Cmd = exec.Command(p.binaryPath())
+ cfg.Cmd = exec.Command(p.binaryPath()) //nolint:gosec
 p.client = hplugin.NewClient(cfg)
 }
diff --git a/ignite/templates/typed/singleton/singleton.go b/ignite/templates/typed/singleton/singleton.go
index 11601ed959..c285309c67 100644
--- a/ignite/templates/typed/singleton/singleton.go
+++ b/ignite/templates/typed/singleton/singleton.go
@@ -1,9 +1,10 @@
 package singleton
 import (
+ "crypto/rand"
 "embed"
 "fmt"
- "math/rand"
+ "math/big"
 "path/filepath"
 "strings"
@@ -297,7 +298,11 @@ func genesisTestsModify(replacer placeholder.Replacer, opts *typed.Options) genn
 // Create a fields
 sampleFields := ""
 for _, field := range opts.Fields {
- sampleFields += field.GenesisArgs(rand.Intn(100) + 1)
+ n, err := rand.Int(rand.Reader, big.NewInt(100))
+ if err != nil {
+ return err
+ }
+ sampleFields += field.GenesisArgs(int(n.Int64()) + 1)
 }
 templateState := `%[2]v: &types.%[2]v{
@@ -336,7 +341,11 @@ func genesisTypesTestsModify(replacer placeholder.Replacer, opts *typed.Options)
 // Create a fields
 sampleFields := ""
 for _, field := range opts.Fields {
- sampleFields += field.GenesisArgs(rand.Intn(100) + 1)
+ n, err := rand.Int(rand.Reader, big.NewInt(100))
+ if err != nil {
+ return err
+ }
+ sampleFields += field.GenesisArgs(int(n.Int64()) + 1)
 }
 templateValid := `%[2]v: &types.%[2]v{
diff --git a/integration/app.go b/integration/app.go
index a6bcd90783..d52e39e991 100644
--- a/integration/app.go
+++ b/integration/app.go
@@ -282,7 +282,7 @@ func (a App) EditConfig(apply func(*chainconfig.Config)) {
 bz, err := yaml.Marshal(conf)
 require.NoError(a.env.t, err)
- err = os.WriteFile(a.configPath, bz, 0o644)
+ err = os.WriteFile(a.configPath, bz, 0o600)
 require.NoError(a.env.t, err)
 }
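Review bot: The five-line rand.Int/err/Int64 sequence is now copied verbatim into both genesisTestsModify and genesisTypesTestsModify; a small package-private helper keeps the two loops to `v, err := randomGenesisArg()`, `if err != nil { return err }`, `sampleFields += field.GenesisArgs(v)` and gives the `[1, 100]` range one place to be documented. The values only seed sample data in generated test files, so the error handling is the part worth keeping rather than the CSPRNG itself; both loops sit inside bodies that start and end outside their hunks.

```go
// randomGenesisArg returns a random value in [1, 100] used to populate
// sample genesis fields in generated tests.
func randomGenesisArg() (int, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(100))
	if err != nil {
		return 0, err
	}
	return int(n.Int64()) + 1, nil
}
```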
diff --git a/integration/plugin/testdata/example-plugin/go.mod b/integration/plugin/testdata/example-plugin/go.mod index 1cbc0ada56..25d703423a 100644 --- a/integration/plugin/testdata/example-plugin/go.mod +++ b/integration/plugin/testdata/example-plugin/go.mod @@ -22,7 +22,7 @@ require ( github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect github.com/cockroachdb/redact v1.1.5 // indirect github.com/cosmos/btcutil v1.0.5 // indirect - github.com/cosmos/cosmos-sdk v0.50.7 // indirect + github.com/cosmos/cosmos-sdk v0.50.8 // indirect github.com/cyphar/filepath-securejoin v0.2.4 // indirect github.com/emirpasic/gods v1.18.1 // indirect github.com/fatih/color v1.16.0 // indirect @@ -79,18 +79,18 @@ require ( github.com/spf13/pflag v1.0.5 // indirect github.com/xanzy/ssh-agent v0.3.3 // indirect go.etcd.io/bbolt v1.3.9 // indirect - golang.org/x/crypto v0.23.0 // indirect + golang.org/x/crypto v0.24.0 // indirect golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect golang.org/x/mod v0.17.0 // indirect - golang.org/x/net v0.25.0 // indirect + golang.org/x/net v0.26.0 // indirect golang.org/x/sync v0.7.0 // indirect - golang.org/x/sys v0.20.0 // indirect - golang.org/x/term v0.20.0 // indirect - golang.org/x/text v0.15.0 // indirect - golang.org/x/tools v0.21.0 // indirect + golang.org/x/sys v0.21.0 // indirect + golang.org/x/term v0.21.0 // indirect + golang.org/x/text v0.16.0 // indirect + golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect - google.golang.org/grpc v1.64.0 // indirect + google.golang.org/grpc v1.64.1 // indirect google.golang.org/protobuf v1.34.1 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect