GitList

Browse code

Fix gosec complaints in libnetwork

These were purposefully ignored before but this goes ahead and "fixes"
most of them.
Note that none of the things gosec flagged are problematic, just
quieting the linter here.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

Brian Goff authored on 2021/06/19 07:20:06
Showing 10 changed files

libnetwork/cmd/diagnostic/main.go index ca74146..a255b22 100644
libnetwork/drivers/bridge/setup_verify.go index 00baa64..f022e17 100644
libnetwork/drivers/overlay/encryption.go index 5527b8f..9bffba4 100644
libnetwork/drivers/overlay/peerdb.go index 6b5df0a..d0ff640 100644
libnetwork/endpoint_info.go index 0e20bd3..7c04f94 100644
libnetwork/networkdb/cluster.go index 837ec9a..b388cae 100644
libnetwork/resolver.go index 3162455..71a2f20 100644
libnetwork/resolver_unix.go index 92b1dfe..fac1c72 100644
libnetwork/sandbox_dns_unix.go index bc19aba..9bf31ca 100644
libnetwork/service_linux.go index 18516dd..08010aa 100644

libnetwork/cmd/diagnostic/main.go

History View file @ 116f200

@@ -117,7 +117,7 @@ func fetchNodePeers(ip string, port int, network string) map[string]string {
 		path = fmt.Sprintf(clusterPeers, ip, port)
 	}
 
-	resp, err := http.Get(path) // nolint:gosec
+	resp, err := http.Get(path) //nolint:gosec // G107: Potential HTTP request made with variable url
 	if err != nil {
 		logrus.WithError(err).Fatalf("Failed fetching path")
 	}

libnetwork/drivers/bridge/setup_verify.go

History View file @ 116f200

@@ -39,8 +39,9 @@ func setupVerifyAndReconcile(config *networkConfiguration, i *bridgeInterface) e
                      	// Release any residual IPv6 address that might be there because of older daemon instances
                      	for _, addrv6 := range addrsv6 {
                     +		addrv6 := addrv6
                      		if addrv6.IP.IsGlobalUnicast() && !types.CompareIPNet(addrv6.IPNet, i.bridgeIPv6) {
                     -			if err := i.nlh.AddrDel(i.Link, &addrv6); err != nil { // nolint:gosec
                     +			if err := i.nlh.AddrDel(i.Link, &addrv6); err != nil {
                      				logrus.Warnf("Failed to remove residual IPv6 address %s from bridge: %v", addrv6.IPNet, err)
+                     			}
+                     		}

libnetwork/drivers/overlay/encryption.go

History View file @ 116f200

@@ -628,8 +628,9 @@ func clearEncryptionStates() {
 		logrus.Warnf("Failed to retrieve SA list for cleanup: %v", err)
 	}
 	for _, sp := range spList {
+		sp := sp
 		if sp.Mark != nil && sp.Mark.Value == spMark.Value {
-			if err := nlh.XfrmPolicyDel(&sp); err != nil { // nolint:gosec
+			if err := nlh.XfrmPolicyDel(&sp); err != nil {
 				logrus.Warnf("Failed to delete stale SP %s: %v", sp, err)
 				continue
 			}
@@ -637,8 +638,9 @@ func clearEncryptionStates() {
 		}
 	}
 	for _, sa := range saList {
+		sa := sa
 		if sa.Reqid == r {
-			if err := nlh.XfrmStateDel(&sa); err != nil { // nolint:gosec
+			if err := nlh.XfrmStateDel(&sa); err != nil {
 				logrus.Warnf("Failed to delete stale SA %s: %v", sa, err)
 				continue
 			}

libnetwork/drivers/overlay/peerdb.go

History View file @ 116f200

@@ -131,10 +131,11 @@ func (d *driver) peerDbNetworkWalk(nid string, f func(*peerKey, *peerEntry) bool
 
 	for pKeyStr, pEntry := range mp {
 		var pKey peerKey
+		pEntry := pEntry
 		if _, err := fmt.Sscan(pKeyStr, &pKey); err != nil {
 			logrus.Warnf("Peer key scan on network %s failed: %v", nid, err)
 		}
-		if f(&pKey, &pEntry) { // nolint:gosec
+		if f(&pKey, &pEntry) {
 			return nil
 		}
 	}

libnetwork/endpoint_info.go

History View file @ 116f200

@@ -448,7 +448,8 @@ func (epj *endpointJoinInfo) UnmarshalJSON(b []byte) error {
 	}
 	var StaticRoutes []*types.StaticRoute
 	for _, r := range tStaticRoute {
-		StaticRoutes = append(StaticRoutes, &r) // nolint:gosec
+		r := r
+		StaticRoutes = append(StaticRoutes, &r)
 	}
 	epj.StaticRoutes = StaticRoutes
 

libnetwork/networkdb/cluster.go

History View file @ 116f200

@@ -244,7 +244,7 @@ func (nDB *NetworkDB) clusterLeave() error {
                      func (nDB *NetworkDB) triggerFunc(stagger time.Duration, C <-chan time.Time, f func()) {
                      	// Use a random stagger to avoid synchronizing
                     -	randStagger := time.Duration(uint64(rnd.Int63()) % uint64(stagger)) // nolint:gosec
                     +	randStagger := time.Duration(uint64(rnd.Int63()) % uint64(stagger)) //nolint:gosec // gosec complains about the use of rand here. It should be fine.
                      	select {
                      	case <-time.After(randStagger):
                      	case <-nDB.ctx.Done():

libnetwork/resolver.go

History View file @ 116f200

@@ -214,7 +214,7 @@ func setCommonFlags(msg *dns.Msg) {
                      func shuffleAddr(addr []net.IP) []net.IP {
                      	for i := len(addr) - 1; i > 0; i-- {
                     -		r := rand.Intn(i + 1) // nolint:gosec
                     +		r := rand.Intn(i + 1) // nolint:gosec // gosec complains about the use of rand here. It should be fine.
                      		addr[i], addr[r] = addr[r], addr[i]
+                     	}
                      	return addr

libnetwork/resolver_unix.go

History View file @ 116f200

@@ -49,7 +49,7 @@ func reexecSetupResolver() {
                      		logrus.Errorf("failed get network namespace %q: %v", os.Args[1], err)
                      		os.Exit(2)
+                     	}
                     -	defer f.Close() // nolint:gosec
                     +	defer f.Close() //nolint:gosec
                      	nsFD := f.Fd()
                      	if err = netns.Set(netns.NsHandle(nsFD)); err != nil {

libnetwork/sandbox_dns_unix.go

History View file @ 116f200

@@ -322,7 +322,7 @@ func (sb *sandbox) updateDNS(ipv6Enabled bool) error {
 	if err != nil {
 		return err
 	}
-	err = ioutil.WriteFile(sb.config.resolvConfPath, newRC.Content, 0644) // nolint:gosec
+	err = ioutil.WriteFile(sb.config.resolvConfPath, newRC.Content, 0644) //nolint:gosec // gosec complains about perms here, which must be 0644 in this case
 	if err != nil {
 		return err
 	}

libnetwork/service_linux.go

History View file @ 116f200

@@ -378,7 +378,7 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
+                     		}
                      		path := filepath.Join("/proc/sys/net/ipv4/conf", oifName, "route_localnet")
                     -		if err := ioutil.WriteFile(path, []byte{'1', '\n'}, 0644); err != nil { // nolint:gosec
                     +		if err := ioutil.WriteFile(path, []byte{'1', '\n'}, 0644); err != nil { //nolint:gosec // gosec complains about perms here, which must be 0644 in this case
                      			return fmt.Errorf("could not write to %s: %v", path, err)
+                     		}
@@ -542,7 +542,7 @@ func writePortsToFile(ports []*PortConfig) (string, error) {
                      	if err != nil {
                      		return "", err
+                     	}
                     -	defer f.Close() // nolint:gosec
                     +	defer f.Close() //nolint:gosec
                      	buf, _ := proto.Marshal(&EndpointRecord{
                      		IngressPorts: ports,

...	...	@@ -117,7 +117,7 @@ func fetchNodePeers(ip string, port int, network string) map[string]string {
117	117	path = fmt.Sprintf(clusterPeers, ip, port)
118	118	}
119	119
120		- resp, err := http.Get(path) // nolint:gosec
	120	+ resp, err := http.Get(path) //nolint:gosec // G107: Potential HTTP request made with variable url
121	121	if err != nil {
122	122	logrus.WithError(err).Fatalf("Failed fetching path")
123	123	}

...	...	@@ -628,8 +628,9 @@ func clearEncryptionStates() {
628	628	logrus.Warnf("Failed to retrieve SA list for cleanup: %v", err)
629	629	}
630	630	for _, sp := range spList {
	631	+ sp := sp
631	632	if sp.Mark != nil && sp.Mark.Value == spMark.Value {
632		- if err := nlh.XfrmPolicyDel(&sp); err != nil { // nolint:gosec
	633	+ if err := nlh.XfrmPolicyDel(&sp); err != nil {
633	634	logrus.Warnf("Failed to delete stale SP %s: %v", sp, err)
634	635	continue
635	636	}
...	...	@@ -637,8 +638,9 @@ func clearEncryptionStates() {
637	637	}
638	638	}
639	639	for _, sa := range saList {
	640	+ sa := sa
640	641	if sa.Reqid == r {
641		- if err := nlh.XfrmStateDel(&sa); err != nil { // nolint:gosec
	642	+ if err := nlh.XfrmStateDel(&sa); err != nil {
642	643	logrus.Warnf("Failed to delete stale SA %s: %v", sa, err)
643	644	continue
644	645	}

...	...	@@ -131,10 +131,11 @@ func (d driver) peerDbNetworkWalk(nid string, f func(peerKey, *peerEntry) bool
131	131
132	132	for pKeyStr, pEntry := range mp {
133	133	var pKey peerKey
	134	+ pEntry := pEntry
134	135	if _, err := fmt.Sscan(pKeyStr, &pKey); err != nil {
135	136	logrus.Warnf("Peer key scan on network %s failed: %v", nid, err)
136	137	}
137		- if f(&pKey, &pEntry) { // nolint:gosec
	138	+ if f(&pKey, &pEntry) {
138	139	return nil
139	140	}
140	141	}

...	...	@@ -448,7 +448,8 @@ func (epj *endpointJoinInfo) UnmarshalJSON(b []byte) error {
448	448	}
449	449	var StaticRoutes []*types.StaticRoute
450	450	for _, r := range tStaticRoute {
451		- StaticRoutes = append(StaticRoutes, &r) // nolint:gosec
	451	+ r := r
	452	+ StaticRoutes = append(StaticRoutes, &r)
452	453	}
453	454	epj.StaticRoutes = StaticRoutes
454	455

...	...	@@ -322,7 +322,7 @@ func (sb *sandbox) updateDNS(ipv6Enabled bool) error {
322	322	if err != nil {
323	323	return err
324	324	}
325		- err = ioutil.WriteFile(sb.config.resolvConfPath, newRC.Content, 0644) // nolint:gosec
	325	+ err = ioutil.WriteFile(sb.config.resolvConfPath, newRC.Content, 0644) //nolint:gosec // gosec complains about perms here, which must be 0644 in this case
326	326	if err != nil {
327	327	return err
328	328	}