Posted to commits@camel.apache.org by as...@apache.org on 2021/11/24 12:52:55 UTC
[camel-k] 07/19: fix(gosec): potential file inclusion via variable (G304)
This is an automated email from the ASF dual-hosted git repository.
astefanutti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git
commit 70b51b073515c66e2dd279a97201fa7f6ccd2352
Author: Luca Burgazzoli <lb...@gmail.com>
AuthorDate: Mon Nov 22 15:14:00 2021 +0100
fix(gosec): potential file inclusion via variable (G304)
---
.golangci.yml | 64 +++++++------------------
cmd/util/doc-gen/generators/traitdocgen.go | 6 +--
cmd/util/doc-gen/generators/traitmetadatagen.go | 3 +-
cmd/util/json-schema-gen/main.go | 5 +-
cmd/util/license-check/main.go | 6 +--
cmd/util/vfs-gen/main.go | 3 +-
pkg/builder/s2i.go | 5 +-
pkg/client/client.go | 3 +-
pkg/cmd/dump.go | 3 +-
pkg/cmd/init.go | 3 +-
pkg/cmd/run.go | 3 +-
pkg/cmd/util_content.go | 3 +-
pkg/cmd/util_sources.go | 3 +-
pkg/install/kamelets.go | 3 +-
pkg/install/secret.go | 5 +-
pkg/trait/environment.go | 2 +-
pkg/trait/openapi.go | 2 +-
pkg/util/camel/catalog.go | 3 +-
pkg/util/digest/digest.go | 5 +-
pkg/util/util.go | 23 +++++++--
20 files changed, 72 insertions(+), 81 deletions(-)
diff --git a/.golangci.yml b/.golangci.yml
index eb4e5e2..94f64cc 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -19,54 +19,22 @@ linters-settings:
lll:
line-length: 170
linters:
- disable-all: true
- enable:
- - asciicheck
- - bodyclose
- - deadcode
- - depguard
- - dogsled
- - durationcheck
- - errcheck
- - errname
- - errorlint
- - exportloopref
- - forcetypeassert
- - gocritic
- - gofmt
- - gofumpt
- - goheader
- - goimports
- - gomodguard
- - goprintffuncname
- - gosimple
- - govet
- - ifshort
- - importas
- - ineffassign
-# - lll
- - makezero
- - misspell
- - nakedret
- - nilerr
- - nolintlint
- - prealloc
- - promlinter
- - revive
- - rowserrcheck
- - sqlclosecheck
- - staticcheck
- - structcheck
- - stylecheck
- - thelper
- - tparallel
- - typecheck
- - unconvert
- - unparam
- - unused
- - varcheck
- - wastedassign
- - gosec
+ enable-all: true
+ disable:
+ - dupl
+ - forbidigo
+ - funlen
+ - gomoddirectives
+ - godox
+ - gomnd
+ - gochecknoinits
+ - gocognit
+ - godot
+ - lll
+ - nestif
+ - cyclop
+ - exhaustivestruct
+ - gochecknoglobals
issues:
exclude-rules:
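Review bot: `enable-all: true` ties the active linter set to whichever golangci-lint version runs the job, so a tool upgrade can switch on newly added linters and fail CI without any change to this file; the `disable:` list only opts out of the checkers known today. Pin the golangci-lint version where it is invoked (CI workflow or Makefile, not visible here), or keep an explicit enable list as before. Note that gosec is no longer named anywhere in this file and is active only through `enable-all`, which is what the G304 fix in this commit depends on; a one-line comment such as `# gosec and all other default-off linters are enabled via enable-all` above `enable-all: true` would make that intent visible.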
diff --git a/cmd/util/doc-gen/generators/traitdocgen.go b/cmd/util/doc-gen/generators/traitdocgen.go
index f695b69..93c20c5 100644
--- a/cmd/util/doc-gen/generators/traitdocgen.go
+++ b/cmd/util/doc-gen/generators/traitdocgen.go
@@ -19,8 +19,8 @@ package generators
import (
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io"
- "io/ioutil"
"os"
"path"
"reflect"
@@ -275,11 +275,11 @@ func split(doc []string, startMarker, endMarker string) (pre []string, post []st
}
func readFile(filename string) (file *os.File, content []string, err error) {
- if file, err = os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0o777); err != nil {
+ if file, err = util.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0o777); err != nil {
return file, content, err
}
- bytes, err := ioutil.ReadFile(filename)
+ bytes, err := util.ReadFile(filename)
if err != nil {
return file, content, err
}
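Review bot: The generated file is still created with mode `0o777` on the `util.OpenFile` line, and routing the call through the wrapper also moves it out of sight of gosec's file-permission rule for `os.OpenFile` (G302), so the permissive mode is now silenced rather than reviewed. A world-writable, executable output file is more than a doc generator needs; `if file, err = util.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0o644); err != nil {` would be the expected form. The same `0o777` with `util.OpenFile` recurs in traitmetadatagen.go, pkg/cmd/dump.go and pkg/cmd/init.go. readFile's body continues past the end of the hunk.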
diff --git a/cmd/util/doc-gen/generators/traitmetadatagen.go b/cmd/util/doc-gen/generators/traitmetadatagen.go
index 3dffe87..5358883 100644
--- a/cmd/util/doc-gen/generators/traitmetadatagen.go
+++ b/cmd/util/doc-gen/generators/traitmetadatagen.go
@@ -19,6 +19,7 @@ package generators
import (
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io"
"os"
"path"
@@ -94,7 +95,7 @@ func (g *traitMetaDataGen) Finalize(c *generator.Context, w io.Writer) error {
var file *os.File
var err error
- if file, err = os.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0o777); err != nil {
+ if file, err = util.OpenFile(filename, os.O_RDWR|os.O_CREATE, 0o777); err != nil {
return err
}
if err = file.Truncate(0); err != nil {
diff --git a/cmd/util/json-schema-gen/main.go b/cmd/util/json-schema-gen/main.go
index 8d03510..27bebd7 100644
--- a/cmd/util/json-schema-gen/main.go
+++ b/cmd/util/json-schema-gen/main.go
@@ -20,6 +20,7 @@ package main
import (
"encoding/json"
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io/ioutil"
"os"
"reflect"
@@ -122,7 +123,7 @@ func rebaseRefs(schema map[string]interface{}) {
}
func loadDslSchema(filename string) (map[string]interface{}, error) {
- bytes, err := ioutil.ReadFile(filename)
+ bytes, err := util.ReadFile(filename)
if err != nil {
return nil, err
}
@@ -134,7 +135,7 @@ func loadDslSchema(filename string) (map[string]interface{}, error) {
}
func loadCrdSchema(filename string) (*apiextensionsv1.JSONSchemaProps, error) {
- bytes, err := ioutil.ReadFile(filename)
+ bytes, err := util.ReadFile(filename)
if err != nil {
return nil, err
}
diff --git a/cmd/util/license-check/main.go b/cmd/util/license-check/main.go
index bcf5960..ae94655 100644
--- a/cmd/util/license-check/main.go
+++ b/cmd/util/license-check/main.go
@@ -19,7 +19,7 @@ package main
import (
"fmt"
- "io/ioutil"
+ "github.com/apache/camel-k/pkg/util"
"os"
"strings"
)
@@ -33,14 +33,14 @@ func main() {
fileName := os.Args[1]
licenseName := os.Args[2]
- fileBin, err := ioutil.ReadFile(fileName)
+ fileBin, err := util.ReadFile(fileName)
if err != nil {
os.Stderr.WriteString(fmt.Sprintf("cannot read file %s: %v\n", fileName, err))
os.Exit(1)
}
file := string(fileBin)
- licenseBin, err := ioutil.ReadFile(licenseName)
+ licenseBin, err := util.ReadFile(licenseName)
if err != nil {
os.Stderr.WriteString(fmt.Sprintf("cannot read file %s: %v\n", licenseName, err))
os.Exit(1)
diff --git a/cmd/util/vfs-gen/main.go b/cmd/util/vfs-gen/main.go
index 3a01401..89b9cd8 100644
--- a/cmd/util/vfs-gen/main.go
+++ b/cmd/util/vfs-gen/main.go
@@ -20,6 +20,7 @@ package main
import (
"flag"
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io/ioutil"
"log"
"net/http"
@@ -139,7 +140,7 @@ limitations under the License.
*/
`
- content, err := ioutil.ReadFile(resourceFile)
+ content, err := util.ReadFile(resourceFile)
if err != nil {
log.Fatalln(err)
}
diff --git a/pkg/builder/s2i.go b/pkg/builder/s2i.go
index 00a6fdf..42669a7 100644
--- a/pkg/builder/s2i.go
+++ b/pkg/builder/s2i.go
@@ -22,6 +22,7 @@ import (
"compress/gzip"
"context"
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io"
"io/ioutil"
"os"
@@ -171,7 +172,7 @@ func (t *s2iTask) Do(ctx context.Context) v1.BuildStatus {
return status.Failed(errors.Wrap(err, "cannot tar context directory"))
}
- resource, err := ioutil.ReadFile(archive)
+ resource, err := util.ReadFile(archive)
if err != nil {
return status.Failed(errors.Wrap(err, "cannot read tar file "+archive))
}
@@ -321,7 +322,7 @@ func tarDir(src string, writers ...io.Writer) error {
return err
}
- f, err := os.Open(file)
+ f, err := util.Open(file)
if err != nil {
return err
}
diff --git a/pkg/client/client.go b/pkg/client/client.go
index f38f43a..f806266 100644
--- a/pkg/client/client.go
+++ b/pkg/client/client.go
@@ -19,6 +19,7 @@ package client
import (
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io/ioutil"
"os"
"path/filepath"
@@ -231,7 +232,7 @@ func GetCurrentNamespace(kubeconfig string) (string, error) {
return "default", nil
}
- data, err := ioutil.ReadFile(kubeconfig)
+ data, err := util.ReadFile(kubeconfig)
if err != nil {
return "", err
}
diff --git a/pkg/cmd/dump.go b/pkg/cmd/dump.go
index 9ffba00..fcdc6da 100644
--- a/pkg/cmd/dump.go
+++ b/pkg/cmd/dump.go
@@ -21,6 +21,7 @@ import (
"bufio"
"context"
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io"
"os"
@@ -61,7 +62,7 @@ func (o *dumpCmdOptions) dump(cmd *cobra.Command, args []string) error {
}
if len(args) == 1 {
fileName := args[0]
- writer, err := os.OpenFile(fileName, os.O_RDWR|os.O_CREATE, 0o777)
+ writer, err := util.OpenFile(fileName, os.O_RDWR|os.O_CREATE, 0o777)
if err != nil {
return err
}
diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
index 7c48947..0b30b0b 100644
--- a/pkg/cmd/init.go
+++ b/pkg/cmd/init.go
@@ -19,6 +19,7 @@ package cmd
import (
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"os"
"path/filepath"
"strings"
@@ -98,7 +99,7 @@ func (o *initCmdOptions) writeFromTemplate(language v1.Language, fileName string
if err != nil {
return err
}
- out, err := os.OpenFile(fileName, os.O_RDWR|os.O_CREATE, 0o777)
+ out, err := util.OpenFile(fileName, os.O_RDWR|os.O_CREATE, 0o777)
if err != nil {
return err
}
diff --git a/pkg/cmd/run.go b/pkg/cmd/run.go
index 1d9063e..261c530 100644
--- a/pkg/cmd/run.go
+++ b/pkg/cmd/run.go
@@ -21,7 +21,6 @@ import (
"context"
"encoding/json"
"fmt"
- "io/ioutil"
"os"
"os/signal"
"path"
@@ -754,7 +753,7 @@ func (o *runCmdOptions) configureTraits(integration *v1.Integration, options []s
}
func loadPropertyFile(fileName string) (*properties.Properties, error) {
- file, err := ioutil.ReadFile(fileName)
+ file, err := util.ReadFile(fileName)
if err != nil {
return nil, err
}
diff --git a/pkg/cmd/util_content.go b/pkg/cmd/util_content.go
index 84edd4c..9611ae1 100644
--- a/pkg/cmd/util_content.go
+++ b/pkg/cmd/util_content.go
@@ -19,6 +19,7 @@ package cmd
import (
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io/ioutil"
"net/http"
"net/url"
@@ -50,7 +51,7 @@ func loadRawContent(source string) ([]byte, string, error) {
}
if ok {
- content, err = ioutil.ReadFile(source)
+ content, err = util.ReadFile(source)
} else {
var u *url.URL
u, err = url.Parse(source)
diff --git a/pkg/cmd/util_sources.go b/pkg/cmd/util_sources.go
index 3be66de..fc9e624 100644
--- a/pkg/cmd/util_sources.go
+++ b/pkg/cmd/util_sources.go
@@ -20,7 +20,6 @@ package cmd
import (
"context"
"fmt"
- "io/ioutil"
"net/http"
"net/url"
"os"
@@ -206,7 +205,7 @@ func ResolveLocalSource(location string, compress bool) (Source, error) {
Local: true,
}
- content, err := ioutil.ReadFile(location)
+ content, err := util.ReadFile(location)
if err != nil {
return Source{}, err
}
diff --git a/pkg/install/kamelets.go b/pkg/install/kamelets.go
index a8a4dfe..2641003 100644
--- a/pkg/install/kamelets.go
+++ b/pkg/install/kamelets.go
@@ -20,6 +20,7 @@ package install
import (
"context"
"fmt"
+ "github.com/apache/camel-k/pkg/util"
"io/ioutil"
"os"
"path"
@@ -66,7 +67,7 @@ func KameletCatalog(ctx context.Context, c client.Client, namespace string) erro
continue
}
- content, err := ioutil.ReadFile(path.Join(kameletDir, file.Name()))
+ content, err := util.ReadFile(path.Join(kameletDir, file.Name()))
if err != nil {
return err
}
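Review bot: `path.Join(kameletDir, file.Name())` on the changed line builds an OS filesystem path with the slash-only `path` package; `filepath.Join` is the right call for paths handed to the filesystem, and since `filepath.Join` already Cleans its result, the `filepath.Clean` inside `util.ReadFile` would then be a confirmation rather than the only normalization step. Suggested: `content, err := util.ReadFile(filepath.Join(kameletDir, file.Name()))`, with `"path/filepath"` added to the import block (the file currently imports `"path"`, per the first hunk). The same pattern appears in the pkg/util/camel/catalog.go hunk (`path.Join(tmpDir, "catalog.yaml")`). KameletCatalog continues outside the hunk.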
diff --git a/pkg/install/secret.go b/pkg/install/secret.go
index 6d403bf..016b336 100644
--- a/pkg/install/secret.go
+++ b/pkg/install/secret.go
@@ -19,8 +19,7 @@ package install
import (
"context"
- "io/ioutil"
-
+ "github.com/apache/camel-k/pkg/util"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -43,7 +42,7 @@ func RegistrySecretOrCollect(ctx context.Context, c client.Client, namespace str
// RegistrySecretFromFileOrCollect generates a secret from a docker-config.json file and creates it on the cluster (or appends it to the collection)
func RegistrySecretFromFileOrCollect(ctx context.Context, c client.Client, namespace string, file string, collection *kubernetes.Collection, force bool) (string, error) {
- secretData, err := ioutil.ReadFile(file)
+ secretData, err := util.ReadFile(file)
if err != nil {
return "", err
}
diff --git a/pkg/trait/environment.go b/pkg/trait/environment.go
index b4ebfa8..ead510f 100644
--- a/pkg/trait/environment.go
+++ b/pkg/trait/environment.go
@@ -48,7 +48,7 @@ const (
// pkg/trait/environment.go:41: G101: Potential hardcoded credentials (gosec)
// envVarMountPathSecrets = "CAMEL_K_MOUNT_PATH_SECRETS"
//
- // nolint: gosec
+ // #nosec G101
envVarMountPathSecrets = "CAMEL_K_MOUNT_PATH_SECRETS"
)
diff --git a/pkg/trait/openapi.go b/pkg/trait/openapi.go
index 1048f30..6a7a9ed 100644
--- a/pkg/trait/openapi.go
+++ b/pkg/trait/openapi.go
@@ -239,7 +239,7 @@ func (t *openAPITrait) createNewOpenAPIConfigMap(e *Environment, resource v1.Res
return err
}
- content, err = ioutil.ReadFile(out)
+ content, err = util.ReadFile(out)
if err != nil {
return err
}
diff --git a/pkg/util/camel/catalog.go b/pkg/util/camel/catalog.go
index 97c71a4..81dac2e 100644
--- a/pkg/util/camel/catalog.go
+++ b/pkg/util/camel/catalog.go
@@ -19,6 +19,7 @@ package camel
import (
"context"
+ "github.com/apache/camel-k/pkg/util"
"io/ioutil"
"os"
"path"
@@ -137,7 +138,7 @@ func GenerateCatalogCommon(
return nil, err
}
- content, err := ioutil.ReadFile(path.Join(tmpDir, "catalog.yaml"))
+ content, err := util.ReadFile(path.Join(tmpDir, "catalog.yaml"))
if err != nil {
return nil, err
}
diff --git a/pkg/util/digest/digest.go b/pkg/util/digest/digest.go
index 6b2bf59..f364b5c 100644
--- a/pkg/util/digest/digest.go
+++ b/pkg/util/digest/digest.go
@@ -25,7 +25,6 @@ import (
"encoding/json"
"fmt"
"io"
- "os"
"path"
"sort"
"strconv"
@@ -263,13 +262,13 @@ func sortedTraitAnnotationsKeys(it *v1.Integration) []string {
func ComputeSHA1(elem ...string) (string, error) {
file := path.Join(elem...)
- f, err := os.Open(file)
+ f, err := util.Open(file)
if err != nil {
return "", err
}
defer f.Close()
- // nolint: gosec
+ // #nosec G401
h := sha1.New()
if _, err := io.Copy(h, f); err != nil {
return "", err
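Review bot: The `// #nosec G401` on `sha1.New()` suppresses the weak-hash finding without recording why SHA-1 is acceptable here, which is exactly what a later reader or auditor needs to see next to a suppression. ComputeSHA1 looks like it produces a content digest rather than a security-critical hash, but the hunk does not show its callers, so record the justification with the marker: `// #nosec G401 -- SHA-1 is used only as a content fingerprint for change detection, not for integrity against an adversary (confirm against callers)`. The import hunk for this file only removes `"os"` and does not show `util` being added, so the new `util.Open` call presumably relies on an import that already exists outside the hunk. ComputeSHA1's body continues past the end of the hunk.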
diff --git a/pkg/util/util.go b/pkg/util/util.go
index 274ef2d..4d10edc 100644
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@@ -26,6 +26,7 @@ import (
"io/ioutil"
"os"
"path"
+ "path/filepath"
"regexp"
"sort"
"strings"
@@ -217,7 +218,7 @@ func CopyFile(src, dst string) (int64, error) {
return 0, fmt.Errorf("%s is not a regular file", src)
}
- source, err := os.Open(src)
+ source, err := Open(src)
if err != nil {
return 0, err
}
@@ -228,7 +229,7 @@ func CopyFile(src, dst string) (int64, error) {
return 0, err
}
- destination, err := os.OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, stat.Mode())
+ destination, err := OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, stat.Mode())
if err != nil {
return 0, err
}
@@ -320,7 +321,7 @@ func DirectoryExists(directory string) (bool, error) {
}
func DirectoryEmpty(directory string) (bool, error) {
- f, err := os.Open(directory)
+ f, err := Open(directory)
if err != nil {
return false, err
}
@@ -761,3 +762,19 @@ func CopyAppFile(localDependenciesDirectory string, localAppDirectory string) er
return nil
}
+
+// Open a safe wrapper of os.Open.
+func Open(name string) (*os.File, error) {
+ return os.Open(filepath.Clean(name))
+}
+
+// OpenFile a safe wrapper of os.OpenFile.
+func OpenFile(name string, flag int, perm os.FileMode) (*os.File, error) {
+ // #nosec G304
+ return os.OpenFile(filepath.Clean(name), flag, perm)
+}
+
+// ReadFile a safe wrapper of os.ReadFile.
+func ReadFile(filename string) ([]byte, error) {
+ return os.ReadFile(filepath.Clean(filename))
+}
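Review bot: `filepath.Clean` only normalizes a path lexically — `../../etc/passwd` and any absolute path come out unchanged — so these wrappers do not make an untrusted filename safe; they satisfy gosec's G304 check, which appears to treat Clean as a sanitizer, without confining the path to any directory. The doc comments `// Open a safe wrapper of os.Open.` therefore overstate what the code does and do not follow the `// Name is …` form; suggested: `// Open is os.Open applied to filepath.Clean(name). Clean normalizes the path but does not confine it to a base directory, so callers that accept paths from untrusted input must validate them before calling.`, with the matching sentence on OpenFile and ReadFile. The `// #nosec G304` marker appears only on OpenFile; either all three wrappers need it or none does, and the reason for the asymmetry belongs in the comment.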