Fixed issues from gosec

uniget-org · Nov 7, 2023 · 324d03a · 324d03a
1 parent 51af88f
commit 324d03a
Show file tree

Hide file tree

Showing 8 changed files with 24 additions and 18 deletions.
diff --git a/cmd/uniget/cron.go b/cmd/uniget/cron.go
@@ -75,14 +75,14 @@ func createCron() error {
 
 	// Write cronUpdateScript to /etc/cron.daily/uniget-update
 	updateScript := []byte(cronUpdateScript)
-	err = os.WriteFile(fmt.Sprintf("%s/uniget-update", cronDailyPath), updateScript, 0755)
+	err = os.WriteFile(fmt.Sprintf("%s/uniget-update", cronDailyPath), updateScript, 0755) // #nosec G306 -- File must be executable
 	if err != nil {
 		return fmt.Errorf("cannot write cron update script: %w", err)
 	}
 
 	// Write cronUpgradeScript to /etc/cron.weekly/uniget-upgrade
 	upgradeScript := []byte(cronUpgradeScript)
-	err = os.WriteFile(fmt.Sprintf("%s/uniget-upgrade", cronWeeklyPath), upgradeScript, 0755)
+	err = os.WriteFile(fmt.Sprintf("%s/uniget-upgrade", cronWeeklyPath), upgradeScript, 0755) // #nosec G306 -- File must be executable
 	if err != nil {
 		return fmt.Errorf("cannot write cron upgrade script: %w", err)
 	}

diff --git a/cmd/uniget/install.go b/cmd/uniget/install.go
@@ -80,7 +80,7 @@ var installCmd = &cobra.Command{
 
 		} else if filename != "" {
 			logging.Debug.Printfln("Adding tools from file %s to requested tools", filename)
-			data, err := os.ReadFile(filename)
+			data, err := os.ReadFile(filename) // #nosec G304 -- Accept file from arbitrary location
 			if err != nil {
 				return fmt.Errorf("unable to read file %s: %s", filename, err)
 			}

diff --git a/cmd/uniget/main.go b/cmd/uniget/main.go
@@ -90,7 +90,7 @@ func assertWritableTarget() {
 
 func assertDirectory(directory string) {
 	logging.Debug.Printfln("Creating directory %s", directory)
-	err := os.MkdirAll(directory, 0755)
+	err := os.MkdirAll(directory, 0755) // #nosec G301 -- Directories will contain public information
 	if err != nil {
 		logging.Error.Printfln("Error creating directory %s: %s", directory, err)
 		os.Exit(1)

diff --git a/cmd/uniget/postinstall.go b/cmd/uniget/postinstall.go
@@ -63,7 +63,7 @@ func postinstall() error {
 			logging.Info.Printfln("Running post_install script %s", file.Name())
 
 			logging.Debug.Printfln("Running pre_install script %s", "/"+libDirectory+"/pre_install/"+file.Name())
-			cmd := exec.Command("/bin/bash", "/"+libDirectory+"/post_install/"+file.Name())
+			cmd := exec.Command("/bin/bash", "/"+libDirectory+"/post_install/"+file.Name()) // #nosec G204 -- Tool images are a trusted source
 			cmd.Env = append(os.Environ(),
 				"prefix=",
 				"target=/"+target,
@@ -87,21 +87,21 @@ func postinstall() error {
 	// Add shim for profile.d
 	profileDScript := strings.Replace(postinstallProfileDScript, "${target}", "/"+target, -1)
 	err := os.WriteFile(
-		prefix + "/etc/profile.d/uniget-profile.d.sh",
+		prefix+"/etc/profile.d/uniget-profile.d.sh",
 		[]byte(profileDScript),
 		0644,
-	)
+	) // #nosec G306 -- File must be executable
 	if err != nil {
 		return fmt.Errorf("cannot write profile.d shim: %w", err)
 	}
 
 	// Add shim for completion
 	completionScript := strings.Replace(postinstallCompletionScript, "${target}", "/"+target, -1)
 	err = os.WriteFile(
-		prefix + "/etc/profile.d/uniget-completion.sh",
+		prefix+"/etc/profile.d/uniget-completion.sh",
 		[]byte(completionScript),
 		0644,
-	)
+	) // #nosec G306 -- File must be executable
 	if err != nil {
 		return fmt.Errorf("cannot write completion shim: %w", err)
 	}

diff --git a/pkg/archive/new.go b/pkg/archive/new.go
@@ -76,7 +76,7 @@ func ExtractTarGz(gzipStream io.Reader) error {
 			log.Tracef("Creating directory %s\n", header.Name)
 			_, err := os.Stat(header.Name)
 			if err != nil {
-				err := os.Mkdir(header.Name, 0755)
+				err := os.Mkdir(header.Name, 0755) // #nosec G301 -- Tools must be world readable
 				if err != nil {
 					return fmt.Errorf("ExtractTarGz: Mkdir() failed: %s", err.Error())
 				}
@@ -90,13 +90,16 @@ func ExtractTarGz(gzipStream io.Reader) error {
 			}
 			if _, err := io.Copy(outFile, tarReader); err != nil {
 				return fmt.Errorf("ExtractTarGz: Copy() failed: %s", err.Error())
-			}
+			} // #nosec G110 -- Tool images are a trusted source
 			mode := os.FileMode(header.Mode)
 			err = outFile.Chmod(mode)
 			if err != nil {
 				return fmt.Errorf("ExtractTarGz: Chmod() failed: %s", err.Error())
 			}
-			outFile.Close()
+			err = outFile.Close()
+			if err != nil {
+				return fmt.Errorf("ExtractTarGz: Failed to close %s: %s", header.Name, err.Error())
+			}
 
 		case tar.TypeSymlink:
 			log.Tracef("Untarring symlink %s\n", header.Name)
@@ -109,7 +112,7 @@ func ExtractTarGz(gzipStream io.Reader) error {
 
 				absHeaderLinkname := header.Linkname
 				if !filepath.IsAbs(header.Linkname) {
-					absHeaderLinkname = filepath.Join(filepath.Dir(header.Name), header.Linkname)
+					absHeaderLinkname = filepath.Join(filepath.Dir(header.Name), header.Linkname) // #nosec G305 -- Following code prevents traversal
 				}
 				log.Tracef("Absolute symlink target is %s\n", absHeaderLinkname)
 				err = pathIsInsideTarget(target, absHeaderLinkname)
@@ -136,7 +139,10 @@ func ExtractTarGz(gzipStream io.Reader) error {
 			}
 			if os.IsNotExist(err) {
 				log.Debugf("Target of link %s does not exist\n", header.Name)
-				os.Remove(header.Name)
+				err = os.Remove(header.Name)
+				if err != nil {
+					return fmt.Errorf("ExtractTarGz: Remove() failed for TypeLink: %s", err.Error())
+				}
 
 				err = os.Link(header.Linkname, header.Name)
 				if err != nil {

diff --git a/pkg/os/distribution.go b/pkg/os/distribution.go
@@ -9,7 +9,7 @@ import (
 )
 
 func GetOsVendor(prefix string) (string, error) {
-	f, err := os.Open(prefix + "/etc/os-release")
+	f, err := os.Open(prefix + "/etc/os-release") // #nosec G304 -- Prefix is the subdir uniget operates on
 	if err != nil {
 		return "", fmt.Errorf("cannot read /etc/os-release: %w", err)
 	}

diff --git a/pkg/tool/load.go b/pkg/tool/load.go
@@ -7,7 +7,7 @@ import (
 )
 
 func LoadFromFile(filename string) (Tools, error) {
-	data, err := os.ReadFile(filename)
+	data, err := os.ReadFile(filename) // #nosec G304 -- filename is built when LoadFromFile is called
 	if err != nil {
 		return Tools{}, fmt.Errorf("error loading file contents: %s", err)
 	}

diff --git a/pkg/tool/tool.go b/pkg/tool/tool.go
@@ -161,7 +161,7 @@ func (tool *Tool) GetMarkerFileStatus(markerFileDirectory string) error {
 func (tool *Tool) CreateMarkerFile(markerFileDirectory string) error {
 	log.Tracef("Creating marker file for %s", tool.Name)
 
-	err := os.MkdirAll(fmt.Sprintf("%s/%s", markerFileDirectory, tool.Name), 0755)
+	err := os.MkdirAll(fmt.Sprintf("%s/%s", markerFileDirectory, tool.Name), 0755) // #nosec G301 -- Public information
 	if err != nil {
 		return fmt.Errorf("unable to create marker file directory for %s: %s", tool.Name, err)
 	}
@@ -189,7 +189,7 @@ func (tool *Tool) RemoveMarkerFile(markerFileDirectory string) error {
 
 func (tool *Tool) RunVersionCheck() (string, error) {
 	log.Tracef("Running version check for %s: %s", tool.Name, tool.Check)
-	cmd := exec.Command("/bin/bash", "-c", tool.Check+" | tr -d '\n'")
+	cmd := exec.Command("/bin/bash", "-c", tool.Check+" | tr -d '\n'") // #nosec G204 -- Tool images are a trusted source
 	version, err := cmd.Output()
 	if err != nil {
 		return "", fmt.Errorf("unable to execute version check (%s): %s", tool.Check, err)