From 97879670c17988743d06a7ccb5794ecf77dea9c6 Mon Sep 17 00:00:00 2001 From: Shane C Date: Fri, 13 Sep 2024 17:10:47 -0400 Subject: [PATCH] fix gosec issues --- cmd/daemon.go | 69 +++++++++++++++++++++++++++------------------------ 1 file changed, 36 insertions(+), 33 deletions(-) diff --git a/cmd/daemon.go b/cmd/daemon.go index d09e9c4..f6702ef 100644 --- a/cmd/daemon.go +++ b/cmd/daemon.go @@ -62,22 +62,6 @@ jobs: uses: {{.ServerURL}}/actions/goscan@main ` -type OpenPGPEntity struct { - *openpgp.Entity -} - -func (e *OpenPGPEntity) Sign(message io.Reader) ([]byte, error) { - - signatureBuffer := bytes.NewBuffer(nil) - if err := openpgp.DetachSignText(signatureBuffer, e.Entity, message, nil); err != nil { - return nil, err - } - - return signatureBuffer.Bytes(), nil -} - -// Sign(message io.Reader) ([]byte, error) - // daemonCmd represents the daemon command var daemonCmd = &cobra.Command{ Use: "daemon", @@ -100,7 +84,7 @@ var daemonCmd = &cobra.Command{ DefaultCipher: packet.CipherAES256, } - var pgpEntity OpenPGPEntity + var pgpEntity *openpgp.Entity if _, err := os.Stat(os.Getenv("HOME") + "/keyring.pgp"); err != nil { if errors.Is(err, fs.ErrNotExist) { @@ -114,14 +98,22 @@ var daemonCmd = &cobra.Command{ if err != nil { log.Fatal(err) } - defer publicKeyEncoder.Close() + defer func(publicKeyEncoder io.WriteCloser) { + err := publicKeyEncoder.Close() + if err != nil { + panic(err) + } + }(publicKeyEncoder) err = entity.Serialize(publicKeyEncoder) if err != nil { log.Fatal(err) } - publicKeyEncoder.Close() + err = publicKeyEncoder.Close() + if err != nil { + log.Fatal(err) + } publicKeyArmor := publicKeyBuffer.String() file, err := os.OpenFile("keyring.pgp", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) @@ -129,7 +121,10 @@ var daemonCmd = &cobra.Command{ log.Fatal(err) } err = entity.SerializePrivate(file, conf) - file.Close() + err = file.Close() + if err != nil { + log.Fatal(err) + } token, _, err := forgeClient.GetGPGToken() if err != nil { @@ -146,9 +141,21 @@ var daemonCmd = &cobra.Command{ if err != nil { log.Fatal(err) } - defer signatureEncoder.Close() - signatureEncoder.Write(signatureBuffer.Bytes()) - signatureEncoder.Close() + defer func(signatureEncoder io.WriteCloser) { + err := signatureEncoder.Close() + if err != nil { + panic(err) + } + }(signatureEncoder) + + if _, err := signatureEncoder.Write(signatureBuffer.Bytes()); err != nil { + log.Fatal(err) + } + + err = signatureEncoder.Close() + if err != nil { + log.Fatal(err) + } if _, _, err := forgeClient.CreateGPGKey(forgejo.CreateGPGKeyOption{ ArmoredKey: publicKeyArmor, @@ -156,9 +163,7 @@ var daemonCmd = &cobra.Command{ }); err != nil { log.Fatal(err) } - pgpEntity = OpenPGPEntity{ - Entity: entity, - } + pgpEntity = entity } else { log.Fatal(err) } @@ -177,9 +182,7 @@ var daemonCmd = &cobra.Command{ log.Fatal("invalid keyring") } - pgpEntity = OpenPGPEntity{ - Entity: el[0], - } + pgpEntity = el[0] } appConfig := fiber.Config{ @@ -297,7 +300,7 @@ func handlePush(c *fiber.Ctx, forgeClient *forgejo.Client, event *interfaces.For return c.SendStatus(fiber.StatusOK) } -func handleIssues(c *fiber.Ctx, forgeClient *forgejo.Client, event *interfaces.ForgejoIssueEvent, entity OpenPGPEntity, user *forgejo.User) error { +func handleIssues(c *fiber.Ctx, forgeClient *forgejo.Client, event *interfaces.ForgejoIssueEvent, entity *openpgp.Entity, user *forgejo.User) error { if event.Action == "opened" && event.Issue.Title == "setup:goscan" { if _, err := forgeClient.CreateRepoActionSecret(event.Issue.Repo.Owner, event.Issue.Repo.Name, forgejo.CreateSecretOption{ Name: "goscan_token", @@ -346,7 +349,7 @@ func handleIssues(c *fiber.Ctx, forgeClient *forgejo.Client, event *interfaces.F return c.SendStatus(fiber.StatusInternalServerError) } - if err := os.MkdirAll(gitDir+"/.forgejo/workflows", 0775); err != nil { + if err := os.MkdirAll(gitDir+"/.forgejo/workflows", 0775); /* #nosec G301 */ err != nil { log.Error(err) return c.SendStatus(fiber.StatusInternalServerError) } @@ -375,7 +378,7 @@ func handleIssues(c *fiber.Ctx, forgeClient *forgejo.Client, event *interfaces.F return c.SendStatus(fiber.StatusInternalServerError) } - if err := os.WriteFile(gitDir+"/.forgejo/workflows/gosec.yml", []byte(tmplBuffer.String()), 0666); err != nil { + if err := os.WriteFile(gitDir+"/.forgejo/workflows/gosec.yml", []byte(tmplBuffer.String()), 0666); /* #nosec G306 */ err != nil { log.Error(err) return c.SendStatus(fiber.StatusInternalServerError) } @@ -392,7 +395,7 @@ func handleIssues(c *fiber.Ctx, forgeClient *forgejo.Client, event *interfaces.F } if _, err := worktree.Commit("Add GoScan action", &git.CommitOptions{ - SignKey: entity.Entity, + SignKey: entity, Author: signature, Committer: signature, }); err != nil {