cleanup: address gosec warnings
gosec warns about security problems by scanning the Go AST. Issues Reported: G101 (CWE-798): Potential hardcoded credentials (Confidence: LOW, Severity: HIGH) G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM) G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM) Signed-off-by: Yug <yuggupta27@gmail.com>
parent
48fa43270f
commit
e73fe64a0d
11
e2e/utils.go
11
e2e/utils.go
@ -31,17 +31,18 @@ import (
|
|||||||
testutils "k8s.io/kubernetes/test/utils"
|
testutils "k8s.io/kubernetes/test/utils"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
/* #nosec:G101, values not credententials, just a reference to the location.*/
|
||||||
const (
|
const (
|
||||||
defaultNs = "default"
|
defaultNs = "default"
|
||||||
vaultSecretNs = "/secret/ceph-csi/" // nolint: gosec
|
vaultSecretNs = "/secret/ceph-csi/"
|
||||||
|
|
||||||
// rook created cephfs user
|
// rook created cephfs user
|
||||||
cephfsNodePluginSecretName = "rook-csi-cephfs-node" // nolint: gosec
|
cephfsNodePluginSecretName = "rook-csi-cephfs-node"
|
||||||
cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner" // nolint: gosec
|
cephfsProvisionerSecretName = "rook-csi-cephfs-provisioner"
|
||||||
|
|
||||||
// rook created rbd user
|
// rook created rbd user
|
||||||
rbdNodePluginSecretName = "rook-csi-rbd-node" // nolint: gosec
|
rbdNodePluginSecretName = "rook-csi-rbd-node"
|
||||||
rbdProvisionerSecretName = "rook-csi-rbd-provisioner" // nolint: gosec
|
rbdProvisionerSecretName = "rook-csi-rbd-provisioner"
|
||||||
|
|
||||||
rookTolBoxPodLabel = "app=rook-ceph-tools"
|
rookTolBoxPodLabel = "app=rook-ceph-tools"
|
||||||
rbdmountOptions = "mountOptions"
|
rbdmountOptions = "mountOptions"
|
||||||
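Review bot: The `#nosec:G101` block comment added above `const (` is attached to the whole declaration rather than to the secret-related constants that triggered the warning, so it presumably silences G101 for every constant in the group, including any real credential added to this block later. Keeping the suppression on the individual lines narrows it, e.g. `vaultSecretNs = "/secret/ceph-csi/" // #nosec:G101, path to the secret, not a credential`, and likewise for the four `*SecretName` constants. The comment also misspells "credentials" as "credententials". The const block continues past the end of the hunk.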
|
@ -34,7 +34,7 @@ type volumeID string
|
|||||||
|
|
||||||
func execCommand(ctx context.Context, program string, args ...string) (stdout, stderr []byte, err error) {
|
func execCommand(ctx context.Context, program string, args ...string) (stdout, stderr []byte, err error) {
|
||||||
var (
|
var (
|
||||||
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
|
cmd = exec.Command(program, args...) // #nosec:G204, not called with user specified parameters.
|
||||||
sanitizedArgs = util.StripSecretInArgs(args)
|
sanitizedArgs = util.StripSecretInArgs(args)
|
||||||
stdoutBuf bytes.Buffer
|
stdoutBuf bytes.Buffer
|
||||||
stderrBuf bytes.Buffer
|
stderrBuf bytes.Buffer
|
||||||
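Review bot: `execCommand` takes a `ctx`, but the process is started with `exec.Command`, so as far as this hunk shows cancelling the context cannot stop the child; if cancellation is intended, `cmd = exec.CommandContext(ctx, program, args...)` would honour it. The new `#nosec:G204` justification ("not called with user specified parameters") describes the callers rather than this function, so the requirement is worth repeating above the signature, e.g. `// execCommand must not be called with a user-specified program or args.` The function body continues outside the hunk, so `ctx` may be used there for other purposes such as logging.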
|
@ -33,7 +33,7 @@ const InvalidPoolID int64 = -1
|
|||||||
// ExecCommand executes passed in program with args and returns separate stdout and stderr streams.
|
// ExecCommand executes passed in program with args and returns separate stdout and stderr streams.
|
||||||
func ExecCommand(program string, args ...string) (stdout, stderr []byte, err error) {
|
func ExecCommand(program string, args ...string) (stdout, stderr []byte, err error) {
|
||||||
var (
|
var (
|
||||||
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
|
cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
|
||||||
sanitizedArgs = StripSecretInArgs(args)
|
sanitizedArgs = StripSecretInArgs(args)
|
||||||
stdoutBuf bytes.Buffer
|
stdoutBuf bytes.Buffer
|
||||||
stderrBuf bytes.Buffer
|
stderrBuf bytes.Buffer
|
||||||
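Review bot: The justification `commands executing not vulnerable` on the `exec.Command` line does not say why G204 is safe to ignore, and `ExecCommand` is exported and runs whatever `program` it is given. The doc comment should carry the precondition, e.g. `// Callers must pass a fixed program name and must not build args from untrusted input.`, so that the suppression rests on a documented contract. The same wording is used in `execCryptsetupCommand`, where `program` is the literal `"cryptsetup"` and only `args` vary; the comment there could say exactly that. Both function bodies continue outside their hunks.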
|
@ -96,7 +96,7 @@ func (cp *ConnPool) Destroy() {
|
|||||||
|
|
||||||
func (cp *ConnPool) generateUniqueKey(monitors, user, keyfile string) (string, error) {
|
func (cp *ConnPool) generateUniqueKey(monitors, user, keyfile string) (string, error) {
|
||||||
// the keyfile can be unique for operations, contents will be the same
|
// the keyfile can be unique for operations, contents will be the same
|
||||||
key, err := ioutil.ReadFile(keyfile) // nolint: gosec, #nosec
|
key, err := ioutil.ReadFile(keyfile) // #nosec:G304, file inclusion via variable.
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", fmt.Errorf("could not open keyfile %s: %w", keyfile, err)
|
return "", fmt.Errorf("could not open keyfile %s: %w", keyfile, err)
|
||||||
}
|
}
|
||||||
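Review bot: The new comment on `ioutil.ReadFile(keyfile)` (`#nosec:G304, file inclusion via variable.`) restates the warning instead of explaining why it is acceptable. Someone auditing suppressions needs to know where `keyfile` comes from; something like `// #nosec:G304, keyfile is a path created by the caller, not user input.` would do, provided that is true of every caller of `generateUniqueKey`. The function body continues outside the hunk, so the origin of the path cannot be confirmed from here.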
|
@ -46,7 +46,7 @@ func LuksStatus(mapperFile string) (stdout, stderr []byte, err error) {
|
|||||||
func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {
|
func execCryptsetupCommand(stdin *string, args ...string) (stdout, stderr []byte, err error) {
|
||||||
var (
|
var (
|
||||||
program = "cryptsetup"
|
program = "cryptsetup"
|
||||||
cmd = exec.Command(program, args...) // nolint: gosec, #nosec
|
cmd = exec.Command(program, args...) // #nosec:G204, commands executing not vulnerable.
|
||||||
sanitizedArgs = StripSecretInArgs(args)
|
sanitizedArgs = StripSecretInArgs(args)
|
||||||
stdoutBuf bytes.Buffer
|
stdoutBuf bytes.Buffer
|
||||||
stderrBuf bytes.Buffer
|
stderrBuf bytes.Buffer
|
||||||
|
@ -53,7 +53,7 @@ func TestCSIConfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
data = ""
|
data = ""
|
||||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Test setup error %s", err)
|
t.Errorf("Test setup error %s", err)
|
||||||
}
|
}
|
||||||
@ -65,7 +65,7 @@ func TestCSIConfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
data = "[{\"clusterIDBad\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
data = "[{\"clusterIDBad\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
||||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Test setup error %s", err)
|
t.Errorf("Test setup error %s", err)
|
||||||
}
|
}
|
||||||
@ -77,7 +77,7 @@ func TestCSIConfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitorsBad\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitorsBad\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
||||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Test setup error %s", err)
|
t.Errorf("Test setup error %s", err)
|
||||||
}
|
}
|
||||||
@ -89,7 +89,7 @@ func TestCSIConfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",2,\"mon3\"]}]"
|
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",2,\"mon3\"]}]"
|
||||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Test setup error %s", err)
|
t.Errorf("Test setup error %s", err)
|
||||||
}
|
}
|
||||||
@ -101,7 +101,7 @@ func TestCSIConfig(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}]"
|
||||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Test setup error %s", err)
|
t.Errorf("Test setup error %s", err)
|
||||||
}
|
}
|
||||||
@ -120,7 +120,7 @@ func TestCSIConfig(t *testing.T) {
|
|||||||
|
|
||||||
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}," +
|
data = "[{\"clusterID\":\"" + clusterID2 + "\",\"monitors\":[\"mon1\",\"mon2\",\"mon3\"]}," +
|
||||||
"{\"clusterID\":\"" + clusterID1 + "\",\"monitors\":[\"mon4\",\"mon5\",\"mon6\"]}]"
|
"{\"clusterID\":\"" + clusterID1 + "\",\"monitors\":[\"mon4\",\"mon5\",\"mon6\"]}]"
|
||||||
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0644)
|
err = ioutil.WriteFile(basePath+"/"+csiClusters, []byte(data), 0600)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Errorf("Test setup error %s", err)
|
t.Errorf("Test setup error %s", err)
|
||||||
}
|
}
|
||||||
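Review bot: Each setup write in `TestCSIConfig` reports a failure with `t.Errorf`, which lets the test continue, so the checks that follow would presumably run against whatever the previous step left in the file. `t.Fatalf("Test setup error %s", err)` stops at the failed setup instead; this applies to all six writes whose mode is changed here. Building the path with `filepath.Join(basePath, csiClusters)` instead of `basePath+"/"+csiClusters` would also be more idiomatic, if `path/filepath` is imported in the file. The test function starts and ends outside these hunks.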
|
@ -41,7 +41,7 @@ const (
|
|||||||
vaultDefaultPassphrasePath = ""
|
vaultDefaultPassphrasePath = ""
|
||||||
|
|
||||||
// vault request headers
|
// vault request headers
|
||||||
vaultTokenHeader = "X-Vault-Token" // nolint: gosec, #nosec
|
vaultTokenHeader = "X-Vault-Token" // #nosec:G101, value not credential, just references token.
|
||||||
vaultNamespaceHeader = "X-Vault-Namespace"
|
vaultNamespaceHeader = "X-Vault-Namespace"
|
||||||
)
|
)
|
||||||
|
|
||||||
|