From 1c2efe75c8c7f26004e5a0a97445c4f480d76384 Mon Sep 17 00:00:00 2001 From: Aneesh Puttur Date: Fri, 8 Nov 2024 09:12:49 -0500 Subject: [PATCH] Enabled gosec and fixed security issue Signed-off-by: Aneesh Puttur --- .golangci.yaml | 10 ++++++++-- Makefile | 2 +- cmd/main.go | 13 ++++++++++--- pkg/storage/kubernetes/client.go | 13 ++++++------- plugins/ptp_operator/config/config.go | 6 ++++++ plugins/ptp_operator/config/config_test.go | 4 ++-- plugins/ptp_operator/ptp4lconf/ptp4lConfig.go | 6 ++++++ 7 files changed, 39 insertions(+), 15 deletions(-) diff --git a/.golangci.yaml b/.golangci.yaml index f8e90172..53e82b67 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -33,7 +33,6 @@ linters-settings: # Whether to be strict about shadowing; can be noisy. # Default: false strict: true - gocyclo: # minimal code complexity to report, 30 by default (but we recommend 10-20) min-complexity: 50 @@ -48,7 +47,14 @@ linters-settings: - const - var - func - + revive: + rules: + - name: dot-imports + arguments: + - allowedPackages: + - "github.com/onsi/ginkgo" + - "github.com/onsi/ginkgo/v2" + - "github.com/onsi/gomega" linters: disable-all: true enable: # NOTE: please keep this list alphabetically sorted diff --git a/Makefile b/Makefile index 4f0e9ea8..92ab2051 100644 --- a/Makefile +++ b/Makefile @@ -67,7 +67,7 @@ build-examples: go build -o ./build/cloud-event-consumer ./examples/consumer/main.go lint: - golangci-lint run + golangci-lint --enable gosec run build-plugins: go build -a -o plugins/ptp_operator_plugin.so -buildmode=plugin plugins/ptp_operator/ptp_operator_plugin.go diff --git a/cmd/main.go b/cmd/main.go index 53da86ef..a248f9e9 100644 --- a/cmd/main.go +++ b/cmd/main.go 
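Review bot: `--enable` is a flag of the `run` subcommand, so the new `lint` target `golangci-lint --enable gosec run` may be rejected as an unknown global flag and fail before any linting; the safe form is `golangci-lint run --enable gosec`. Either way, enabling gosec only from the Makefile means editor integrations and CI steps that call `golangci-lint run` directly never get the check — add `gosec` to the `linters.enable` list in .golangci.yaml (the list this commit's other hunk sits next to) so the policy lives in one place.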
@@ -214,7 +214,12 @@ func metricServer(address string) { mux.Handle("/metrics", promhttp.Handler()) go wait.Until(func() { - err := http.ListenAndServe(address, mux) + server := &http.Server{ + Addr: address, + ReadHeaderTimeout: 5 * time.Second, + Handler: mux, + } + err := server.ListenAndServe() if err != nil { log.Errorf("error with metrics server %s\n, will retry to establish", err.Error()) } @@ -235,8 +240,10 @@ func ProcessOutChannel(wg *sync.WaitGroup, scConfig *common.SCConfiguration) { if pub.EndPointURI != nil { log.Debugf("posting acknowledgment with status: %s to publisher: %s", status, pub.EndPointURI) restClient := restclient.New() - restClient.Post(pub.EndPointURI, - []byte(fmt.Sprintf(`{eventId:"%s",status:"%s"}`, pub.ID, status))) + if _, err := restClient.Post(pub.EndPointURI, + []byte(fmt.Sprintf(`{eventId:"%s",status:"%s"}`, pub.ID, status))); err != nil { + log.Errorf("error posting acknowledgment at %s : %s", pub.EndPointURI, err) + } } } } diff --git a/pkg/storage/kubernetes/client.go b/pkg/storage/kubernetes/client.go index e4f8ea58..fe292e64 100644 --- a/pkg/storage/kubernetes/client.go +++ b/pkg/storage/kubernetes/client.go 
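Review bot: The new http.Server only bounds header reads; ReadTimeout, WriteTimeout and IdleTimeout are still zero, so a client that connects and idles, or reads the /metrics response slowly, holds its connection for as long as it likes. ReadHeaderTimeout is what gosec's G112 looks for, but a scrape endpoint wants the other three as well, e.g. `ReadTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second, IdleTimeout: 60 * time.Second,` beside the existing field. metricServer's body continues past the hunk (the wait.Until loop closes later).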
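Review bot: The acknowledgment body on the new side is still assembled with fmt.Sprintf, so `pub.ID` and `status` are inserted unescaped and the keys are unquoted — `{eventId:"…",status:"…"}` is not valid JSON unless the receiver deliberately accepts that form, and a quote or backslash in either value breaks the structure. The commit only adds the missing error check; since these lines are being touched, build the payload with json.Marshal of a small struct tagged `json:"eventId"` / `json:"status"` and handle the marshal error the same way as the post error. The discarded first result of `restClient.Post` is worth a look too: if it is a response with a body rather than a status code, it needs to be closed. ProcessOutChannel starts before this hunk.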
@@ -124,21 +124,20 @@ func (sClient *Client) UpdateConfigMap(ctx context.Context, data []subscriber.Su existingData = make(map[string]string) } - for _, d := range data { - if d.Action == channel.DELETE { - delete(existingData, d.ClientID.String()) + for i := 0; i < len(data); i++ { + if data[i].Action == channel.DELETE { + delete(existingData, data[i].ClientID.String()) } else { // Marshal back to json (as original) var out []byte var e error - if out, e = json.MarshalIndent(&d, "", " "); e != nil { + if out, e = json.MarshalIndent(&data[i], "", " "); e != nil { log.Errorf("error marshalling subscriber %s", e.Error()) continue } log.Infof("persisting following contents %s ", string(out)) - log.Infof("updating new subscriber in configmap") - existingData[d.ClientID.String()] = string(out) + existingData[data[i].ClientID.String()] = string(out) } } @@ -166,7 +165,7 @@ func (sClient *Client) InitConfigMap(apiVersion, storePath, nodeName, namespace if subscriberErr == nil { filePath := fmt.Sprintf("%s/%s", storePath, fmt.Sprintf("%s.json", clientID)) log.Infof("persisting following contents %s to a file %s\n", string(newSubscriberBytes), filePath) - if subscriberErr = os.WriteFile(filePath, newSubscriberBytes, 0666); subscriberErr != nil { + if subscriberErr = os.WriteFile(filePath, newSubscriberBytes, 0600); subscriberErr != nil { log.Errorf("error writing subscription to a file %s", subscriberErr.Error()) } } else { diff --git a/plugins/ptp_operator/config/config.go b/plugins/ptp_operator/config/config.go index 5b92a4a9..f1e1eae9 100644 --- a/plugins/ptp_operator/config/config.go +++ b/plugins/ptp_operator/config/config.go @@ -22,6 +22,7 @@ import ( "os" "path/filepath" "regexp" + "strings" "sync" "time" 
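Review bot: The index loop on the new side removes the address-of-range-copy that gosec flags, but `for i := range data {` with `d := &data[i]` as the first statement keeps the fix while the rest of the body stays as readable as before (`d.Action`, `d.ClientID`, `json.MarshalIndent(d, "", " ")`). Separately, the context line `log.Infof("persisting following contents %s ", string(out))` writes the whole marshalled subscriber record to the log at info level on every update; if that record carries endpoint URIs or anything credential-like, Debugf is the better level. UpdateConfigMap starts before this hunk.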
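Review bot: `os.WriteFile` applies the 0600 mode only when it creates the file, so a subscription file left behind by an earlier build with 0666 keeps that mode when it is overwritten; the tightening does not reach existing stores unless something also runs `os.Chmod(filePath, 0600)` after the write or the store directory is recreated. The path on the context line is also built with fmt.Sprintf from `clientID`; if that value can originate from a subscriber request rather than a server-generated ID, a `..` in it escapes storePath — `filepath.Join(storePath, clientID+".json")` plus a Clean-and-prefix check like the one this commit adds in config.go would close that. InitConfigMap starts before and ends after this hunk.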
@@ -417,6 +418,11 @@ func (l *LinuxPTPConfigMapUpdate) updatePtpConfig(nodeName string) (updated bool log.Errorf("error finding node profile %v: %v", nodeName, err) return } + nodeProfile = filepath.Clean(nodeProfile) + if !strings.HasPrefix(nodeProfile, l.profilePath) { + log.Errorf("reading nodeProfile %s from unknon path ", nodeProfile) + return + } nodeProfilesJSON, err := os.ReadFile(nodeProfile) if err != nil { log.Errorf("error reading node profile: %v", nodeProfile) diff --git a/plugins/ptp_operator/config/config_test.go b/plugins/ptp_operator/config/config_test.go index a9fbdb95..09b94d74 100644 --- a/plugins/ptp_operator/config/config_test.go +++ b/plugins/ptp_operator/config/config_test.go @@ -125,8 +125,8 @@ func Test_Config(t *testing.T) { } closeCh := make(chan struct{}) - os.Setenv("PTP_PROFILE_PATH", "../_testprofile") - os.Setenv("CONFIG_UPDATE_INTERVAL", "1") + _ = os.Setenv("PTP_PROFILE_PATH", "../_testprofile") + _ = os.Setenv("CONFIG_UPDATE_INTERVAL", "1") for name, tc := range testCases { t.Run(name, func(t *testing.T) { ptpUpdate := ptpConfig.NewLinuxPTPConfUpdate() diff --git a/plugins/ptp_operator/ptp4lconf/ptp4lConfig.go b/plugins/ptp_operator/ptp4lconf/ptp4lConfig.go index bdc82fd6..7c381b81 100644 --- a/plugins/ptp_operator/ptp4lconf/ptp4lConfig.go +++ b/plugins/ptp_operator/ptp4lconf/ptp4lConfig.go @@ -37,6 +37,7 @@ var ( const ( ptp4lGlobalSection = "global" + ptpConfigDir = "/var/run/" ) // PtpConfigUpdate ... updated ptp config values @@ -243,6 +244,11 @@ func readAllConfig(dir string) []*PtpConfigUpdate { } func readConfig(path string) (*PtpConfigUpdate, error) { fName := filename(path) + path = filepath.Clean(path) + if !strings.HasPrefix(path, ptpConfigDir) { + log.Errorf("reading ptpconfig %s from unknon path ", path) + return nil, fmt.Errorf("reading ptpconfig %s from unknon path ", path) + } b, err := os.ReadFile(path) if err != nil { log.Errorf("error reading ptpconfig %s error %s", path, err)
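Review bot: The new prefix check compares the cleaned `nodeProfile` against `l.profilePath` without a trailing separator, so a path such as `/etc/ptp-profiles-evil/x` passes when profilePath is `/etc/ptp-profiles`, and an uncleaned profilePath (doubled separators or a trailing `/.`) would reject legitimate files once Clean has normalised nodeProfile. Build the boundary once, `base := filepath.Clean(l.profilePath) + string(filepath.Separator)`, and test `if !strings.HasPrefix(nodeProfile, base) {`. This stays a lexical guard — filepath.Clean does not resolve symlinks — so apply filepath.EvalSymlinks first if a symlinked profile directory is a realistic concern; the log message also misspells "unknown". updatePtpConfig starts before and ends after this hunk.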
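Review bot: `_ = os.Setenv(...)` silences the errcheck finding but still leaks both variables into every later test in the package and ignores a failure to set them; `t.Setenv("PTP_PROFILE_PATH", "../_testprofile")` and `t.Setenv("CONFIG_UPDATE_INTERVAL", "1")` (Go 1.17+) fail the test on error and restore the previous values at cleanup, which is what these two lines want. Test_Config starts before and ends after this hunk.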
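Review bot: readConfig now hard-codes `/var/run/` as the only permitted directory while its caller readAllConfig takes `dir` as a parameter, so any caller or test that points readAllConfig elsewhere has every file rejected; derive the allowed prefix from `dir` (pass it into readConfig) rather than from the package constant. The check is lexical — filepath.Clean does not follow symlinks — so a link under /var/run still reads from wherever it points, and filepath.EvalSymlinks before the prefix test closes that if it matters here. The failure is also both logged and returned, and both messages misspell "unknown"; returning `fmt.Errorf("reading ptpconfig %s from unknown path", path)` alone and letting readAllConfig log it avoids the double report. readConfig's body continues past the hunk.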