[CI] Enable gosec linter (#979)

* fix tee append
* convert DB table names from var to const
* fixed file modes
* ignored gosec where relevant and safe

.golangci.yml

@@ -21,6 +21,7 @@ linters:
     - gofmt
     - goimports
     - golint
+    - gosec
     - interfacer
     - maligned
     - misspell

cmd/authelia-scripts/cmd_bootstrap.go

@@ -57,7 +57,7 @@ func runCommand(cmd string, args ...string) {
 
 func checkCommandExist(cmd string) {
 	fmt.Print("Checking if '" + cmd + "' command is installed...")
-	command := exec.Command("bash", "-c", "command -v "+cmd)
+	command := exec.Command("bash", "-c", "command -v "+cmd) //nolint:gosec // Used only in development.
 	err := command.Run()
 
 	if err != nil {
@@ -127,15 +127,24 @@ func prepareHostsFile() {
 		modified = true
 	}
 
-	err = ioutil.WriteFile("/tmp/authelia/hosts", []byte(strings.Join(lines, "\n")), 0644)
+	fd, err := ioutil.TempFile("/tmp/authelia/", "hosts")
+	if err != nil {
+		panic(err)
+	}
 
+	_, err = fd.Write([]byte(strings.Join(lines, "\n")))
 	if err != nil {
 		panic(err)
 	}
 
 	if modified {
 		bootstrapPrintln("/etc/hosts needs to be updated")
-		shell("cat /tmp/authelia/hosts | sudo tee -a /etc/hosts > /dev/null")
+		shell(fmt.Sprintf("cat %s | sudo tee /etc/hosts > /dev/null", fd.Name()))
+	}
+
+	err = fd.Close()
+	if err != nil {
+		panic(err)
 	}
 }
 

cmd/authelia-suites/main.go

@@ -61,7 +61,7 @@ func main() {
 }
 
 func createRunningSuiteFile(suite string) error {
-	return ioutil.WriteFile(runningSuiteFile, []byte(suite), 0644)
+	return ioutil.WriteFile(runningSuiteFile, []byte(suite), 0600)
 }
 
 func removeRunningSuiteFile() error {

internal/authentication/file_user_provider.go

@@ -166,7 +166,7 @@ func (p *FileUserProvider) UpdatePassword(username string, newPassword string) e
 		p.lock.Unlock()
 		return err
 	}
-	err = ioutil.WriteFile(p.configuration.Path, b, 0644)
+	err = ioutil.WriteFile(p.configuration.Path, b, 0644) //nolint:gosec // Fixed in future PR.
 	p.lock.Unlock()
 	return err
 }

internal/storage/const.go

@@ -3,11 +3,11 @@ package storage
 import "fmt"
 
 // Keep table names in lower case because some DB does not support upper case.
-var preferencesTableName = "user_preferences"
-var identityVerificationTokensTableName = "identity_verification_tokens"
-var totpSecretsTableName = "totp_secrets"
-var u2fDeviceHandlesTableName = "u2f_devices"
-var authenticationLogsTableName = "authentication_logs"
+const preferencesTableName = "user_preferences"
+const identityVerificationTokensTableName = "identity_verification_tokens"
+const totpSecretsTableName = "totp_secrets"
+const u2fDeviceHandlesTableName = "u2f_devices"
+const authenticationLogsTableName = "authentication_logs"
 
 // SQLCreateUserPreferencesTable common SQL query to create user_preferences table.
 var SQLCreateUserPreferencesTable = fmt.Sprintf(`

internal/suites/http.go

@@ -9,7 +9,7 @@ import (
 func NewHTTPClient() *http.Client {
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
+			InsecureSkipVerify: true, //nolint:gosec // Needs to be enabled in suites. Not used in production.
 		},
 	}
 	return &http.Client{

internal/suites/scenario_backend_protection_test.go

@@ -25,7 +25,7 @@ func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string,
 		s.Assert().NoError(err)
 
 		tr := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // Needs to be enabled in suites. Not used in production.
 		}
 		client := &http.Client{
 			Transport: tr,