From c13196a86e267298edb3458d3e47918565e3d139 Mon Sep 17 00:00:00 2001
From: James Elliott <james-d-elliott@users.noreply.github.com>
Date: Tue, 5 May 2020 17:57:30 +1000
Subject: [PATCH] [CI] Enable gosec linter (#979)

* fix tee append
* convert DB table names from var to const
* fixed file modes
* ignored gosec where relevant and safe
---
 .golangci.yml                                     |  1 +
 cmd/authelia-scripts/cmd_bootstrap.go             | 15 ++++++++++++---
 cmd/authelia-suites/main.go                       |  2 +-
 internal/authentication/file_user_provider.go     |  2 +-
 internal/storage/{constants.go => const.go}       | 10 +++++-----
 internal/suites/http.go                           |  2 +-
 .../suites/scenario_backend_protection_test.go    |  2 +-
 7 files changed, 22 insertions(+), 12 deletions(-)
 rename internal/storage/{constants.go => const.go} (84%)

diff --git a/.golangci.yml b/.golangci.yml
index 19bbd49fd..a943edee4 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -21,6 +21,7 @@ linters:
     - gofmt
     - goimports
     - golint
+    - gosec
     - interfacer
     - maligned
     - misspell
diff --git a/cmd/authelia-scripts/cmd_bootstrap.go b/cmd/authelia-scripts/cmd_bootstrap.go
index e7bcc3c1c..4aac50763 100644
--- a/cmd/authelia-scripts/cmd_bootstrap.go
+++ b/cmd/authelia-scripts/cmd_bootstrap.go
@@ -57,7 +57,7 @@ func runCommand(cmd string, args ...string) {
 
 func checkCommandExist(cmd string) {
 	fmt.Print("Checking if '" + cmd + "' command is installed...")
-	command := exec.Command("bash", "-c", "command -v "+cmd)
+	command := exec.Command("bash", "-c", "command -v "+cmd) //nolint:gosec // Used only in development.
 	err := command.Run()
 
 	if err != nil {
@@ -127,15 +127,24 @@ func prepareHostsFile() {
 		modified = true
 	}
 
-	err = ioutil.WriteFile("/tmp/authelia/hosts", []byte(strings.Join(lines, "\n")), 0644)
+	fd, err := ioutil.TempFile("/tmp/authelia/", "hosts")
+	if err != nil {
+		panic(err)
+	}
 
+	_, err = fd.Write([]byte(strings.Join(lines, "\n")))
 	if err != nil {
 		panic(err)
 	}
 
 	if modified {
 		bootstrapPrintln("/etc/hosts needs to be updated")
-		shell("cat /tmp/authelia/hosts | sudo tee -a /etc/hosts > /dev/null")
+		shell(fmt.Sprintf("cat %s | sudo tee /etc/hosts > /dev/null", fd.Name()))
+	}
+
+	err = fd.Close()
+	if err != nil {
+		panic(err)
 	}
 }
 
diff --git a/cmd/authelia-suites/main.go b/cmd/authelia-suites/main.go
index aad794391..66f9fac8b 100644
--- a/cmd/authelia-suites/main.go
+++ b/cmd/authelia-suites/main.go
@@ -61,7 +61,7 @@ func main() {
 }
 
 func createRunningSuiteFile(suite string) error {
-	return ioutil.WriteFile(runningSuiteFile, []byte(suite), 0644)
+	return ioutil.WriteFile(runningSuiteFile, []byte(suite), 0600)
 }
 
 func removeRunningSuiteFile() error {
diff --git a/internal/authentication/file_user_provider.go b/internal/authentication/file_user_provider.go
index 180854c82..bb6d41d0b 100644
--- a/internal/authentication/file_user_provider.go
+++ b/internal/authentication/file_user_provider.go
@@ -166,7 +166,7 @@ func (p *FileUserProvider) UpdatePassword(username string, newPassword string) e
 		p.lock.Unlock()
 		return err
 	}
-	err = ioutil.WriteFile(p.configuration.Path, b, 0644)
+	err = ioutil.WriteFile(p.configuration.Path, b, 0644) //nolint:gosec // Fixed in future PR.
 	p.lock.Unlock()
 	return err
 }
diff --git a/internal/storage/constants.go b/internal/storage/const.go
similarity index 84%
rename from internal/storage/constants.go
rename to internal/storage/const.go
index 5b1117fd8..52e970e2c 100644
--- a/internal/storage/constants.go
+++ b/internal/storage/const.go
@@ -3,11 +3,11 @@ package storage
 import "fmt"
 
 // Keep table names in lower case because some DB does not support upper case.
-var preferencesTableName = "user_preferences"
-var identityVerificationTokensTableName = "identity_verification_tokens"
-var totpSecretsTableName = "totp_secrets"
-var u2fDeviceHandlesTableName = "u2f_devices"
-var authenticationLogsTableName = "authentication_logs"
+const preferencesTableName = "user_preferences"
+const identityVerificationTokensTableName = "identity_verification_tokens"
+const totpSecretsTableName = "totp_secrets"
+const u2fDeviceHandlesTableName = "u2f_devices"
+const authenticationLogsTableName = "authentication_logs"
 
 // SQLCreateUserPreferencesTable common SQL query to create user_preferences table.
 var SQLCreateUserPreferencesTable = fmt.Sprintf(`
diff --git a/internal/suites/http.go b/internal/suites/http.go
index b5b8ecff0..a4f07e99f 100644
--- a/internal/suites/http.go
+++ b/internal/suites/http.go
@@ -9,7 +9,7 @@ import (
 func NewHTTPClient() *http.Client {
 	tr := &http.Transport{
 		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
+			InsecureSkipVerify: true, //nolint:gosec // Needs to be enabled in suites. Not used in production.
 		},
 	}
 	return &http.Client{
diff --git a/internal/suites/scenario_backend_protection_test.go b/internal/suites/scenario_backend_protection_test.go
index d3ddd1ac0..197cedd86 100644
--- a/internal/suites/scenario_backend_protection_test.go
+++ b/internal/suites/scenario_backend_protection_test.go
@@ -25,7 +25,7 @@ func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string,
 		s.Assert().NoError(err)
 
 		tr := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // Needs to be enabled in suites. Not used in production.
 		}
 		client := &http.Client{
 			Transport: tr,