fix gosec errors

Signed-off-by: Kim Tsao <[email protected]>

Author: kim-tsao

index/generator/library/library.go

@@ -91,6 +91,7 @@ func CreateIndexFile(index []schema.Schema, indexFilePath string) error {
 		return fmt.Errorf("failed to marshal %s data: %v", indexFilePath, err)
 	}
 
+	/* #nosec G306 -- index file does not contain any sensitive data*/
 	err = ioutil.WriteFile(indexFilePath, bytes, 0644)
 	if err != nil {
 		return fmt.Errorf("failed to write %s: %v", indexFilePath, err)
@@ -312,6 +313,7 @@ func parseStackDevfile(devfileDirPath string, stackName string, force bool, vers
 		}
 	}
 
+	/* #nosec G304 -- devfilePath is produced using filepath.Join which cleans the input path */
 	bytes, err := ioutil.ReadFile(devfilePath)
 	if err != nil {
 		return fmt.Errorf("failed to read %s: %v", devfilePath, err)
@@ -403,6 +405,7 @@ func parseStackDevfile(devfileDirPath string, stackName string, force bool, vers
 func parseExtraDevfileEntries(registryDirPath string, force bool) ([]schema.Schema, error) {
 	var index []schema.Schema
 	extraDevfileEntriesPath := path.Join(registryDirPath, extraDevfileEntries)
+	/* #nosec G304 -- extraDevfileEntriesPath is produced using path.Join which cleans the input path */
 	bytes, err := ioutil.ReadFile(extraDevfileEntriesPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read %s: %v", extraDevfileEntriesPath, err)
@@ -487,6 +490,7 @@ func parseExtraDevfileEntries(registryDirPath string, force bool) ([]schema.Sche
 	return index, nil
 }
 
+/* #nosec G304 -- stackYamlPath is produced from file.Join which cleans the input path */
 func parseStackInfo(stackYamlPath string) (schema.Schema, error) {
 	var index schema.Schema
 	bytes, err := ioutil.ReadFile(stackYamlPath)

index/generator/library/util.go

@@ -123,25 +123,27 @@ func CloneRemoteStack(git *schema.Git, path string, verbose bool) (err error) {
 // returns byte array of zip file and error if occurs otherwise is nil. If git.SubDir is set, then
 // zip file will contain contents of the specified subdirectory instead of the whole downloaded git repo.
 func DownloadStackFromGit(git *schema.Git, path string, verbose bool) ([]byte, error) {
-	zipPath := fmt.Sprintf("%s.zip", path)
+	cleanPath := filepath.Clean(path)
+	zipPath := fmt.Sprintf("%s.zip", cleanPath)
 
 	// Download from given git url. Downloaded result contains subDir
 	// when specified, if error return empty bytes.
-	if err := CloneRemoteStack(git, path, verbose); err != nil {
+	if err := CloneRemoteStack(git, cleanPath, verbose); err != nil {
 		return []byte{}, err
 	}
 
 	// Throw error if path was not created
-	if _, err := os.Stat(path); os.IsNotExist(err) {
+	if _, err := os.Stat(cleanPath); os.IsNotExist(err) {
 		return []byte{}, err
 	}
 
 	// Zip directory containing downloaded git repo
-	if err := ZipDir(path, zipPath); err != nil {
+	if err := ZipDir(cleanPath, zipPath); err != nil {
 		return []byte{}, err
 	}
 
 	// Read bytes from response and return, error will be nil if successful
+	/* #nosec G304 -- zipPath is constructed from a clean path */
 	return ioutil.ReadFile(zipPath)
 }
 
@@ -152,7 +154,7 @@ func DownloadStackFromZipUrl(zipUrl string, subDir string, path string) ([]byte,
 
 // downloadStackFromZipUrl downloads the zip file containing the stack at a given url
 func downloadStackFromZipUrl(zipUrl string, subDir string, path string, fs filesystem.Filesystem) ([]byte, error) {
-	zipDst := fmt.Sprintf("%s.zip", path)
+	zipDst := fmt.Sprintf("%s.zip", filepath.Clean(path))
 
 	// Create path if does not exist
 	if err := fs.MkdirAll(path, os.ModePerm); err != nil {
@@ -192,6 +194,7 @@ func downloadStackFromZipUrl(zipUrl string, subDir string, path string, fs files
 	}
 
 	// Read bytes from response and return, error will be nil if successful
+	/* #nosec G304 -- zipDest is produced using a cleaned path */
 	return ioutil.ReadFile(zipDst)
 }
 

index/server/pkg/server/endpoint.go

@@ -25,6 +25,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"path/filepath"
 	"regexp"
 
 	"github.com/devfile/api/v2/pkg/apis/workspaces/v1alpha2"
@@ -275,7 +276,7 @@ func serveDevfileStarterProjectWithVersion(c *gin.Context) {
 					localLoc = downloadFilePath
 				}
 
-				downloadBytes, err = ioutil.ReadFile(localLoc)
+				downloadBytes, err = ioutil.ReadFile(filepath.Clean(localLoc))
 				if err != nil {
 					log.Print(err.Error())
 					c.JSON(http.StatusInternalServerError, gin.H{
@@ -556,6 +557,7 @@ func fetchDevfile(c *gin.Context, name string, version string) ([]byte, indexSch
 			}
 			if sampleDevfilePath != "" {
 				if _, err = os.Stat(sampleDevfilePath); err == nil {
+					/* #nosec G304 -- sampleDevfilePath is constructed from path.Join which cleans the input paths */
 					bytes, err = ioutil.ReadFile(sampleDevfilePath)
 				}
 				if err != nil {

index/server/pkg/server/registry.go

@@ -69,6 +69,7 @@ func pushStackToRegistry(versionComponent indexSchema.Version, stackName string)
 		if _, err := os.Stat(resourcePath); os.IsNotExist(err) {
 			resourcePath = filepath.Join(stacksPath, stackName, resource)
 		}
+		/* #nosec G304 -- resourcePath is constructed from filepath.Join which cleans the input paths */
 		resourceContent, err := ioutil.ReadFile(resourcePath)
 		if err != nil {
 			return err

index/server/pkg/util/util.go

@@ -45,6 +45,7 @@ func IsHtmlRequested(acceptHeader []string) bool {
 // EncodeIndexIconToBase64 encodes all index icons to base64 format given the index file path
 func EncodeIndexIconToBase64(indexPath string, base64IndexPath string) ([]byte, error) {
 	// load index
+	/* #nosec G304 -- indexPath is derived from known paths set in the docker image */
 	bytes, err := ioutil.ReadFile(indexPath)
 	if err != nil {
 		return nil, err
@@ -86,6 +87,7 @@ func encodeToBase64(uri string) (string, error) {
 	// load the content from the given uri
 	var bytes []byte
 	if url.Scheme == "http" || url.Scheme == "https" {
+		/* #nosec G107 -- uri is taken from the index file.  Stacks with URLs to a devile icon should be vetted beforehand */
 		resp, err := http.Get(uri)
 		if err != nil {
 			return "", err
@@ -97,6 +99,7 @@ func encodeToBase64(uri string) (string, error) {
 			return "", err
 		}
 	} else {
+		/* #nosec G304 -- uri is derived from known paths set in the docker image */
 		bytes, err = ioutil.ReadFile(uri)
 		if err != nil {
 			return "", err
@@ -121,6 +124,7 @@ func encodeToBase64(uri string) (string, error) {
 // ReadIndexPath reads the index from the path and unmarshalls it into the index
 func ReadIndexPath(indexPath string) ([]indexSchema.Schema, error) {
 	// load index
+	/* #nosec G304 -- not user input */
 	bytes, err := ioutil.ReadFile(indexPath)
 	if err != nil {
 		return nil, err

registry-library/go.mod

@@ -5,6 +5,7 @@ go 1.14
 require (
 	github.com/containerd/containerd v1.5.9
 	github.com/devfile/registry-support/index/generator v0.0.0-20220624203950-e7282a4695b6
+	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-version v1.4.0
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/spf13/cobra v1.2.1

registry-library/go.sum

@@ -511,13 +511,15 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFb
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
 github.com/hashicorp/errwrap v0.0.0-20141028054710-7554cd9344ce/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80=
 github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60=
 github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM=
 github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:JMRHfdO9jKNzS/+BTlxCjKNQHg/jZAft8U7LloJvN7I=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU=
 github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU=

registry-library/library/library.go

@@ -19,6 +19,7 @@ import (
 	"archive/zip"
 	"encoding/json"
 	"fmt"
+	"github.com/hashicorp/go-multierror"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -314,11 +315,12 @@ func DownloadStarterProjectAsDir(path string, registryURL string, stack string,
 	defer archive.Close()
 
 	// Extract files from starter project archive to specified directory path
+	cleanPath := filepath.Clean(path)
 	for _, file := range archive.File {
-		filePath := filepath.Join(path, file.Name)
+		filePath := filepath.Join(cleanPath, filepath.Clean(file.Name))
 
 		// validate extracted filepath
-		if filePath != file.Name && !strings.HasPrefix(filePath, filepath.Clean(path)+string(os.PathSeparator)) {
+		if filePath != file.Name && !strings.HasPrefix(filePath, cleanPath+string(os.PathSeparator)) {
 			return fmt.Errorf("invalid file path %s", filePath)
 		}
 
@@ -334,6 +336,7 @@ func DownloadStarterProjectAsDir(path string, registryURL string, stack string,
 		}
 
 		// open destination file
+		/* #nosec G304 -- filePath is produced using path.Join which cleans the dir path */
 		dstFile, err := os.OpenFile(filePath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
 		if err != nil {
 			return fmt.Errorf("error opening destination file at %s: %v", filePath, err)
@@ -346,12 +349,19 @@ func DownloadStarterProjectAsDir(path string, registryURL string, stack string,
 		}
 
 		// extract source file to destination file
+		/* #nosec G110 -- starter projects are vetted before they are added to a registry.  Their contents can be seen before they are downloaded */
 		if _, err = io.Copy(dstFile, srcFile); err != nil {
 			return fmt.Errorf("error extracting file %s from archive %s to destination at %s: %v", file.Name, archivePath, filePath, err)
 		}
 
-		dstFile.Close()
-		srcFile.Close()
+		err = dstFile.Close()
+		if err != nil {
+			return err
+		}
+		err = srcFile.Close()
+		if err != nil {
+			return err
+		}
 	}
 
 	return nil
@@ -360,37 +370,45 @@ func DownloadStarterProjectAsDir(path string, registryURL string, stack string,
 // DownloadStarterProject downloads a specified starter project archive to a given path
 func DownloadStarterProject(path string, registryURL string, stack string, starterProject string, options RegistryOptions) error {
 	var fileStream *os.File
+	var returnedErr error
 
+	cleanPath := filepath.Clean(path)
 	// Download Starter Project archive bytes
 	bytes, err := DownloadStarterProjectAsBytes(registryURL, stack, starterProject, options)
 	if err != nil {
 		return err
 	}
 
 	// Error if parent directory does not exist
-	if _, err = os.Stat(filepath.Dir(path)); os.IsNotExist(err) {
+	if _, err = os.Stat(filepath.Dir(cleanPath)); os.IsNotExist(err) {
 		return fmt.Errorf("parent directory '%s' does not exist: %v", filepath.Dir(path), err)
 	}
 
 	// If file does not exist, create a new one
 	// Else open existing for overwriting
 	if _, err = os.Stat(path); os.IsNotExist(err) {
-		fileStream, err = os.Create(path)
+		fileStream, err = os.Create(cleanPath)
 		if err != nil {
 			return fmt.Errorf("failed to create file '%s': %v", path, err)
 		}
 	} else {
-		fileStream, err = os.OpenFile(path, os.O_WRONLY|os.O_TRUNC, os.ModePerm)
+		fileStream, err = os.OpenFile(cleanPath, os.O_WRONLY|os.O_TRUNC, os.ModePerm)
 		if err != nil {
 			return fmt.Errorf("failed to open file '%s': %v", path, err)
 		}
 	}
-	defer fileStream.Close()
+
+	defer func() {
+		if err = fileStream.Close(); err != nil {
+			returnedErr = multierror.Append(returnedErr, err)
+		}
+	}()
 
 	// Write downloaded bytes to file
 	_, err = fileStream.Write(bytes)
 	if err != nil {
-		return fmt.Errorf("failed writing to '%s': %v", path, err)
+		returnedErr = multierror.Append(returnedErr, fmt.Errorf("failed writing to '%s': %v", path, err))
+		return returnedErr
 	}
 
 	return nil

registry-library/library/util.go

@@ -20,6 +20,7 @@ import (
 	"compress/gzip"
 	"crypto/tls"
 	"fmt"
+	"github.com/hashicorp/go-multierror"
 	"io"
 	"log"
 	"net/http"
@@ -73,47 +74,70 @@ func ValidateStackVersionTag(stackWithVersion string) (bool, error) {
 
 // decompress extracts the archive file
 func decompress(targetDir string, tarFile string, excludeFiles []string) error {
-	reader, err := os.Open(tarFile)
+	var returnedErr error
+
+	reader, err := os.Open(filepath.Clean(tarFile))
 	if err != nil {
 		return err
 	}
-	defer reader.Close()
+
+	defer func() {
+		if err = reader.Close(); err != nil {
+			returnedErr = multierror.Append(returnedErr, err)
+		}
+	}()
 
 	gzReader, err := gzip.NewReader(reader)
 	if err != nil {
-		return err
+		returnedErr = multierror.Append(returnedErr, err)
+		return returnedErr
 	}
-	defer gzReader.Close()
+
+	defer func() {
+		if err = gzReader.Close(); err != nil {
+			returnedErr = multierror.Append(returnedErr, err)
+		}
+	}()
 
 	tarReader := tar.NewReader(gzReader)
 	for {
 		header, err := tarReader.Next()
 		if err == io.EOF {
 			break
 		} else if err != nil {
-			return err
+			returnedErr = multierror.Append(returnedErr, err)
+			return returnedErr
 		}
 		if isExcluded(header.Name, excludeFiles) {
 			continue
 		}
 
-		target := path.Join(targetDir, header.Name)
+		target := path.Join(targetDir, filepath.Clean(header.Name))
 		switch header.Typeflag {
 		case tar.TypeDir:
 			err = os.MkdirAll(target, os.FileMode(header.Mode))
 			if err != nil {
-				return err
+				returnedErr = multierror.Append(returnedErr, err)
+				return returnedErr
 			}
 		case tar.TypeReg:
+			/* #nosec G304 -- target is produced using path.Join which cleans the dir path */
 			w, err := os.OpenFile(target, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
 			if err != nil {
-				return err
+				returnedErr = multierror.Append(returnedErr, err)
+				return returnedErr
 			}
+			/* #nosec G110 -- starter projects are vetted before they are added to a registry.  Their contents can be seen before they are downloaded */
 			_, err = io.Copy(w, tarReader)
 			if err != nil {
-				return err
+				returnedErr = multierror.Append(returnedErr, err)
+				return returnedErr
+			}
+			err = w.Close()
+			if err != nil {
+				returnedErr = multierror.Append(returnedErr, err)
+				return returnedErr
 			}
-			w.Close()
 		default:
 			log.Printf("Unsupported type: %v", header.Typeflag)
 		}
@@ -161,7 +185,8 @@ func getHTTPClient(options RegistryOptions) *http.Client {
 		Transport: &http.Transport{
 			Proxy:                 http.ProxyFromEnvironment,
 			ResponseHeaderTimeout: overriddenTimeout,
-			TLSClientConfig:       &tls.Config{InsecureSkipVerify: options.SkipTLSVerify},
+			/*#nosec G402 -- documented user option for dev/test, not for prod use */
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: options.SkipTLSVerify},
 		},
 		Timeout: overriddenTimeout,
 	}

registry-library/vendor/modules.txt

@@ -98,6 +98,11 @@ github.com/google/gofuzz
 github.com/google/gofuzz/bytesource
 # github.com/gorilla/mux v1.8.0
 github.com/gorilla/mux
+# github.com/hashicorp/errwrap v1.0.0
+github.com/hashicorp/errwrap
+# github.com/hashicorp/go-multierror v1.1.1
+## explicit
+github.com/hashicorp/go-multierror
 # github.com/hashicorp/go-version v1.4.0
 ## explicit
 github.com/hashicorp/go-version