diff --git a/.golangci.yml b/.golangci.yml
index 19bbd49f..a943edee 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -21,6 +21,7 @@ linters:
 - gofmt
 - goimports
 - golint
+ - gosec
 - interfacer
 - maligned
 - misspell
diff --git a/cmd/authelia-scripts/cmd_bootstrap.go b/cmd/authelia-scripts/cmd_bootstrap.go
index e7bcc3c1..4aac5076 100644
--- a/cmd/authelia-scripts/cmd_bootstrap.go
+++ b/cmd/authelia-scripts/cmd_bootstrap.go
@@ -57,7 +57,7 @@ func runCommand(cmd string, args ...string) {
 func checkCommandExist(cmd string) {
 fmt.Print("Checking if '" + cmd + "' command is installed...")
- command := exec.Command("bash", "-c", "command -v "+cmd)
+ command := exec.Command("bash", "-c", "command -v "+cmd) //nolint:gosec // Used only in development.
 err := command.Run()
 if err != nil {
@@ -127,15 +127,24 @@ func prepareHostsFile() {
 modified = true
 }
- err = ioutil.WriteFile("/tmp/authelia/hosts", []byte(strings.Join(lines, "\n")), 0644)
+ fd, err := ioutil.TempFile("/tmp/authelia/", "hosts")
+ if err != nil {
+ panic(err)
+ }
+ _, err = fd.Write([]byte(strings.Join(lines, "\n")))
 if err != nil {
 panic(err)
 }
 if modified {
 bootstrapPrintln("/etc/hosts needs to be updated")
- shell("cat /tmp/authelia/hosts | sudo tee -a /etc/hosts > /dev/null")
+ shell(fmt.Sprintf("cat %s | sudo tee /etc/hosts > /dev/null", fd.Name()))
+ }
+
+ err = fd.Close()
+ if err != nil {
+ panic(err)
 }
 }
diff --git a/cmd/authelia-suites/main.go b/cmd/authelia-suites/main.go
index aad79439..66f9fac8 100644
--- a/cmd/authelia-suites/main.go
+++ b/cmd/authelia-suites/main.go
@@ -61,7 +61,7 @@ func main() {
 }
 func createRunningSuiteFile(suite string) error {
- return ioutil.WriteFile(runningSuiteFile, []byte(suite), 0644)
+ return ioutil.WriteFile(runningSuiteFile, []byte(suite), 0600)
 }
 func removeRunningSuiteFile() error {
diff --git a/internal/authentication/file_user_provider.go b/internal/authentication/file_user_provider.go
index 180854c8..bb6d41d0 100644
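Review bot: In `checkCommandExist` (cmd/authelia-scripts/cmd_bootstrap.go) the `//nolint:gosec` comment silences the finding while `cmd` is still concatenated into a `bash -c` string, so any shell metacharacter in the argument would be interpreted by bash. The callers are outside the hunk; if they pass only fixed tool names the exposure is small, but the lookup does not need a shell at all. `_, err := exec.LookPath(cmd)` would replace both the `exec.Command` line and the following `command.Run()` and lets the suppression be dropped. The function body continues outside the hunk.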
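Review bot: In `prepareHostsFile` (cmd/authelia-scripts/cmd_bootstrap.go) the shell command changes from `tee -a` to `tee`, so /etc/hosts is now overwritten with the temporary file rather than appended to. That is only safe if `lines` holds the complete existing file, which is built outside the hunk and should be confirmed. The temporary file is also never removed, and `fd.Close()` runs only after `shell(...)` has already read the file. Adding `defer os.Remove(fd.Name())` after the `ioutil.TempFile` error check (needs the `os` import) and moving the `fd.Close()` check ahead of the `if modified {` block would cover both.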
--- a/internal/authentication/file_user_provider.go
+++ b/internal/authentication/file_user_provider.go
@@ -166,7 +166,7 @@ func (p *FileUserProvider) UpdatePassword(username string, newPassword string) e
 p.lock.Unlock()
 return err
 }
- err = ioutil.WriteFile(p.configuration.Path, b, 0644)
+ err = ioutil.WriteFile(p.configuration.Path, b, 0644) //nolint:gosec // Fixed in future PR.
 p.lock.Unlock()
 return err
 }
diff --git a/internal/storage/constants.go b/internal/storage/const.go
similarity index 84%
rename from internal/storage/constants.go
rename to internal/storage/const.go
index 5b1117fd..52e970e2 100644
--- a/internal/storage/constants.go
+++ b/internal/storage/const.go
@@ -3,11 +3,11 @@ package storage
 import "fmt"
 // Keep table names in lower case because some DB does not support upper case.
-var preferencesTableName = "user_preferences"
-var identityVerificationTokensTableName = "identity_verification_tokens"
-var totpSecretsTableName = "totp_secrets"
-var u2fDeviceHandlesTableName = "u2f_devices"
-var authenticationLogsTableName = "authentication_logs"
+const preferencesTableName = "user_preferences"
+const identityVerificationTokensTableName = "identity_verification_tokens"
+const totpSecretsTableName = "totp_secrets"
+const u2fDeviceHandlesTableName = "u2f_devices"
+const authenticationLogsTableName = "authentication_logs"
 // SQLCreateUserPreferencesTable common SQL query to create user_preferences table.
 var SQLCreateUserPreferencesTable = fmt.Sprintf(`
diff --git a/internal/suites/http.go b/internal/suites/http.go
index b5b8ecff..a4f07e99 100644
--- a/internal/suites/http.go
+++ b/internal/suites/http.go
@@ -9,7 +9,7 @@ import (
 func NewHTTPClient() *http.Client {
 tr := &http.Transport{
 TLSClientConfig: &tls.Config{
- InsecureSkipVerify: true,
+ InsecureSkipVerify: true, //nolint:gosec // Needs to be enabled in suites. Not used in production.
 },
 }
 return &http.Client{
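Review bot: The `//nolint:gosec // Fixed in future PR.` on the `ioutil.WriteFile` call in `UpdatePassword` (internal/authentication/file_user_provider.go) keeps mode 0644 for the file at `p.configuration.Path`. Since this method rewrites that file after a password change, it presumably holds password hashes that other local users could read. The same commit already tightens `createRunningSuiteFile` to 0600, so the fix here could be the same one-token change, `err = ioutil.WriteFile(p.configuration.Path, b, 0600)`. WriteFile applies the mode only when it creates the file, so an existing file keeps its current permissions and would need a separate chmod or a documented requirement. The method starts outside the hunk.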
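Review bot: `NewHTTPClient` in internal/suites/http.go is exported from a non-test file and returns a client with certificate verification disabled, but the only statement of that is the trailing `//nolint:gosec` comment. A doc comment on the function would make the constraint visible to callers, for example `// NewHTTPClient returns a client that skips TLS certificate verification; it is for use against the test suites only.` The hunk in internal/suites/scenario_backend_protection_test.go builds a second transport with the same setting and the same suppression; whether it could call `NewHTTPClient()` instead depends on client options outside both hunks. The body of `NewHTTPClient` continues past the hunk.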
diff --git a/internal/suites/scenario_backend_protection_test.go b/internal/suites/scenario_backend_protection_test.go
index d3ddd1ac..197cedd8 100644
--- a/internal/suites/scenario_backend_protection_test.go
+++ b/internal/suites/scenario_backend_protection_test.go
@@ -25,7 +25,7 @@ func (s *BackendProtectionScenario) AssertRequestStatusCode(method, url string,
 s.Assert().NoError(err)
 tr := &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+ TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec // Needs to be enabled in suites. Not used in production.
 }
 client := &http.Client{
 Transport: tr,