Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix linting errors and improve security #407

Merged
merged 14 commits into from
Jan 8, 2025
Merged

Fix linting errors and improve security #407

merged 14 commits into from
Jan 8, 2025

Conversation

pandatix
Copy link
Member

@pandatix pandatix commented Jan 6, 2025

This PR solves the go-lint action failure.

It introduces multiple fixes:

  • typos
  • too long lines (>120 columns) split on multiple ones
  • context.Context passed as 1st argument
  • Id replaced by ID
  • security practices on unzip (vulnerable to zip bombs and zip slips) and potential slowloris attack on the HTTP server (gRPC gateway). It should not be considered critical as the chall-manager is supposed to not be exposed to external users, and access control over the API restrain attacks to ChallMakers and Admins, thus not likely malicious
  • for chall-manager-cli challenge create --dir ... it now copies the file mode perm in order for the scenario unzip in chall-manager to avoid putting 0777 by default
  • gosec config to silence warnings on md5 usage (not for crypto)

Note

We decided to no publish CVEs as part of the public beta due to the lack of adoption and the overhead of work to publish those. Future work (even through the beta) will release CVEs if necessary.

In the end, the CI now passes ! 🎉

@pandatix pandatix added security When there are security related info go Pull requests that update Go code chall-manager Related to chall-manager labels Jan 6, 2025
@pandatix pandatix requested a review from NicoFgrx January 6, 2025 15:04
@coveralls
Copy link

coveralls commented Jan 6, 2025
edited
Loading

Pull Request Test Coverage Report for Build 12666321369

Details

  • 0 of 422 (0.0%) changed or added relevant lines in 30 files are covered.
  • 462 unchanged lines in 9 files lost coverage.
  • Overall coverage remained the same at 0.0%
Changes Missing Coverage Covered Lines Changed/Added Lines %
api/v1/challenge/create.go 0 1 0.0%
api/v1/challenge/delete.go 0 1 0.0%
api/v1/challenge/query.go 0 1 0.0%
api/v1/instance/query.go 0 1 0.0%
pkg/errors/internal.go 0 1 0.0%
api/v1/challenge/retrieve.go 0 2 0.0%
api/v1/challenge/update.go 0 2 0.0%
api/v1/instance/delete.go 0 2 0.0%
api/v1/instance/renew.go 0 2 0.0%
api/v1/instance/retrieve.go 0 2 0.0%
Files with Coverage Reduction New Missed Lines %
pkg/fs/instance.go 1 0.0%
cmd/chall-manager-cli/main.go 1 0.0%
api/v1/common/locks.go 2 0.0%
api/v1/challenge/challenge_grpc.pb.go 29 0.0%
api/v1/instance/instance_grpc.pb.go 29 0.0%
api/v1/challenge/challenge.pb.gw.go 86 0.0%
api/v1/challenge/challenge.pb.go 100 0.0%
api/v1/instance/instance.pb.gw.go 101 0.0%
api/v1/instance/instance.pb.go 113 0.0%
Totals Coverage Status
Change from base Build 12553575317: 0.0%
Covered Lines: 0
Relevant Lines: 4702
💛 - Coveralls

NicoFgrx
NicoFgrx reviewed Jan 8, 2025
View reviewed changes
pkg/scenario/decompressor.go Outdated Show resolved Hide resolved
pkg/scenario/io.go Show resolved Hide resolved
@pandatix pandatix requested a review from NicoFgrx January 8, 2025 07:51
NicoFgrx
NicoFgrx previously approved these changes Jan 8, 2025
View reviewed changes
Copy link
Member

@NicoFgrx NicoFgrx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pandatix pandatix dismissed NicoFgrx’s stale review January 8, 2025 07:55

The merge-base changed after approval.

NicoFgrx
NicoFgrx approved these changes Jan 8, 2025
View reviewed changes
Copy link
Member

@NicoFgrx NicoFgrx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pandatix pandatix merged commit e391620 into main Jan 8, 2025
6 checks passed
@pandatix pandatix deleted the fix/lint branch January 8, 2025 07:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NicoFgrx NicoFgrx NicoFgrx approved these changes

Assignees
No one assigned
Labels
chall-manager Related to chall-manager go Pull requests that update Go code security When there are security related info
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pandatix @coveralls @NicoFgrx