Gosec SAST scan results #418

Open
russsaidwords opened this issue Jan 7, 2022 · 1 comment

@russsaidwords

I am likely going to use websocketd to rewrite some projects. As part of the process, I pulled the code and ran it through the Gosec scanner. Below are the results.

Results:
[/go/src/lcf-gitlab-up.lle.rochester.edu/redwards/websocketd/libwebsocketd/http.go:13] - G504 (CWE-327): Blocklisted import net/http/cgi: Go versions < 1.6.3 are vulnerable to Httpoxy attack: (CVE-2016-5386) (Confidence: HIGH, Severity: MEDIUM)
12: "net/http"
13: "net/http/cgi"
14: "net/textproto"
[/go/src/lcf-gitlab-up.lle.rochester.edu/redwards/websocketd/libwebsocketd/websocket_endpoint.go:52] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
51: }
52: w.Close() // could need error handling
53:
[/go/src/lcf-gitlab-up.lle.rochester.edu/redwards/websocketd/libwebsocketd/process_endpoint.go:94] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
93: func (pe *ProcessEndpoint) Send(msg []byte) bool {
94: pe.process.stdin.Write(msg)
95: return true
[/go/src/lcf-gitlab-up.lle.rochester.edu/redwards/websocketd/libwebsocketd/process_endpoint.go:37] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
36: // for some processes this is enough to finish them...
37: pe.process.stdin.Close()
38:
[/go/src/lcf-gitlab-up.lle.rochester.edu/redwards/websocketd/libwebsocketd/process_endpoint.go:34] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
33: terminated := make(chan struct{})
34: go func() { pe.process.cmd.Wait(); terminated <- struct{}{} }()
35:
Summary:
Gosec : 2.9.5
Files : 15
Lines : 2063
Nosec : 0
Issues : 5

It's easy to disregard the G504 as we're not using Go < v1.6.3. The G104s are slightly harder to ignore. I didn't see a CONTRIBUTING.md file or a template for new issues, so I'm sorry if this doesn't fit how you want to receive information. My Go is slightly rusty or I would also be contributing a pull request. As it is, I'll have to read over the project a few times before I feel comfortable adding in appropriate error handling myself, so I was hoping someone more familiar could take a look, but if no one does I think I can eventually get around to it myself.

Thanks for your efforts here, this project and its contributors are much appreciated!

@asergeyev
Collaborator

Thanks for the report, I will get to it eventually or someone will PR before me; handling should not be too hard to add except in the last case, where the error needs to be logged/ignored.

(The leak of forked subprocesses might be possible there, but it happens as a last resort of waiting for the process to be killed; nothing else websocket can do at that state if the OS fails to do that and properly signal back.)
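The four G104 findings in the scan output are all the same shape: a `Write`, `Close` or `Wait` whose error is dropped. The block below is an added example, not websocketd's code, showing one way to handle each of them in a hypothetical `ProcessEndpoint` (the type name is borrowed from the scan output; `StartProcess`, `CloseStdin`, `Terminate`, the `waitCh` channel and the use of `cat` as the child are all assumptions). `Send` reports a failed or short write instead of returning `true` unconditionally, closing stdin tolerates a double close, and the `cmd.Wait` result is parked on a buffered channel so the termination path asergeyev describes (wait for a clean exit, then kill) can still return, log or deliberately ignore it.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"os"
	"os/exec"
	"time"
)

// ProcessEndpoint is a hypothetical stand-in for the struct gosec flagged;
// it is not websocketd's type, only a sketch of the same three operations.
type ProcessEndpoint struct {
	cmd    *exec.Cmd
	stdin  io.WriteCloser
	waitCh chan error // result of cmd.Wait, delivered exactly once
}

// StartProcess launches the child and starts the single goroutine that is
// allowed to call cmd.Wait. The Wait error is not dropped (the last G104):
// it is parked in a buffered channel so Terminate can report it.
func StartProcess(name string, args ...string) (*ProcessEndpoint, error) {
	cmd := exec.Command(name, args...)
	stdin, err := cmd.StdinPipe()
	if err != nil {
		return nil, fmt.Errorf("stdin pipe: %w", err)
	}
	if err := cmd.Start(); err != nil {
		return nil, fmt.Errorf("start %s: %w", name, err)
	}
	pe := &ProcessEndpoint{cmd: cmd, stdin: stdin, waitCh: make(chan error, 1)}
	go func() { pe.waitCh <- cmd.Wait() }()
	return pe, nil
}

// Send replaces the unconditional `return true`: a failed or short write
// (child gone, pipe closed) now reports false so the caller can stop
// feeding a dead process.
func (pe *ProcessEndpoint) Send(msg []byte) bool {
	n, err := pe.stdin.Write(msg)
	if err == nil && n != len(msg) {
		err = io.ErrShortWrite
	}
	if err != nil {
		log.Printf("send to child stdin failed: %v", err)
		return false
	}
	return true
}

// CloseStdin closes the pipe so a well-behaved child sees EOF and exits.
// A double close is harmless and ignored; anything else is returned.
func (pe *ProcessEndpoint) CloseStdin() error {
	if err := pe.stdin.Close(); err != nil && !errors.Is(err, os.ErrClosed) {
		return fmt.Errorf("close child stdin: %w", err)
	}
	return nil
}

// Terminate closes stdin, gives the child `grace` to exit on its own, then
// kills it. Whichever path is taken, the cmd.Wait result is always consumed,
// so the child is reaped and no zombie is left behind.
func (pe *ProcessEndpoint) Terminate(grace time.Duration) error {
	if err := pe.CloseStdin(); err != nil {
		log.Printf("%v", err)
	}
	select {
	case err := <-pe.waitCh:
		return err // exited on its own; nil or *exec.ExitError
	case <-time.After(grace):
	}
	// Kill may race with a child that just exited; os.ErrProcessDone is the
	// one error that is safe to ignore here (the wait below still completes).
	if err := pe.cmd.Process.Kill(); err != nil && !errors.Is(err, os.ErrProcessDone) {
		return fmt.Errorf("kill pid %d: %w", pe.cmd.Process.Pid, err)
	}
	return <-pe.waitCh
}

func main() {
	// Stand-alone demo against `cat`, which exits as soon as stdin hits EOF.
	pe, err := StartProcess("cat")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("send ok:", pe.Send([]byte("hello\n")))
	fmt.Println("terminate:", pe.Terminate(2*time.Second))
	fmt.Println("send after exit:", pe.Send([]byte("late\n")))
}
```

The one place where the error really is only logged or ignored is the `Kill` call: a child that exits in the window between the timeout and the signal produces `os.ErrProcessDone`, which is not a failure. Every other error is returned to the caller, and the `cmd.Wait` result is read on both the clean-exit and the kill path, which is what prevents the leaked subprocess the collaborator mentions.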
