From 319a76d8d167a177f6f5e9c4404aa45dc7b1667a Mon Sep 17 00:00:00 2001 From: akshya96 <87045294+akshya96@users.noreply.github.com> Date: Fri, 14 Jan 2022 15:35:27 -0800 Subject: [PATCH] Vault-3991 Code Scanning Alerts Changes (#13667) * code scanning alerts changes * adding changelog --- changelog/13667.txt | 3 +++ command/base_flags.go | 16 +++++++++++----- sdk/helper/certutil/helpers.go | 23 ++++++++++++----------- sdk/logical/translate_response.go | 4 ++-- vault/auth.go | 2 +- vault/barrier_aes_gcm.go | 8 ++++++-- vault/identity_store_oidc.go | 2 +- vault/mount.go | 2 +- 8 files changed, 37 insertions(+), 23 deletions(-) create mode 100644 changelog/13667.txt diff --git a/changelog/13667.txt b/changelog/13667.txt new file mode 100644 index 000000000..5c0c2b8d3 --- /dev/null +++ b/changelog/13667.txt @@ -0,0 +1,3 @@ +```release-note:improvement +core: Fixes code scanning alerts +``` \ No newline at end of file diff --git a/command/base_flags.go b/command/base_flags.go index fca0eed34..72a96fa25 100644 --- a/command/base_flags.go +++ b/command/base_flags.go @@ -4,6 +4,7 @@ import ( "errors" "flag" "fmt" + "math" "os" "sort" "strconv" @@ -246,9 +247,11 @@ func (i *intValue) Set(s string) error { if err != nil { return err } - - *i.target = int(v) - return nil + if v >= math.MinInt && v <= math.MaxInt { + *i.target = int(v) + return nil + } + return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for int32", v) } func (i *intValue) Get() interface{} { return int(*i.target) } @@ -374,9 +377,12 @@ func (i *uintValue) Set(s string) error { if err != nil { return err } + if v > 0 && v <= math.MaxUint { + *i.target = uint(v) + return nil + } - *i.target = uint(v) - return nil + return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for uint32", v) } func (i *uintValue) Get() interface{} { return uint(*i.target) } diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go index f7bd782a2..6b28110bf 100644 --- a/sdk/helper/certutil/helpers.go +++ b/sdk/helper/certutil/helpers.go @@ -36,9 +36,9 @@ import ( const rsaMinimumSecureKeySize = 2048 // Mapping of key types to default key lengths -var defaultAlgorithmKeyBits = map[string]int { +var defaultAlgorithmKeyBits = map[string]int{ "rsa": 2048, - "ec": 256, + "ec": 256, } // Mapping of NIST P-Curve's key length to expected signature bits. @@ -370,6 +370,9 @@ func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) { func ParsePublicKeyPEM(data []byte) (interface{}, error) { block, data := pem.Decode(data) if block != nil { + if len(bytes.TrimSpace(data)) > 0 { + return nil, errutil.UserError{Err: "unexpected trailing data after parsed PEM block"} + } var rawKey interface{} var err error if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil { @@ -380,17 +383,15 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) { } } - if rsaPublicKey, ok := rawKey.(*rsa.PublicKey); ok { - return rsaPublicKey, nil - } - if ecPublicKey, ok := rawKey.(*ecdsa.PublicKey); ok { - return ecPublicKey, nil - } - if edPublicKey, ok := rawKey.(ed25519.PublicKey); ok { - return edPublicKey, nil + switch key := rawKey.(type) { + case *rsa.PublicKey: + return key, nil + case *ecdsa.PublicKey: + return key, nil + case ed25519.PublicKey: + return key, nil } } - return nil, errors.New("data does not contain any valid public keys") } diff --git a/sdk/logical/translate_response.go b/sdk/logical/translate_response.go index 6f0ff342f..d8642187d 100644 --- a/sdk/logical/translate_response.go +++ b/sdk/logical/translate_response.go @@ -134,8 +134,8 @@ func (h HTTPSysInjector) MarshalJSON() ([]byte, error) { } // Marshaling a response will always be a JSON object, meaning it will // always start with '{', so we hijack this to prepend necessary values - // Make a guess at the capacity, and write the object opener - buf := bytes.NewBuffer(make([]byte, 0, len(j)*2)) + + var buf bytes.Buffer buf.WriteRune('{') for k, v := range h.Response.Data { // Marshal each key/value individually diff --git a/vault/auth.go b/vault/auth.go index bb1d950a2..ef10a3786 100644 --- a/vault/auth.go +++ b/vault/auth.go @@ -817,7 +817,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV } // Set up conf to pass in plugin_name - conf := make(map[string]string, len(entry.Options)+1) + conf := make(map[string]string) for k, v := range entry.Options { conf[k] = v } diff --git a/vault/barrier_aes_gcm.go b/vault/barrier_aes_gcm.go index c4023559b..7056d8fa3 100644 --- a/vault/barrier_aes_gcm.go +++ b/vault/barrier_aes_gcm.go @@ -10,6 +10,7 @@ import ( "errors" "fmt" "io" + "math" "strconv" "strings" "sync" @@ -959,10 +960,13 @@ func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) { func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) { // Allocate the output buffer with room for tern, version byte, // nonce, GCM tag and the plaintext - capacity := termSize + 1 + gcm.NonceSize() + gcm.Overhead() + len(plain) - if capacity < 0 { + + extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead() + if len(plain) > math.MaxInt-extra { return nil, ErrPlaintextTooLarge } + + capacity := len(plain) + extra size := termSize + 1 + gcm.NonceSize() out := make([]byte, size, capacity) diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go index 751fc84c5..6ff810c75 100644 --- a/vault/identity_store_oidc.go +++ b/vault/identity_store_oidc.go @@ -1700,7 +1700,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor return now, err } - usedKeys := make([]string, 0, 2*len(namedKeys)) + usedKeys := make([]string, 0) for _, k := range namedKeys { entry, err := s.Get(ctx, namedKeyConfigPath+k) diff --git a/vault/mount.go b/vault/mount.go index 4910660b3..ac2b501aa 100644 --- a/vault/mount.go +++ b/vault/mount.go @@ -1374,7 +1374,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView } // Set up conf to pass in plugin_name - conf := make(map[string]string, len(entry.Options)+1) + conf := make(map[string]string) for k, v := range entry.Options { conf[k] = v }