Vault-3991 Code Scanning Alerts Changes (#13667)
* code scanning alerts changes * adding changelog
This commit is contained in:
parent
529e619bb5
commit
319a76d8d1
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
core: Fixes code scanning alerts
|
||||||
|
```
|
|
@ -4,6 +4,7 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"flag"
|
"flag"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"math"
|
||||||
"os"
|
"os"
|
||||||
"sort"
|
"sort"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
@ -246,9 +247,11 @@ func (i *intValue) Set(s string) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
if v >= math.MinInt && v <= math.MaxInt {
|
||||||
*i.target = int(v)
|
*i.target = int(v)
|
||||||
return nil
|
return nil
|
||||||
|
}
|
||||||
|
return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for int32", v)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (i *intValue) Get() interface{} { return int(*i.target) }
|
func (i *intValue) Get() interface{} { return int(*i.target) }
|
||||||
|
@ -374,9 +377,12 @@ func (i *uintValue) Set(s string) error {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
if v > 0 && v <= math.MaxUint {
|
||||||
*i.target = uint(v)
|
*i.target = uint(v)
|
||||||
return nil
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for uint32", v)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (i *uintValue) Get() interface{} { return uint(*i.target) }
|
func (i *uintValue) Get() interface{} { return uint(*i.target) }
|
||||||
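Review bot: `if v > 0 && v <= math.MaxUint` in uintValue.Set rejects 0, so a uint flag explicitly set to 0 now fails with the bounds error; the lower bound should be `v >= 0`, or dropped entirely if v is unsigned, as the strconv parse above the hunk presumably makes it. Both new error messages are also misleading: the targets are `int` and `uint`, but the text says "int32" and "uint32", and Go error strings are conventionally lowercase, e.g. `return fmt.Errorf("value %d is not within bounds for uint", v)`. The same message problem applies to the intValue.Set hunk above. Each Set's parse call sits above its hunk, outside what is shown.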
|
|
|
@ -36,7 +36,7 @@ import (
|
||||||
const rsaMinimumSecureKeySize = 2048
|
const rsaMinimumSecureKeySize = 2048
|
||||||
|
|
||||||
// Mapping of key types to default key lengths
|
// Mapping of key types to default key lengths
|
||||||
var defaultAlgorithmKeyBits = map[string]int {
|
var defaultAlgorithmKeyBits = map[string]int{
|
||||||
"rsa": 2048,
|
"rsa": 2048,
|
||||||
"ec": 256,
|
"ec": 256,
|
||||||
}
|
}
|
||||||
|
@ -370,6 +370,9 @@ func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) {
|
||||||
func ParsePublicKeyPEM(data []byte) (interface{}, error) {
|
func ParsePublicKeyPEM(data []byte) (interface{}, error) {
|
||||||
block, data := pem.Decode(data)
|
block, data := pem.Decode(data)
|
||||||
if block != nil {
|
if block != nil {
|
||||||
|
if len(bytes.TrimSpace(data)) > 0 {
|
||||||
|
return nil, errutil.UserError{Err: "unexpected trailing data after parsed PEM block"}
|
||||||
|
}
|
||||||
var rawKey interface{}
|
var rawKey interface{}
|
||||||
var err error
|
var err error
|
||||||
if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
|
if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
|
||||||
|
@ -380,17 +383,15 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if rsaPublicKey, ok := rawKey.(*rsa.PublicKey); ok {
|
switch key := rawKey.(type) {
|
||||||
return rsaPublicKey, nil
|
case *rsa.PublicKey:
|
||||||
}
|
return key, nil
|
||||||
if ecPublicKey, ok := rawKey.(*ecdsa.PublicKey); ok {
|
case *ecdsa.PublicKey:
|
||||||
return ecPublicKey, nil
|
return key, nil
|
||||||
}
|
case ed25519.PublicKey:
|
||||||
if edPublicKey, ok := rawKey.(ed25519.PublicKey); ok {
|
return key, nil
|
||||||
return edPublicKey, nil
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil, errors.New("data does not contain any valid public keys")
|
return nil, errors.New("data does not contain any valid public keys")
|
||||||
}
|
}
|
||||||
|
|
||||||
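Review bot: The new trailing-data check in ParsePublicKeyPEM turns input that was previously accepted (a PEM block followed by anything non-whitespace, such as a second block) into a UserError, and nothing on the function documents that; a doc comment such as `// ParsePublicKeyPEM parses a single PEM-encoded RSA, ECDSA or Ed25519 public key; any non-whitespace data after the first PEM block is rejected.` would make the stricter contract visible to callers. Note that pem.Decode skips text before the first block, so leading junk is still accepted while trailing junk is not — worth stating if that asymmetry is intended. In the type switch the three cases have identical bodies and could collapse to `case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey:` followed by `return key, nil`, since the function returns interface{} anyway. The error path after ParsePKIXPublicKey lies between the two hunks, outside what is shown.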
|
|
|
@ -134,8 +134,8 @@ func (h HTTPSysInjector) MarshalJSON() ([]byte, error) {
|
||||||
}
|
}
|
||||||
// Marshaling a response will always be a JSON object, meaning it will
|
// Marshaling a response will always be a JSON object, meaning it will
|
||||||
// always start with '{', so we hijack this to prepend necessary values
|
// always start with '{', so we hijack this to prepend necessary values
|
||||||
// Make a guess at the capacity, and write the object opener
|
|
||||||
buf := bytes.NewBuffer(make([]byte, 0, len(j)*2))
|
var buf bytes.Buffer
|
||||||
buf.WriteRune('{')
|
buf.WriteRune('{')
|
||||||
for k, v := range h.Response.Data {
|
for k, v := range h.Response.Data {
|
||||||
// Marshal each key/value individually
|
// Marshal each key/value individually
|
||||||
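Review bot: Replacing the pre-sized buffer with `var buf bytes.Buffer` drops the capacity hint entirely, while the alert was presumably about the `len(j)*2` multiplication rather than pre-sizing itself; `buf.Grow(len(j))` right after the declaration keeps an overflow-free reservation, assuming j is the payload the output is built from. The comment `// Make a guess at the capacity, and write the object opener` was deleted together with the guess and should come back if Grow is reinstated. `buf` is now a value rather than a `*bytes.Buffer`, so any later use in MarshalJSON that expects a pointer must take `&buf`; the rest of the method is outside the hunk.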
|
|
|
@ -817,7 +817,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set up conf to pass in plugin_name
|
// Set up conf to pass in plugin_name
|
||||||
conf := make(map[string]string, len(entry.Options)+1)
|
conf := make(map[string]string)
|
||||||
for k, v := range entry.Options {
|
for k, v := range entry.Options {
|
||||||
conf[k] = v
|
conf[k] = v
|
||||||
}
|
}
|
||||||
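Review bot: `conf := make(map[string]string)` discards the size hint; the alert was likely about the `+1` arithmetic, and `make(map[string]string, len(entry.Options))` keeps the pre-sizing without it. The same applies to the identical hunk in newLogicalBackend and to `usedKeys := make([]string, 0)` in expireOIDCPublicKeys, where `make([]string, 0, len(namedKeys))` keeps a bound without the `2*` multiplication. None of these change behavior, so this is a style point; each enclosing function extends beyond its hunk.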
|
|
|
@ -10,6 +10,7 @@ import (
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
"math"
|
||||||
"strconv"
|
"strconv"
|
||||||
"strings"
|
"strings"
|
||||||
"sync"
|
"sync"
|
||||||
|
@ -959,10 +960,13 @@ func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) {
|
||||||
func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
|
func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
|
||||||
// Allocate the output buffer with room for tern, version byte,
|
// Allocate the output buffer with room for tern, version byte,
|
||||||
// nonce, GCM tag and the plaintext
|
// nonce, GCM tag and the plaintext
|
||||||
capacity := termSize + 1 + gcm.NonceSize() + gcm.Overhead() + len(plain)
|
|
||||||
if capacity < 0 {
|
extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead()
|
||||||
|
if len(plain) > math.MaxInt-extra {
|
||||||
return nil, ErrPlaintextTooLarge
|
return nil, ErrPlaintextTooLarge
|
||||||
}
|
}
|
||||||
|
|
||||||
|
capacity := len(plain) + extra
|
||||||
size := termSize + 1 + gcm.NonceSize()
|
size := termSize + 1 + gcm.NonceSize()
|
||||||
out := make([]byte, size, capacity)
|
out := make([]byte, size, capacity)
|
||||||
|
|
||||||
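Review bot: The new guard `if len(plain) > math.MaxInt-extra` only prevents the capacity sum from overflowing int; AES-GCM's own plaintext limit ((2^32-2) blocks, about 64 GiB) is far smaller, and crypto/cipher's Seal panics rather than returning an error when it is exceeded, so ErrPlaintextTooLarge is still not returned for the sizes that actually break the cipher. If the barrier can ever see plaintext that large, consider also checking `len(plain) > ((1<<32)-2)*aes.BlockSize`; otherwise a comment stating that the check is about int overflow, not the cipher limit, would stop readers from assuming the latter. `size := termSize + 1 + gcm.NonceSize()` recomputes most of `extra` and could read `size := extra - gcm.Overhead()`, and the context comment still says "room for tern" where "term" is meant. The rest of encrypt is outside the hunk.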
|
|
|
@ -1700,7 +1700,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
|
||||||
return now, err
|
return now, err
|
||||||
}
|
}
|
||||||
|
|
||||||
usedKeys := make([]string, 0, 2*len(namedKeys))
|
usedKeys := make([]string, 0)
|
||||||
|
|
||||||
for _, k := range namedKeys {
|
for _, k := range namedKeys {
|
||||||
entry, err := s.Get(ctx, namedKeyConfigPath+k)
|
entry, err := s.Get(ctx, namedKeyConfigPath+k)
|
||||||
|
|
|
@ -1374,7 +1374,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set up conf to pass in plugin_name
|
// Set up conf to pass in plugin_name
|
||||||
conf := make(map[string]string, len(entry.Options)+1)
|
conf := make(map[string]string)
|
||||||
for k, v := range entry.Options {
|
for k, v := range entry.Options {
|
||||||
conf[k] = v
|
conf[k] = v
|
||||||
}
|
}
|
||||||
|
|