Vault-3991 Code Scanning Alerts Changes (#13667)

* code scanning alerts changes

* adding changelog
This commit is contained in:
akshya96 2022-01-14 15:35:27 -08:00 committed by GitHub
parent 529e619bb5
commit 319a76d8d1
8 changed files with 37 additions and 23 deletions

3
changelog/13667.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
core: Fixes code scanning alerts
```


@ -4,6 +4,7 @@ import (
"errors" "errors"
"flag" "flag"
"fmt" "fmt"
"math"
"os" "os"
"sort" "sort"
"strconv" "strconv"
@ -246,9 +247,11 @@ func (i *intValue) Set(s string) error {
if err != nil { if err != nil {
return err return err
} }
if v >= math.MinInt && v <= math.MaxInt {
*i.target = int(v) *i.target = int(v)
return nil return nil
}
return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for int32", v)
} }
func (i *intValue) Get() interface{} { return int(*i.target) } func (i *intValue) Get() interface{} { return int(*i.target) }
@ -374,9 +377,12 @@ func (i *uintValue) Set(s string) error {
if err != nil { if err != nil {
return err return err
} }
if v > 0 && v <= math.MaxUint {
*i.target = uint(v) *i.target = uint(v)
return nil return nil
}
return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for uint32", v)
} }
func (i *uintValue) Get() interface{} { return uint(*i.target) } func (i *uintValue) Get() interface{} { return uint(*i.target) }
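Review bot: The new guard `if v > 0 && v <= math.MaxUint {` rejects zero, so a flag given the value `0` now returns the error instead of assigning `*i.target = 0`, a regression the scanning alert did not ask for. If `v` comes from `strconv.ParseUint` (the parse call sits above the hunk) it cannot be negative and the line should read `if v <= math.MaxUint {`; if it is signed, use `v >= 0` instead of `v > 0`. Both new error strings also say `int32`/`uint32` while the targets are `int`/`uint`, whose width is platform-dependent, so `fmt.Errorf("value %d is not within bounds for uint", v)` (and `int` in the intValue hunk above) is accurate and follows Go's lowercase error convention. Both `Set` methods begin above their hunks.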


@ -36,7 +36,7 @@ import (
const rsaMinimumSecureKeySize = 2048 const rsaMinimumSecureKeySize = 2048
// Mapping of key types to default key lengths // Mapping of key types to default key lengths
var defaultAlgorithmKeyBits = map[string]int { var defaultAlgorithmKeyBits = map[string]int{
"rsa": 2048, "rsa": 2048,
"ec": 256, "ec": 256,
} }
@ -370,6 +370,9 @@ func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) {
func ParsePublicKeyPEM(data []byte) (interface{}, error) { func ParsePublicKeyPEM(data []byte) (interface{}, error) {
block, data := pem.Decode(data) block, data := pem.Decode(data)
if block != nil { if block != nil {
if len(bytes.TrimSpace(data)) > 0 {
return nil, errutil.UserError{Err: "unexpected trailing data after parsed PEM block"}
}
var rawKey interface{} var rawKey interface{}
var err error var err error
if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil { if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
@ -380,17 +383,15 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) {
} }
} }
if rsaPublicKey, ok := rawKey.(*rsa.PublicKey); ok { switch key := rawKey.(type) {
return rsaPublicKey, nil case *rsa.PublicKey:
} return key, nil
if ecPublicKey, ok := rawKey.(*ecdsa.PublicKey); ok { case *ecdsa.PublicKey:
return ecPublicKey, nil return key, nil
} case ed25519.PublicKey:
if edPublicKey, ok := rawKey.(ed25519.PublicKey); ok { return key, nil
return edPublicKey, nil
} }
} }
return nil, errors.New("data does not contain any valid public keys") return nil, errors.New("data does not contain any valid public keys")
} }
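Review bot: The new check `if len(bytes.TrimSpace(data)) > 0 {` changes the contract of ParsePublicKeyPEM — input that previously parsed, such as a key followed by a second PEM block or any other text, now fails with a UserError — and the function's doc comment, which would sit above the hunk if there is one, does not say so. I would add above the signature: `// ParsePublicKeyPEM decodes a single PEM-encoded RSA, ECDSA or Ed25519 public key; any non-whitespace data after the first block is rejected.` The check is only correct because `block, data := pem.Decode(data)` reassigns `data` to the remainder, which is easy to miss on first read; a comment such as `// data now holds everything after the decoded block` on the line before the check would help. The check presumes `bytes` is already imported; the import block is outside the hunk.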


@ -134,8 +134,8 @@ func (h HTTPSysInjector) MarshalJSON() ([]byte, error) {
} }
// Marshaling a response will always be a JSON object, meaning it will // Marshaling a response will always be a JSON object, meaning it will
// always start with '{', so we hijack this to prepend necessary values // always start with '{', so we hijack this to prepend necessary values
// Make a guess at the capacity, and write the object opener
buf := bytes.NewBuffer(make([]byte, 0, len(j)*2)) var buf bytes.Buffer
buf.WriteRune('{') buf.WriteRune('{')
for k, v := range h.Response.Data { for k, v := range h.Response.Data {
// Marshal each key/value individually // Marshal each key/value individually


@ -817,7 +817,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
} }
// Set up conf to pass in plugin_name // Set up conf to pass in plugin_name
conf := make(map[string]string, len(entry.Options)+1) conf := make(map[string]string)
for k, v := range entry.Options { for k, v := range entry.Options {
conf[k] = v conf[k] = v
} }


@ -10,6 +10,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"io" "io"
"math"
"strconv" "strconv"
"strings" "strings"
"sync" "sync"
@ -959,10 +960,13 @@ func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) {
func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) { func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
// Allocate the output buffer with room for tern, version byte, // Allocate the output buffer with room for tern, version byte,
// nonce, GCM tag and the plaintext // nonce, GCM tag and the plaintext
capacity := termSize + 1 + gcm.NonceSize() + gcm.Overhead() + len(plain)
if capacity < 0 { extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead()
if len(plain) > math.MaxInt-extra {
return nil, ErrPlaintextTooLarge return nil, ErrPlaintextTooLarge
} }
capacity := len(plain) + extra
size := termSize + 1 + gcm.NonceSize() size := termSize + 1 + gcm.NonceSize()
out := make([]byte, size, capacity) out := make([]byte, size, capacity)
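Review bot: The new bound `if len(plain) > math.MaxInt-extra {` only keeps the capacity arithmetic from overflowing and is unreachable on 64-bit builds, while a `crypto/cipher` AES-GCM AEAD (which the type name suggests `gcm` is) panics inside `Seal` once the plaintext exceeds (2^32-2)*16 bytes, far below that bound. If ErrPlaintextTooLarge is meant to be the guard against oversized input rather than a panic, also compare against the AEAD's real limit, e.g. `if uint64(len(plain)) > ((1<<32)-2)*16 || len(plain) > math.MaxInt-extra {`, or document that the caller bounds the plaintext. The context comment above still reads `room for tern, version byte,`; `term` is meant. The function body continues below the hunk.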


@ -1700,7 +1700,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
return now, err return now, err
} }
usedKeys := make([]string, 0, 2*len(namedKeys)) usedKeys := make([]string, 0)
for _, k := range namedKeys { for _, k := range namedKeys {
entry, err := s.Get(ctx, namedKeyConfigPath+k) entry, err := s.Get(ctx, namedKeyConfigPath+k)


@ -1374,7 +1374,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
} }
// Set up conf to pass in plugin_name // Set up conf to pass in plugin_name
conf := make(map[string]string, len(entry.Options)+1) conf := make(map[string]string)
for k, v := range entry.Options { for k, v := range entry.Options {
conf[k] = v conf[k] = v
} }