Skip to content

Commit

Permalink
fix: address cosmos-gosec lint issues (#1153)
Browse files Browse the repository at this point in the history
* add cosmos go sec makefile command

* first wave fix

* wave 2

* wave 3

* wave 4

* goimports

* fix typo

* fix error build

* fix websocket

* fix proof

* fix flags

* format

* conflict 2

* fix arguments

* solve remaining

* ci test

* make generate
  • Loading branch information
lumtis authored Oct 2, 2023
1 parent 5bbd1da commit 7991fad
Show file tree
Hide file tree
Showing 77 changed files with 530 additions and 138 deletions.
7 changes: 4 additions & 3 deletions .github/workflows/sast-linters.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,9 +56,10 @@ jobs:
# uses: ./.github/actions/install-dependencies

- name: Run Cosmos Gosec Security Scanner
uses: cosmos/gosec@master
with:
args: './... -include=G701,G703,G704' # Disabled G702 as it doesn't seem to be relevant 2023-09-14
run: make lint-cosmos-gosec
# uses: cosmos/gosec@master
# with:
# args: '-include=G701,G703,G704 ./...' # Disabled G702 as it doesn't seem to be relevant 2023-09-14


git-guardian:
Expand Down
3 changes: 3 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -152,6 +152,9 @@ lint-pre:
lint: lint-pre
@golangci-lint run

lint-cosmos-gosec:
@bash ./scripts/cosmos-gosec.sh

proto:
@echo "--> Removing old Go types "
@find . -name '*.pb.go' -type f -delete
Expand Down
5 changes: 4 additions & 1 deletion app/ante/ante.go
Original file line number Diff line number Diff line change
Expand Up @@ -120,7 +120,10 @@ func NewAnteHandler(options ethante.HandlerOptions) (sdk.AnteHandler, error) {

func Recover(logger tmlog.Logger, err *error) {
if r := recover(); r != nil {
*err = errorsmod.Wrapf(errortypes.ErrPanic, "%v", r)
if err != nil {
// #nosec G703 err is checked non-nil above
*err = errorsmod.Wrapf(errortypes.ErrPanic, "%v", r)
}

if e, ok := r.(error); ok {
logger.Error(
Expand Down
15 changes: 12 additions & 3 deletions app/export.go
Original file line number Diff line number Diff line change
Expand Up @@ -111,14 +111,23 @@ func (app *App) prepForZeroHeightGenesis(ctx sdk.Context, jailAllowedAddrs []str
feePool.CommunityPool = feePool.CommunityPool.Add(scraps...)
app.DistrKeeper.SetFeePool(ctx, feePool)

_ = app.DistrKeeper.Hooks().AfterValidatorCreated(ctx, val.GetOperator())
err := app.DistrKeeper.Hooks().AfterValidatorCreated(ctx, val.GetOperator())
if err != nil {
panic(err)
}
return false
})

// reinitialize all delegations
for _, del := range dels {
_ = app.DistrKeeper.Hooks().BeforeDelegationCreated(ctx, del.GetDelegatorAddr(), del.GetValidatorAddr())
_ = app.DistrKeeper.Hooks().AfterDelegationModified(ctx, del.GetDelegatorAddr(), del.GetValidatorAddr())
err := app.DistrKeeper.Hooks().BeforeDelegationCreated(ctx, del.GetDelegatorAddr(), del.GetValidatorAddr())
if err != nil {
panic(err)
}
err = app.DistrKeeper.Hooks().AfterDelegationModified(ctx, del.GetDelegatorAddr(), del.GetValidatorAddr())
if err != nil {
panic(err)
}
}

// reset context height
Expand Down
5 changes: 4 additions & 1 deletion cmd/zetaclientd/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,10 @@ func init() {
}

func Initialize(_ *cobra.Command, _ []string) error {
setHomeDir()
err := setHomeDir()
if err != nil {
return err
}

//Create new config struct
configData := config.New()
Expand Down
6 changes: 5 additions & 1 deletion cmd/zetaclientd/p2p_diagnostics.go
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,11 @@ func RunDiagnostics(startLogger zerolog.Logger, peers p2p.AddrList, bridgePk cry

var wg sync.WaitGroup
for _, peerAddr := range peers {
peerinfo, _ := peer.AddrInfoFromP2pAddr(peerAddr)
peerinfo, err := peer.AddrInfoFromP2pAddr(peerAddr)
if err != nil {
startLogger.Error().Err(err).Msgf("fail to parse peer address %s", peerAddr)
continue
}
wg.Add(1)
go func() {
defer wg.Done()
Expand Down
6 changes: 4 additions & 2 deletions cmd/zetaclientd/root.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,8 @@ type rootArguments struct {
zetaCoreHome string
}

func setHomeDir() {
rootArgs.zetaCoreHome, _ = RootCmd.Flags().GetString(tmcli.HomeFlag)
func setHomeDir() error {
var err error
rootArgs.zetaCoreHome, err = RootCmd.Flags().GetString(tmcli.HomeFlag)
return err
}
13 changes: 11 additions & 2 deletions cmd/zetaclientd/start.go
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,13 @@ func init() {
}

func start(_ *cobra.Command, _ []string) error {
setHomeDir()
err := setHomeDir()
if err != nil {
return err
}

SetupConfigForTest()

//Load Config file given path
cfg, err := config.Load(rootArgs.zetaCoreHome)
if err != nil {
Expand Down Expand Up @@ -213,7 +218,11 @@ func start(_ *cobra.Command, _ []string) error {
return err
}

userDir, _ := os.UserHomeDir()
userDir, err := os.UserHomeDir()
if err != nil {
log.Error().Err(err).Msg("os.UserHomeDir")
return err
}
dbpath := filepath.Join(userDir, ".zetaclient/chainobserver")

// CreateChainClientMap : This creates a map of all chain clients . Each chain client is responsible for listening to events on the chain and processing them
Expand Down
36 changes: 28 additions & 8 deletions cmd/zetacore_utils/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,14 +34,23 @@ type TokenDistribution struct {
}

func main() {
file, _ := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "address-list.json"))
file, err := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "address-list.json"))
if err != nil {
panic(err)
}
addresses, err := readLines(file)
if err != nil {
panic(err)
}
addresses = removeDuplicates(addresses)
fileS, _ := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "successful_address.json"))
fileF, _ := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "failed_address.json"))
fileS, err := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "successful_address.json"))
if err != nil {
panic(err)
}
fileF, err := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "failed_address.json"))
if err != nil {
panic(err)
}

distributionList := make([]TokenDistribution, len(addresses))
for i, address := range addresses {
Expand Down Expand Up @@ -111,11 +120,22 @@ func main() {
failedDistributions = append(failedDistributions, distribution)
}
}
successFile, _ := json.MarshalIndent(successfullDistributions, "", " ")
_ = os.WriteFile(fileS, successFile, 0600)
failedFile, _ := json.MarshalIndent(failedDistributions, "", " ")
_ = os.WriteFile(fileF, failedFile, 0600)

successFile, err := json.MarshalIndent(successfullDistributions, "", " ")
if err != nil {
panic(err)
}
err = os.WriteFile(fileS, successFile, 0600)
if err != nil {
panic(err)
}
failedFile, err := json.MarshalIndent(failedDistributions, "", " ")
if err != nil {
panic(err)
}
err = os.WriteFile(fileF, failedFile, 0600)
if err != nil {
panic(err)
}
}

func readLines(path string) ([]string, error) {
Expand Down
10 changes: 8 additions & 2 deletions cmd/zetacored/collect_observer_info.go
Original file line number Diff line number Diff line change
Expand Up @@ -46,8 +46,14 @@ func CollectObserverInfoCmd() *cobra.Command {
}
observerInfoList = append(observerInfoList, observerInfo)
}
file, _ := json.MarshalIndent(observerInfoList, "", " ")
_ = os.WriteFile("observer_info.json", file, 0600)
file, err := json.MarshalIndent(observerInfoList, "", " ")
if err != nil {
return err
}
err = os.WriteFile("observer_info.json", file, 0600)
if err != nil {
return err
}
return nil
},
}
Expand Down
5 changes: 4 additions & 1 deletion cmd/zetacored/parsers.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,10 @@ type ObserverInfoReader struct {
}

func (o ObserverInfoReader) String() string {
s, _ := json.MarshalIndent(o, "", "\t")
s, err := json.MarshalIndent(o, "", "\t")
if err != nil {
return ""
}
return string(s)
}

Expand Down
10 changes: 10 additions & 0 deletions common/ethereum/proof.go
Original file line number Diff line number Diff line change
Expand Up @@ -103,7 +103,11 @@ func (m *Proof) Get(key []byte) ([]byte, error) {
// Typically, the rootHash is from a trusted source (e.g. a trusted block header),
// and the key is the index of the transaction in the block.
func (m *Proof) Verify(rootHash common.Hash, key int) ([]byte, error) {
if key < 0 {
return nil, errors.New("key not found")
}
var indexBuf []byte
// #nosec G701 range is valid
indexBuf = rlp.AppendUint64(indexBuf[:0], uint64(key))
return trie.VerifyProof(rootHash, indexBuf, m)
}
Expand All @@ -126,7 +130,11 @@ func encodeForDerive(list types.DerivableList, i int, buf *bytes.Buffer) []byte
}

func (t *Trie) GenerateProof(txIndex int) (*Proof, error) {
if txIndex < 0 {
return nil, errors.New("transaction index out of range")
}
var indexBuf []byte
// #nosec G701 checked as non-negative
indexBuf = rlp.AppendUint64(indexBuf[:0], uint64(txIndex))
proof := NewProof()
err := t.Prove(indexBuf, 0, proof)
Expand All @@ -150,6 +158,7 @@ func NewTrie(list types.DerivableList) Trie {
// order is correct.
var indexBuf []byte
for i := 1; i < list.Len() && i <= 0x7f; i++ {
// #nosec G701 iterator
indexBuf = rlp.AppendUint64(indexBuf[:0], uint64(i))
value := encodeForDerive(list, i, valueBuf)
hasher.Update(indexBuf, value)
Expand All @@ -160,6 +169,7 @@ func NewTrie(list types.DerivableList) Trie {
hasher.Update(indexBuf, value)
}
for i := 0x80; i < list.Len(); i++ {
// #nosec G701 iterator
indexBuf = rlp.AppendUint64(indexBuf[:0], uint64(i))
value := encodeForDerive(list, i, valueBuf)
hasher.Update(indexBuf, value)
Expand Down
5 changes: 3 additions & 2 deletions contrib/localnet/orchestrator/smoketest/test_deposit_eth.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,12 @@ package main
import (
"context"
"fmt"
"github.com/zeta-chain/zetacore/common/ethereum"
observertypes "github.com/zeta-chain/zetacore/x/observer/types"
"math/big"
"time"

"github.com/zeta-chain/zetacore/common/ethereum"
observertypes "github.com/zeta-chain/zetacore/x/observer/types"

"github.com/ethereum/go-ethereum/accounts/abi/bind"
ethcommon "github.com/ethereum/go-ethereum/common"
ethtypes "github.com/ethereum/go-ethereum/core/types"
Expand Down
5 changes: 3 additions & 2 deletions contrib/localnet/orchestrator/smoketest/utils.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,12 @@ import (
"encoding/hex"
"errors"
"fmt"
rpchttp "github.com/tendermint/tendermint/rpc/client/http"
coretypes "github.com/tendermint/tendermint/rpc/core/types"
"sync"
"time"

rpchttp "github.com/tendermint/tendermint/rpc/client/http"
coretypes "github.com/tendermint/tendermint/rpc/core/types"

"github.com/ethereum/go-ethereum"

"github.com/btcsuite/btcd/chaincfg"
Expand Down
17 changes: 11 additions & 6 deletions contrib/rpctest/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,10 +51,15 @@ func main() {
fmt.Printf("Start testing the zEVM ETH JSON-RPC for all txs...\n")
fmt.Printf("Test1: simple gas voter tx\n")

bn, err := strconv.Atoi(os.Args[1])
bn, err := strconv.ParseInt(os.Args[1], 10, 64)
if err != nil {
panic(err)
}
if bn < 0 {
panic("Block number must be non-negative")
}
// #nosec G701 check as positive
bnUint64 := uint64(bn)

if false {
// THIS WOULD NOT WORK: see https://github.com/zeta-chain/zeta-node/pull/445
Expand All @@ -64,7 +69,7 @@ func main() {
panic(err)
}

block, err := zevmClient.BlockByNumber(context.Background(), big.NewInt(int64(bn)))
block, err := zevmClient.BlockByNumber(context.Background(), big.NewInt(bn))
if err != nil {
panic(err)
}
Expand All @@ -76,7 +81,7 @@ func main() {
Endpoint: "http://localhost:8545",
HTTPClient: &http.Client{},
}
resp := client.EthGetBlockByNumber(uint64(bn), false)
resp := client.EthGetBlockByNumber(bnUint64, false)
var jsonObject map[string]interface{}
if resp.Error != nil {
fmt.Printf("Error: %s (code %d)\n", resp.Error.Message, resp.Error.Code)
Expand Down Expand Up @@ -118,7 +123,7 @@ func main() {
// HeaderByHash works; BlockByHash does not work;
// main offending RPC is the transaction type; we have custom type id 56
// which is not recognized by the go-ethereum client.
blockHeader, err := zevmClient.HeaderByNumber(context.Background(), big.NewInt(int64(bn)))
blockHeader, err := zevmClient.HeaderByNumber(context.Background(), big.NewInt(bn))
if err != nil {
panic(err)
}
Expand Down Expand Up @@ -209,9 +214,9 @@ func main() {
panic(err)
}
fmt.Printf("Gas price: %s\n", gas.String())
toBlock := uint64(bn)
toBlock := bnUint64
gasPriceIter, err := sys.FilterSetGasPrice(&bind.FilterOpts{
Start: uint64(bn),
Start: bnUint64,
End: &toBlock,
})
if err != nil {
Expand Down
6 changes: 6 additions & 0 deletions rpc/backend/account_info.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,6 +77,7 @@ func (b *Backend) GetProof(address common.Address, storageKeys []string, blockNr
return nil, fmt.Errorf("not able to query block number greater than MaxInt64")
}

// #nosec G701 range checked
height = int64(bn)
}

Expand Down Expand Up @@ -194,8 +195,13 @@ func (b *Backend) GetTransactionCount(address common.Address, blockNum rpctypes.
if err != nil {
return &n, err
}
if bn > math.MaxInt64 {
return nil, fmt.Errorf("not able to query block number greater than MaxInt64")
}
height := blockNum.Int64()
// #nosec G701 range checked
currentHeight := int64(bn)

if height > currentHeight {
return &n, errorsmod.Wrapf(
sdkerrors.ErrInvalidHeight,
Expand Down
Loading

0 comments on commit 7991fad

Please sign in to comment.