From 7f24c5a83553123607e6b319ee42ea578c4e3c0f Mon Sep 17 00:00:00 2001
From: Lucas Bertrand
Date: Tue, 13 Feb 2024 18:24:36 +0100
Subject: [PATCH] fix: gosec error for randomness library (#1753)

* fix: gosec error for randomness library

* use crypto/rand

* add changelog entry

---------

Co-authored-by: Charlie Chen
---
 changelog.md | 1 +
 x/emissions/client/tests/suite.go | 48 +++++++++++++++++++------------
 2 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/changelog.md b/changelog.md
index 1ad986c8b5..e52668fc8b 100644
--- a/changelog.md
+++ b/changelog.md
@@ -28,6 +28,7 @@
 
 ### Tests
 
 * [1584](https://github.com/zeta-chain/node/pull/1584) - allow to run E2E tests on any networks
+* [1753](https://github.com/zeta-chain/node/pull/1753) - fix gosec errors on usage of rand package
 
 ### CI
 
diff --git a/x/emissions/client/tests/suite.go b/x/emissions/client/tests/suite.go
index 2baea8a338..c13294ddf7 100644
--- a/x/emissions/client/tests/suite.go
+++ b/x/emissions/client/tests/suite.go
@@ -1,8 +1,10 @@
 package querytests
 
 import (
-	"math/rand"
+	"crypto/rand"
+	"math/big"
 	"strconv"
+	"testing"
 
 	sdk "github.com/cosmos/cosmos-sdk/types"
 	ethcfg "github.com/evmos/ethermint/cmd/config"
@@ -52,7 +54,7 @@ func (s *CliTestSuite) SetupSuite() {
 		"zeta1e9fyaulgntkrnqnl0es4nyxghp3petpn2ntu3t",
 	}
 	network.SetupZetaGenesisState(s.T(), s.cfg.GenesisState, s.cfg.Codec, observerList, false)
-	s.ballots = RandomBallotGenerator(20, observerList)
+	s.ballots = RandomBallotGenerator(s.T(), 20, observerList)
 	network.AddObserverData(s.T(), 2, s.cfg.GenesisState, s.cfg.Codec, s.ballots)
 
 	net, err := network.New(s.T(), app.NodeDir, s.cfg)
@@ -63,32 +65,42 @@ func (s *CliTestSuite) SetupSuite() {
 }
 
-func CreateRandomVoteList(numberOfVotes int) []observerTypes.VoteType {
+func CreateRandomVoteList(t *testing.T, numberOfVotes int) []observerTypes.VoteType {
 	voteOptions := []observerTypes.VoteType{observerTypes.VoteType_SuccessObservation, observerTypes.VoteType_FailureObservation, observerTypes.VoteType_NotYetVoted}
-	min := 0
-	max := len(voteOptions) - 1
+	minVoterOptions := 0
+	maxBoterOptions := len(voteOptions) - 1
+
+	randomVoteOptions, err := rand.Int(rand.Reader, big.NewInt(int64(maxBoterOptions-minVoterOptions)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	voteList := make([]observerTypes.VoteType, numberOfVotes)
 	for i := 0; i < numberOfVotes; i++ {
-		voteList[i] = voteOptions[rand.Intn(max-min)+min] // #nosec G404
+		voteList[i] = voteOptions[randomVoteOptions.Int64()]
 	}
 	return voteList
 }
 
-func RandomBallotGenerator(numberOfBallots int, voterList []string) []*observerTypes.Ballot {
+func RandomBallotGenerator(t *testing.T, numberOfBallots int, voterList []string) []*observerTypes.Ballot {
 	ballots := make([]*observerTypes.Ballot, numberOfBallots)
 	ballotStatus := []observerTypes.BallotStatus{observerTypes.BallotStatus_BallotFinalized_FailureObservation, observerTypes.BallotStatus_BallotFinalized_SuccessObservation}
-	min := 0
-	max := len(ballotStatus) - 1
-	// #nosec G404 randomness is not a security issue here
+	minBallotStatus := 0
+	maxBallotStatus := len(ballotStatus) - 1
+
+	randomBallotStatus, err := rand.Int(rand.Reader, big.NewInt(int64(maxBallotStatus-minBallotStatus)))
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	for i := 0; i < numberOfBallots; i++ {
 		ballots[i] = &observerTypes.Ballot{
-			Index: "",
-			BallotIdentifier: "TestBallot" + strconv.Itoa(i),
-			VoterList: voterList,
-			Votes: CreateRandomVoteList(len(voterList)),
-			ObservationType: observerTypes.ObservationType_InBoundTx,
-			BallotThreshold: sdk.MustNewDecFromStr("0.66"),
-			// #nosec G404 randomness used for testing
-			BallotStatus: ballotStatus[rand.Intn(max-min)+min],
+			Index: "",
+			BallotIdentifier: "TestBallot" + strconv.Itoa(i),
+			VoterList: voterList,
+			Votes: CreateRandomVoteList(t, len(voterList)),
+			ObservationType: observerTypes.ObservationType_InBoundTx,
+			BallotThreshold: sdk.MustNewDecFromStr("0.66"),
+			BallotStatus: ballotStatus[randomBallotStatus.Int64()],
 			BallotCreationHeight: 0,
 		}
 	}
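Review bot: `randomVoteOptions` is drawn once before the loop in CreateRandomVoteList, so every entry of `voteList` gets the same vote type, and `randomBallotStatus` likewise fixes one status for every ballot in RandomBallotGenerator — the helpers no longer produce the per-element variation their names promise, so the suite exercises a narrower set of ballot shapes than before. The bound also keeps the old off-by-one: `rand.Int` returns a value in `[0, max)` and `max` is `len(...)-1`, so `VoteType_NotYetVoted` can never be selected, and with two statuses `big.NewInt(1)` always yields 0, making every ballot `BallotFinalized_FailureObservation`. Drawing inside the loop with `big.NewInt(int64(len(voteOptions)))` and `big.NewInt(int64(len(ballotStatus)))` fixes both and makes the `minVoterOptions`/`maxBoterOptions` (note the typo) and `minBallotStatus`/`maxBallotStatus` variables unnecessary; `t.Helper()` at the top of each helper would attribute a `t.Fatal` to the caller. RandomBallotGenerator continues past the end of the hunk.

```go
func CreateRandomVoteList(t *testing.T, numberOfVotes int) []observerTypes.VoteType {
	t.Helper()
	// … unchanged: voteOptions, voteList …
	for i := 0; i < numberOfVotes; i++ {
		// Fresh draw per element; the bound is exclusive, so len() covers every option.
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(voteOptions))))
		if err != nil {
			t.Fatal(err)
		}
		voteList[i] = voteOptions[idx.Int64()]
	}
	return voteList
}

func RandomBallotGenerator(t *testing.T, numberOfBallots int, voterList []string) []*observerTypes.Ballot {
	t.Helper()
	// … unchanged: ballots, ballotStatus …
	for i := 0; i < numberOfBallots; i++ {
		status, err := rand.Int(rand.Reader, big.NewInt(int64(len(ballotStatus))))
		if err != nil {
			t.Fatal(err)
		}
		ballots[i] = &observerTypes.Ballot{
			// … unchanged: Index … BallotThreshold …
			BallotStatus:         ballotStatus[status.Int64()],
			BallotCreationHeight: 0,
		}
	}
```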