From 9261d7e4df8ccc1ccec69d46caf23620773c9ee5 Mon Sep 17 00:00:00 2001
From: Alexander Weaver
Date: Tue, 21 Jan 2025 16:04:24 -0600
Subject: [PATCH] chore: Enable gosec G103 (#10474)
* Make YoloBuf non exported and suppress
* mimirpb, advance to newer go utilities and suppress
* Update to newer go constructs and suppress in s-g indexheader
* modernize, avoid deprecated, suppress
* enable rule
---
.golangci.yml | 1 +
pkg/mimirpb/timeseries.go | 4 ++--
pkg/storegateway/indexcache/cache.go | 13 ++-----------
pkg/storegateway/indexheader/index/symbols.go | 2 +-
pkg/util/shard.go | 9 +++++++--
pkg/util/shard_test.go | 7 +++++++
pkg/util/yolo.go | 12 ------------
pkg/util/yolo_test.go | 18 ------------------
8 files changed, 20 insertions(+), 46 deletions(-)
delete mode 100644 pkg/util/yolo.go
delete mode 100644 pkg/util/yolo_test.go
diff --git a/.golangci.yml b/.golangci.yml
index 9d617567f19..8a29db9f163 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -65,6 +65,7 @@ linters-settings:
 gosec:
 includes:
+ - G103
 - G104
 - G108
 - G109
diff --git a/pkg/mimirpb/timeseries.go b/pkg/mimirpb/timeseries.go
index 3726621775e..8a5a32b48d0 100644
--- a/pkg/mimirpb/timeseries.go
+++ b/pkg/mimirpb/timeseries.go
@@ -416,7 +416,7 @@ func (bs *LabelAdapter) Unmarshal(dAtA []byte) error {
 }
 func yoloString(buf []byte) string {
- return *((*string)(unsafe.Pointer(&buf)))
+ return unsafe.String(unsafe.SliceData(buf), len(buf)) // nolint:gosec
 }
 // Size implements proto.Sizer.
@@ -673,7 +673,7 @@ func copyToYoloLabels(buf []byte, dst, src []LabelAdapter) ([]LabelAdapter, []by
 // It requires that the buffer has a capacity which is greater than or equal to the length of the source string.
 func copyToYoloString(buf []byte, src string) (string, []byte) {
 buf = buf[:len(src)]
- copy(buf, *((*[]byte)(unsafe.Pointer(&src))))
+ copy(buf, unsafe.Slice(unsafe.StringData(src), len(src))) // nolint:gosec
 return yoloString(buf), buf[len(buf):]
 }
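Review bot: The `// nolint:gosec` added to `yoloString` silences every gosec rule on that line without recording why, and the function still has no doc comment stating the aliasing contract that makes the conversion acceptable. The returned string shares memory with `buf`, so a later write to `buf` changes a value the rest of the program treats as immutable. I would add `// yoloString returns a string that aliases buf without copying; buf must not be modified or reused while the string is live.` above the function and put the rule and reason on the directive, e.g. `//nolint:gosec // G103: zero-copy conversion, see doc comment`. The same missing reason applies to the other suppressions this commit adds in `cache.go`, `symbols.go` and `shard.go`, and the same missing doc comment to `yoloString` in `symbols.go`.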
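Review bot: The `unsafe.Slice(unsafe.StringData(src), len(src))` conversion in `copyToYoloString` is unnecessary, because the built-in `copy` accepts a string source when the destination is a `[]byte`. Writing the line as `copy(buf, src)` copies the same bytes without allocating, removes one use of `unsafe` from the package and makes the `// nolint:gosec` on that line redundant. The only remaining unsafe step in the function would then be the `yoloString(buf)` call on the following line.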
diff --git a/pkg/storegateway/indexcache/cache.go b/pkg/storegateway/indexcache/cache.go
index b52a9339ab0..5accc51a1b5 100644
--- a/pkg/storegateway/indexcache/cache.go
+++ b/pkg/storegateway/indexcache/cache.go
@@ -8,7 +8,6 @@ package indexcache
 import (
 "context"
 "encoding/base64"
- "reflect"
 "sort"
 "strings"
 "time"
@@ -157,16 +156,8 @@ const bytesPerPosting = int(unsafe.Sizeof(storage.SeriesRef(0)))
 // unsafeCastPostingsToBytes returns the postings as a slice of bytes with minimal allocations.
 // It casts the memory region of the underlying array to a slice of bytes. The resulting byte slice is only valid as long as the postings slice exists and is unmodified.
 func unsafeCastPostingsToBytes(postings []storage.SeriesRef) []byte {
- byteSlice := make([]byte, 0)
- // Ignore deprecation warning for now
- //nolint:staticcheck
- slicePtr := (*reflect.SliceHeader)(unsafe.Pointer(&byteSlice))
- // Ignore deprecation warning for now
- //nolint:staticcheck
- slicePtr.Data = (*reflect.SliceHeader)(unsafe.Pointer(&postings)).Data
- slicePtr.Len = len(postings) * bytesPerPosting
- slicePtr.Cap = slicePtr.Len
- return byteSlice
+ underlying := unsafe.Pointer(unsafe.SliceData(postings)) //nolint:gosec
+ return unsafe.Slice((*byte)(underlying), len(postings)*bytesPerPosting) //nolint:gosec
 }
 // LabelMatchersKey represents a canonical key for a []*matchers.Matchers slice
diff --git a/pkg/storegateway/indexheader/index/symbols.go b/pkg/storegateway/indexheader/index/symbols.go
index b98f3434577..649e2a43c33 100644
--- a/pkg/storegateway/indexheader/index/symbols.go
+++ b/pkg/storegateway/indexheader/index/symbols.go
@@ -351,5 +351,5 @@ func (r *SymbolsTableReaderV2) Read(o uint32) (string, error) {
 }
 func yoloString(b []byte) string {
- return *((*string)(unsafe.Pointer(&b)))
+ return unsafe.String(unsafe.SliceData(b), len(b)) // nolint:gosec
 }
diff --git a/pkg/util/shard.go b/pkg/util/shard.go
index 522a4d0f897..a156af0faa1 100644
--- a/pkg/util/shard.go
+++ b/pkg/util/shard.go
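Review bot: The doc comment on `unsafeCastPostingsToBytes` covers the lifetime of the result but not two properties of the rewritten body that a caller needs to know. The returned bytes are writable and alias `postings`, so a write through them changes the postings, and they are the host's in-memory layout of `storage.SeriesRef`, so their byte order depends on the machine. Whether any caller stores or transmits these bytes is not visible in this hunk. I would extend the comment with `// The returned bytes alias postings in host byte order and must be treated as read-only.`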
@@ -9,6 +9,7 @@ import (
 "crypto/md5"
 "encoding/binary"
 "math"
+ "unsafe"
 )
 const (
@@ -25,10 +26,10 @@ var (
 func ShuffleShardSeed(identifier, zone string) int64 {
 // Use the identifier to compute an hash we'll use to seed the random.
 hasher := md5.New() //nolint:gosec
- hasher.Write(YoloBuf(identifier)) // nolint:errcheck
+ hasher.Write(yoloBuf(identifier)) // nolint:errcheck
 if zone != "" {
 hasher.Write(seedSeparator) // nolint:errcheck
- hasher.Write(YoloBuf(zone)) // nolint:errcheck
+ hasher.Write(yoloBuf(zone)) // nolint:errcheck
 }
 checksum := hasher.Sum(nil)
@@ -48,3 +49,7 @@ func ShuffleShardExpectedInstancesPerZone(shardSize, numZones int) int {
 func ShuffleShardExpectedInstances(shardSize, numZones int) int {
 return ShuffleShardExpectedInstancesPerZone(shardSize, numZones) * numZones
 }
+
+func yoloBuf(s string) []byte {
+ return unsafe.Slice(unsafe.StringData(s), len(s)) // nolint:gosec
+}
diff --git a/pkg/util/shard_test.go b/pkg/util/shard_test.go
index 240d5c904c1..b49ba40d68c 100644
--- a/pkg/util/shard_test.go
+++ b/pkg/util/shard_test.go
@@ -9,6 +9,7 @@ import (
 "testing"
 "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
 )
 func TestShuffleShardExpectedInstancesPerZone(t *testing.T) {
@@ -86,3 +87,9 @@ func TestShuffleShardExpectedInstances(t *testing.T) {
 assert.Equal(t, test.expected, ShuffleShardExpectedInstances(test.shardSize, test.numZones))
 }
 }
+
+func TestYoloBuf(t *testing.T) {
+ s := yoloBuf("hello world")
+
+ require.Equal(t, []byte("hello world"), s)
+}
diff --git a/pkg/util/yolo.go b/pkg/util/yolo.go
deleted file mode 100644
index 0809eebfb76..00000000000
--- a/pkg/util/yolo.go
+++ /dev/null
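Review bot: The new `yoloBuf` returns a writable `[]byte` over string memory and has no comment saying the result is read-only. The `unsafe` package documentation states that the bytes returned by `unsafe.StringData` must not be modified, so a write through this slice is outside what the language guarantees. Both call sites in `ShuffleShardSeed` only pass the slice to `hasher.Write`, which reads it, but nothing in the helper tells a later caller that. I would add `// yoloBuf returns the bytes of s without copying. The result aliases immutable string memory and must only be read.` above the function.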
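Review bot: `TestYoloBuf` pins only a non-empty input, while the edge specific to the unsafe conversion is the empty string, for which `unsafe.StringData` may return an unspecified or nil pointer. That input is reachable, since `ShuffleShardSeed` calls `yoloBuf(identifier)` without the emptiness check it applies to `zone`. Adding `require.Empty(t, yoloBuf(""))` to the test would pin that case.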
@@ -1,12 +0,0 @@
-// SPDX-License-Identifier: AGPL-3.0-only
-// Provenance-includes-location: https://github.com/cortexproject/cortex/blob/master/pkg/util/yolo.go
-// Provenance-includes-license: Apache-2.0
-// Provenance-includes-copyright: The Cortex Authors.
-
-package util
-
-import "unsafe"
-
-func YoloBuf(s string) []byte {
- return unsafe.Slice(unsafe.StringData(s), len(s))
-}
diff --git a/pkg/util/yolo_test.go b/pkg/util/yolo_test.go
deleted file mode 100644
index e156679dee5..00000000000
--- a/pkg/util/yolo_test.go
+++ /dev/null
@@ -1,18 +0,0 @@
-// SPDX-License-Identifier: AGPL-3.0-only
-// Provenance-includes-location: https://github.com/cortexproject/cortex/blob/master/pkg/util/yolo_test.go
-// Provenance-includes-license: Apache-2.0
-// Provenance-includes-copyright: The Cortex Authors.
-
-package util
-
-import (
- "testing"
-
- "github.com/stretchr/testify/require"
-)
-
-func TestYoloBuf(t *testing.T) {
- s := YoloBuf("hello world")
-
- require.Equal(t, []byte("hello world"), s)
-}