Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: Enable G404 rule for gosec #13095

Merged
merged 4 commits into from
May 2, 2023
Merged

chore: Enable G404 rule for gosec #13095

merged 4 commits into from
May 2, 2023

Conversation

zak-pawel
Copy link
Collaborator

PR:

  • Introduces github.com/chanxuehong/rand dependency which provides random number/bytes related functions - it has interface very similar to math/rand, except that it prefers to use crypto/rand to implement functions.
  • Enables gosec:G404 rule.
  • Fixes gosec G404: Use of weak random number generator (math/rand instead of crypto/rand) for production code.
  • Ignores mentioned findings for test code.

resolves: #12949

@telegraf-tiger telegraf-tiger bot added the chore label Apr 15, 2023
@zak-pawel zak-pawel requested review from powersj and srebhan April 15, 2023 18:13
@zak-pawel zak-pawel mentioned this pull request Apr 15, 2023
Closed
powersj
powersj reviewed Apr 18, 2023
View reviewed changes
Copy link
Contributor

@powersj powersj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

github.com/chanxuehong/rand

Why use this over using "crypto/rand" directly? I realize this is a small addition, but if we can do it without yet another dependency I would prefer that.

@zak-pawel
Copy link
Collaborator Author

github.com/chanxuehong/rand

Why use this over using "crypto/rand" directly? I realize this is a small addition, but if we can do it without yet another dependency I would prefer that.

@powersj
This is API of math/rand:
image

And this is API of crypto/rand:
image

This library provides almost the same API as math/rand but prefers to use crypto/rand.

Alternatively we can write our own wrapper...

@powersj
Copy link
Contributor

powersj commented Apr 18, 2023

I am aware of the larger API. My question is in order to justify the addition of a dependency that has not been updated in 2 years with what appears to be near zero usage can you report how many of those functions we would need to wrap instead?

@zak-pawel
Copy link
Collaborator Author

can you report how many of those functions we would need to wrap instead?

  • rand.Int31n
  • rand.Int63
  • rand.Int63n
  • rand.Intn
  • rand.Float64

@zak-pawel
Copy link
Collaborator Author

@powersj Alternatively, we can just copy these 4-5 files to our repo, review correctness of algorithms (eg. compare with current implementation of math/rand) and have it in Telegraf's codebase.

@powersj
Copy link
Contributor

powersj commented Apr 19, 2023

Thanks for looking into how many functions we actually use.

With only 5 functions I would prefer we have our own copys in internal and not add the external dependency please. I don't think we should wholesale copy that project, but instead just write replacements for those 5 functions.

Thanks again

@zak-pawel
Copy link
Collaborator Author

Thanks for looking into how many functions we actually use.

With only 5 functions I would prefer we have our own copys in internal and not add the external dependency please. I don't think we should wholesale copy that project, but instead just write replacements for those 5 functions.

@powersj
I'm starting to wonder if we really want to do this work to "fix" only these findings? Maybe it is not worth it...

internal/internal.go:128:13                            gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
internal/internal.go:146:13                            gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
plugins/inputs/example/example.go:106:13               gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
plugins/inputs/mock/mock.go:69:11                      gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
plugins/inputs/powerdns_recursor/protocol_v1.go:22:18  gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
plugins/inputs/powerdns_recursor/protocol_v2.go:20:18  gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
plugins/inputs/statsd/running_stats.go:84:11           gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
plugins/inputs/vsphere/endpoint.go:572:13              gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)

@powersj
Copy link
Contributor

powersj commented Apr 19, 2023 

internal/internal.go:128:13                            gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
internal/internal.go:146:13                            gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)

these two are for random sleep and random duration, probably not something that needs to be cryptographically secure, can ignore

plugins/inputs/example/example.go:106:13               gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)

example plugin, don't care about this other than maybe removing it from the example as a bad practice?

plugins/inputs/mock/mock.go:69:11                      gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)

used for generating random, non-critical data, can ignore

plugins/inputs/powerdns_recursor/protocol_v1.go:22:18  gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
plugins/inputs/powerdns_recursor/protocol_v2.go:20:18  gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)

used to set up socket file with random-ish name, can ignore

plugins/inputs/statsd/running_stats.go:84:11           gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)
plugins/inputs/vsphere/endpoint.go:572:13           gosec  G404: Use of weak random number generator (math/rand instead of crypto/rand)

both pick random index, can ignore

@zak-pawel
Copy link
Collaborator Author

@powersj Do you propose we should not enable this rule at all or we should enable it and ignore all tests occurences (in .golangci.yml) and explicitly ignore all existing occurences in non-test code?

@powersj
Copy link
Contributor

powersj commented Apr 20, 2023

I'd like to hear from @srebhan if he agrees with my assessment above first. However, I am leaning towards not enabling.

@zak-pawel
Copy link
Collaborator Author

@srebhan A penny for your thoughts :)

@srebhan
Copy link
Member

srebhan commented Apr 26, 2023

@srebhan A penny for your thoughts :)

@zak-pawel usually I'm paid in beer... ;-P

In my opinion we should enable G404 to make us aware about weak RNGs during review. Otherwise I would silence the following occurrences without any code change:

  • internal/internal.go:128 and internal/internal.go:146 as not security critical
  • plugins/inputs/mock/mock.go:69 as not security critical
  • plugins/inputs/statsd/running_stats.go:84 as not security critical
  • plugins/inputs/vsphere/endpoint.go:572 as not security critical

For the following occurrences I suggest modifying the code as follows:

  • plugins/inputs/example/example.go:106 change the example to not use random numbers
  • plugins/inputs/powerdns_recursor/protocol_v1.go:22 and plugins/inputs/powerdns_recursor/protocol_v2.go:20 replace the random-number with either a os.CreateTemp construct or a UUID or omit the laddr and get the LocalAddr of the socket (not sure if this works in that case).

Does that help?

@telegraf-tiger
Copy link
Contributor

Download PR build artifacts for linux_amd64.tar.gz, darwin_amd64.tar.gz, and windows_amd64.zip.
Downloads for additional architectures and packages are available below.

🥳 This pull request decreases the Telegraf binary size by -2.33 % for linux amd64 (new size: 168.8 MB, nightly size 172.8 MB)

📦 Click here to get additional PR build artifacts

Artifact URLs

DEB RPM TAR GZ ZIP
amd64.deb aarch64.rpm darwin_amd64.tar.gz windows_amd64.zip
arm64.deb armel.rpm darwin_arm64.tar.gz windows_arm64.zip
armel.deb armv6hl.rpm freebsd_amd64.tar.gz windows_i386.zip
armhf.deb i386.rpm freebsd_armv7.tar.gz
i386.deb ppc64le.rpm freebsd_i386.tar.gz
mips.deb riscv64.rpm linux_amd64.tar.gz
mipsel.deb s390x.rpm linux_arm64.tar.gz
ppc64el.deb x86_64.rpm linux_armel.tar.gz
riscv64.deb linux_armhf.tar.gz
s390x.deb linux_i386.tar.gz
linux_mips.tar.gz
linux_mipsel.tar.gz
linux_ppc64le.tar.gz
linux_riscv64.tar.gz
linux_s390x.tar.gz

@Hipska Hipska added the ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review. label May 2, 2023
srebhan
srebhan approved these changes May 2, 2023
View reviewed changes
Copy link
Member

@srebhan srebhan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice. Thanks @zak-pawel!

@srebhan srebhan assigned powersj and unassigned srebhan May 2, 2023
@powersj powersj merged commit 30b6036 into influxdata:master May 2, 2023
powersj pushed a commit that referenced this pull request May 22, 2023
@zak-pawel @powersj
chore: Enable G404 rule for gosec (#13095)
1af7b38 
(cherry picked from commit 30b6036)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Hipska Hipska Hipska approved these changes

@powersj powersj powersj approved these changes

@srebhan srebhan srebhan approved these changes

Assignees

@powersj powersj

Labels
chore linter ready for final review This pull request has been reviewed and/or tested by multiple users and is ready for a final review.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Linter: gosec, Rule: G404 - Insecure random number source (rand). Should we enable it?
4 participants
@zak-pawel @powersj @srebhan @Hipska