feat: workflow to verify security using GoSec (#747)

* feat: workflow to valid security using GoSec

* Update security.yml

* Fix gosec problems

These are all either false positives or os.Open operations done on
filenames supplied by the fasthttp user which we have to assume is safe.

* Just ignore some rules globally

* Fix more warnings

* No more warnings

Co-authored-by: Erik Dubbelboer <erik@dubbelboer.com>

.github/workflows/security.yml

@@ -0,0 +1,18 @@
+on: [push, pull_request]
+name: Security
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.13.x, 1.14.x]
+        platform: [ubuntu-latest]
+    runs-on: ${{ matrix.platform }}
+    steps:
+    - name: Install Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: ${{ matrix.go-version }}
+    - name: Checkout code
+      uses: actions/checkout@v2
+    - name: Security
+      run: go get github.com/securego/gosec/cmd/gosec; `go env GOPATH`/bin/gosec -exclude=G104,G304 ./...

bytesconv.go

@@ -330,6 +330,7 @@ func lowercaseBytes(b []byte) {
 // Note it may break if string and/or slice header will change
 // in the future go versions.
 func b2s(b []byte) string {
+	/* #nosec G103 */
 	return *(*string)(unsafe.Pointer(&b))
 }
 
@@ -338,7 +339,9 @@ func b2s(b []byte) string {
 // Note it may break if string and/or slice header will change
 // in the future go versions.
 func s2b(s string) (b []byte) {
+	/* #nosec G103 */
 	bh := (*reflect.SliceHeader)(unsafe.Pointer(&b))
+	/* #nosec G103 */
 	sh := *(*reflect.StringHeader)(unsafe.Pointer(&s))
 	bh.Data = sh.Data
 	bh.Len = sh.Len

client.go

@@ -1506,34 +1506,7 @@ func newClientTLSConfig(c *tls.Config, addr string) *tls.Config {
 	if c == nil {
 		c = &tls.Config{}
 	} else {
-		// TODO: substitute this with c.Clone() after go1.8 becomes mainstream :)
-		c = &tls.Config{
-			Rand:              c.Rand,
-			Time:              c.Time,
-			Certificates:      c.Certificates,
-			NameToCertificate: c.NameToCertificate,
-			GetCertificate:    c.GetCertificate,
-			RootCAs:           c.RootCAs,
-			NextProtos:        c.NextProtos,
-			ServerName:        c.ServerName,
-
-			// Do not copy ClientAuth, since it is server-related stuff
-			// Do not copy ClientCAs, since it is server-related stuff
-
-			InsecureSkipVerify: c.InsecureSkipVerify,
-			CipherSuites:       c.CipherSuites,
-
-			// Do not copy PreferServerCipherSuites - this is server stuff
-
-			SessionTicketsDisabled: c.SessionTicketsDisabled,
-
-			// Do not copy SessionTicketKey - this is server stuff
-
-			ClientSessionCache: c.ClientSessionCache,
-			MinVersion:         c.MinVersion,
-			MaxVersion:         c.MaxVersion,
-			CurvePreferences:   c.CurvePreferences,
-		}
+		c = c.Clone()
 	}
 
 	if c.ClientSessionCache == nil {

fasthttputil/inmemory_listener.go

@@ -84,8 +84,8 @@ func (ln *InmemoryListener) Dial() (net.Conn, error) {
 		// Wait until the connection has been accepted.
 		<-accepted
 	} else {
-		sConn.Close()
-		cConn.Close()
+		sConn.Close() //nolint:errcheck
+		cConn.Close() //nolint:errcheck
 		cConn = nil
 	}
 	ln.lock.Unlock()

prefork/prefork.go

@@ -122,6 +122,7 @@ func (p *Prefork) prefork(addr string) error {
 	}
 
 	for i := 0; i < runtime.GOMAXPROCS(0); i++ {
+		/* #nosec G204 */
 		cmd := exec.Command(os.Args[0], append(os.Args[1:], preforkChildFlag)...)
 		cmd.Stdout = os.Stdout
 		cmd.Stderr = os.Stderr