From 695f713fcf594b33fd8c126cfa8dc9f119d4391b Mon Sep 17 00:00:00 2001
From: "RENAN.BASTOS"
Date: Fri, 28 Feb 2020 17:03:48 -0300
Subject: [PATCH] feat: workflow to verify security using GoSec (#747)
* feat: workflow to valid security using GoSec
* Update security.yml
* Fix gosec problems These are all either false positives or os.Open operations done on filenames supplied by the fasthttp user which we have to assume is safe.
* Just ignore some rules globally
* Fix more warnings
* No more warnings
Co-authored-by: Erik Dubbelboer
---
.github/workflows/security.yml | 18 ++++++++++++++++++
bytesconv.go | 3 +++
client.go | 29 +----------------------------
fasthttputil/inmemory_listener.go | 4 ++--
prefork/prefork.go | 1 +
5 files changed, 25 insertions(+), 30 deletions(-)
create mode 100644 .github/workflows/security.yml
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000000..4a485e07fe
--- /dev/null
+++ b/.github/workflows/security.yml
@@ -0,0 +1,18 @@
+on: [push, pull_request]
+name: Security
+jobs:
+ test:
+ strategy:
+ matrix:
+ go-version: [1.13.x, 1.14.x]
+ platform: [ubuntu-latest]
+ runs-on: ${{ matrix.platform }}
+ steps:
+ - name: Install Go
+ uses: actions/setup-go@v1
+ with:
+ go-version: ${{ matrix.go-version }}
+ - name: Checkout code
+ uses: actions/checkout@v2
+ - name: Security
+ run: go get github.com/securego/gosec/cmd/gosec; `go env GOPATH`/bin/gosec -exclude=G104,G304 ./...
diff --git a/bytesconv.go b/bytesconv.go
index e8fbabbb43..a3b82e221d 100644
--- a/bytesconv.go
+++ b/bytesconv.go
@@ -330,6 +330,7 @@ func lowercaseBytes(b []byte) {
 // Note it may break if string and/or slice header will change
 // in the future go versions.
 func b2s(b []byte) string {
+ /* #nosec G103 */
 return *(*string)(unsafe.Pointer(&b))
 }
 
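Review bot: The `run:` step installs gosec from the module's current tip with an unpinned `go get`, and both actions are referenced by floating major tags, so the security gate itself runs whatever code is current on the day of the build and its results are not reproducible. Pin the scanner (`go get github.com/securego/gosec/cmd/gosec@<pinned-version>`) and reference the actions by commit SHA; with Go 1.13/1.14, `go get` run inside the module also records gosec in the checked-out go.mod, so installing it from outside the module directory avoids that side effect. Excluding G104 and G304 with `-exclude` silences every future finding of those rules in new code, while the reasoning for accepting them is only in the commit message; a comment above the step such as `# G104 (unhandled errors) and G304 (file paths from user input) are excluded: accepted for user-supplied file names, see #747` keeps it with the configuration, and new occurrences are better handled with per-site `#nosec` as the rest of this change does.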
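Review bot: The added `/* #nosec G103 */` lines silence the unsafe-pointer warning without recording why the conversion is accepted, both here in b2s and in the following s2b hunk; once gosec is quiet, the directive is the only place a maintainer will see the invariant. Put the justification in the directive, e.g. `/* #nosec G103 -- zero-copy view: b must not be modified while the returned string is in use */` in b2s and `/* #nosec G103 -- aliases the string's read-only backing memory; the returned slice must never be written to */` in s2b. s2b's body continues outside its hunk (only Data and Len are assigned in view).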
@@ -338,7 +339,9 @@ func b2s(b []byte) string {
 // Note it may break if string and/or slice header will change
 // in the future go versions.
 func s2b(s string) (b []byte) {
+ /* #nosec G103 */
 bh := (*reflect.SliceHeader)(unsafe.Pointer(&b))
+ /* #nosec G103 */
 sh := *(*reflect.StringHeader)(unsafe.Pointer(&s))
 bh.Data = sh.Data
 bh.Len = sh.Len
diff --git a/client.go b/client.go
index 961d6c0519..5f63f0963d 100644
--- a/client.go
+++ b/client.go
@@ -1506,34 +1506,7 @@ func newClientTLSConfig(c *tls.Config, addr string) *tls.Config {
 if c == nil {
 c = &tls.Config{}
 } else {
- // TODO: substitute this with c.Clone() after go1.8 becomes mainstream :)
- c = &tls.Config{
- Rand: c.Rand,
- Time: c.Time,
- Certificates: c.Certificates,
- NameToCertificate: c.NameToCertificate,
- GetCertificate: c.GetCertificate,
- RootCAs: c.RootCAs,
- NextProtos: c.NextProtos,
- ServerName: c.ServerName,
-
- // Do not copy ClientAuth, since it is server-related stuff
- // Do not copy ClientCAs, since it is server-related stuff
-
- InsecureSkipVerify: c.InsecureSkipVerify,
- CipherSuites: c.CipherSuites,
-
- // Do not copy PreferServerCipherSuites - this is server stuff
-
- SessionTicketsDisabled: c.SessionTicketsDisabled,
-
- // Do not copy SessionTicketKey - this is server stuff
-
- ClientSessionCache: c.ClientSessionCache,
- MinVersion: c.MinVersion,
- MaxVersion: c.MaxVersion,
- CurvePreferences: c.CurvePreferences,
- }
+ c = c.Clone()
 }
 
 if c.ClientSessionCache == nil {
diff --git a/fasthttputil/inmemory_listener.go b/fasthttputil/inmemory_listener.go
index 9997d1cc45..87f8b62746 100644
--- a/fasthttputil/inmemory_listener.go
+++ b/fasthttputil/inmemory_listener.go
@@ -84,8 +84,8 @@ func (ln *InmemoryListener) Dial() (net.Conn, error) {
 // Wait until the connection has been accepted.
 <-accepted
 } else {
- sConn.Close()
- cConn.Close()
+ sConn.Close() //nolint:errcheck
+ cConn.Close() //nolint:errcheck
 cConn = nil
 }
 ln.lock.Unlock()
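Review bot: `c = c.Clone()` also copies the server-only fields the hand-written copy deliberately skipped (ClientAuth, ClientCAs, PreferServerCipherSuites, SessionTicketKey), and the comments explaining that choice disappear with it. They are inert in a config used for dialing, but a one-line comment such as `// Clone copies server-side fields too; they are unused on the client side.` would keep the reasoning visible. The change also starts honouring client-side hooks the old copy dropped, for example VerifyPeerCertificate and GetClientCertificate, which is a behaviour change worth a sentence in the PR description. newClientTLSConfig continues outside the hunk.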
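Review bot: The `//nolint:errcheck` directives use golangci-lint syntax while the rest of this commit suppresses gosec with `/* #nosec Gxxx */`, and G104 is already excluded globally in the new workflow, so these two lines change nothing for the gosec run this commit introduces. If the goal is to record that the Close errors are deliberately ignored on this path, a plain why-comment says it better, e.g. `// Close errors are intentionally ignored: both ends are discarded on this path` — the condition that selects the else branch is outside the hunk, so the exact reason has to be confirmed against the code above. Dial continues outside the hunk.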
diff --git a/prefork/prefork.go b/prefork/prefork.go
index 8fcc842d18..b7a14701d4 100644
--- a/prefork/prefork.go
+++ b/prefork/prefork.go
@@ -122,6 +122,7 @@ func (p *Prefork) prefork(addr string) error {
 }
 for i := 0; i < runtime.GOMAXPROCS(0); i++ {
+ /* #nosec G204 */
 cmd := exec.Command(os.Args[0], append(os.Args[1:], preforkChildFlag)...)
 cmd.Stdout = os.Stdout
 cmd.Stderr = os.Stderr