

chore: Reenable gosec linter and upgrade TLS version.
We already configure read timeouts in the server, so we should be unaffected by the Slowloris DoS attack. We use math/rand in a place where it won't affect security, so disabling the linter for those lines is fine. The minimum TLS version is raised because most clients use TLS 1.2 by default anyway, and a lot of applications/vendors have already deprecated TLS 1.0.

BREAKING: no longer support TLS 1.0
Blokje5 committed Nov 28, 2022
1 parent 97b5b39 commit 1f52128
Showing 4 changed files with 5 additions and 2 deletions.
2 changes: 1 addition & 1 deletion .golangci.yml
Expand Up @@ -43,6 +43,7 @@ linters:
- unused
- varcheck
- whitespace
- gosec
disable:
# Should be readded in the future with a dedicated PR to do the fix
- cyclop
Expand All @@ -51,7 +52,6 @@ linters:
- funlen
- gocognit
- gofumpt
- gosec
- govet
- ifshort
- ineffassign
1 change: 1 addition & 0 deletions cache/filesystem_cache.go
Expand Up @@ -273,6 +273,7 @@ func (f *fileSystemCache) clean() {
//
// Seed the generator with the current time in order to randomize
// set of files to be removed below.
// nolint:gosec // not security sensitve, only used internally.
rnd := rand.New(rand.NewSource(time.Now().UnixNano()))

for totalSize > f.maxSize && loopsCount < 3 {
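Review bot: The new directive is written as `// nolint:gosec` with a space after `//`; golangci-lint documents the machine-readable form as `//nolint:gosec` with no space, and recent versions (and the nolintlint linter) may not honour the spaced form, so gosec G404 can still fire on the `rand.New` line once the linter is re-enabled. The explanation also misspells "sensitive". Suggested line: `//nolint:gosec // G404: not security sensitive, only randomises which cache files are evicted`. The enclosing clean() starts and ends outside this hunk.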
1 change: 1 addition & 0 deletions cache/redis_cache.go
Expand Up @@ -251,6 +251,7 @@ func (r *redisCache) Put(reader io.Reader, contentMetadata ContentMetadata, key
stringKey := key.String()
// in order to make the streaming operation atomic, chproxy streams into a temporary key (only known by the current goroutine)
// then it switches the full result to the "real" stringKey available for other goroutines
// nolint:gosec // not security sensitve, only used internally.
random := strconv.Itoa(rand.Int())
stringKeyTmp := stringKey + random + "_tmp"

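Review bot: The temporary key built on the line after the new directive uses the process-global `rand.Int()`, which on Go versions before 1.20 yields the same sequence in every process unless `rand.Seed` is called somewhere not visible here, so two chproxy replicas in front of the same Redis can pick the same `<key><n>_tmp` name and stream into each other's temporary entry, contradicting the "only known by the current goroutine" assumption the comment relies on. That is an integrity concern rather than the confidentiality one G404 is usually about, so suppressing the finding is not the whole story; a collision-resistant suffix removes both the risk and the need for the nolint, e.g. `var nonce [16]byte`, `if _, err := crand.Read(nonce[:]); err != nil { return err }` (crypto/rand), `random := hex.EncodeToString(nonce[:])`. If the suppression is kept, write it as `//nolint:gosec` (no space) so golangci-lint recognises it, and fix the "sensitve" typo. Put's body continues outside the hunk.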
3 changes: 2 additions & 1 deletion main.go
Expand Up @@ -171,6 +171,7 @@ func serve(cfg config.HTTP) {
func newTLSConfig(cfg config.HTTPS) *tls.Config {
tlsCfg := tls.Config{
PreferServerCipherSuites: true,
MinVersion: tls.VersionTLS12,
CurvePreferences: []tls.CurveID{
tls.CurveP256,
tls.X25519,
Expand All @@ -193,13 +194,13 @@ func newTLSConfig(cfg config.HTTPS) *tls.Config {
}

func newServer(ln net.Listener, h http.Handler, cfg config.TimeoutCfg) *http.Server {
// nolint:gosec // We already configured ReadTimeout, so no need to set ReadHeaderTimeout as well.
return &http.Server{
TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
Handler: h,
ReadTimeout: time.Duration(cfg.ReadTimeout),
WriteTimeout: time.Duration(cfg.WriteTimeout),
IdleTimeout: time.Duration(cfg.IdleTimeout),

// Suppress error logging from the server, since chproxy
// must handle all these errors in the code.
ErrorLog: log.NilLogger,
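Review bot: The justification on the new nolint line in newServer only holds when `cfg.ReadTimeout` is non-zero: `ReadHeaderTimeout` falls back to `ReadTimeout`, and a zero value for both means header reads never time out, which is exactly the Slowloris case G112 warns about. Whether config.TimeoutCfg guarantees a non-zero default is not visible here; if it can be unset, either reject that at config load or set `ReadHeaderTimeout` explicitly to a bounded value instead of relying on the fallback. I'd state the precondition in the comment and use the form golangci-lint recognises: `//nolint:gosec // G112: ReadHeaderTimeout falls back to ReadTimeout, which config requires to be > 0`. The MinVersion bump in the first hunk is sound; as a side note, `PreferServerCipherSuites` on the line above it has been ignored by crypto/tls since Go 1.17 and could be dropped in a follow-up.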
