Initial security fixes

[Jacalz]

Description:

This is a big PR aimed at fixing a lot of potential issues that are being reported by gosec analysing. the issues fixed here are mostly related to error handling, but there are also four fixes for file permissions.

We are now down from 69 to 33 issues on develop.

Partial fix for #742

Checklist:

• [-] Tests included.
• Lint and formatter run with no errors.
• Tests all pass.

Note to anyone reviewing this:

Please look at the error handling and say if we need to return or not. There might be places where we don't need to return when an error occurs (would not be possible to exploit) or the other way around where it might be strictly necessary to actually return.

[Jacalz]

This is the reason that the app test is failing. Removing the return call seems to fix things, but I have a feeling that something might be wrong with the underlying code because it looks like we always get an error saying Fyne error: Failed to stop watching settings file2020/03/22 09:20:41 Cause: can't remove non-existent inotify watch.

[andydotxyz]

I think you are right this return is not correct. If we can't stop watching a deleted file (entirely probable) we should return to trying again.
Not sure why this is only an issue on this PR though - the others are working as expected. Are you certain nothing has changed?

[Jacalz]

I think we got a bit of a misunderstanding regarding what I meant with the comment above. I added that return statement in my PR to handle the error and the reason that it doesn't cause errors in other Pull Requests is because of that. What I tried saying was that it throws an error here even though I don't think it should and we can see it now because we check the error. 😉

[andydotxyz]

Oh, OK. How do you propose fixing this then? We can't merge with a new break ;)

[Jacalz]

I honestly have no idea that might be causing this. Do you want me to just log the error and not return or just not handle the error at all and leave it for another day?

[andydotxyz]

Let me know what you think after reading fsnotify/fsnotify#40 and fsnotify/fsnotify#238

[Jacalz]

The issue seems to be specific to Windows and Linux (would be amazed if this wasn’t the same for BSD too). I suggest that we make sure to only throw errors on Darwin platforms.

[Jacalz]

Pushed new commits with the fix. Might need testing on MacOS, but tests are not failing for me anymore at least :)

[Jacalz]

Looks like MacOS tests on travis still fails. Looks like we always get an error no matter the case. I say that we ignore this for now and get back to it when it is fixed upstream.

[andydotxyz]

Just restarting the second windows build to see what's going on. It may be that there's a legitimate failure here - can you see if it relates to the discussion above?

[Jacalz]

Just restarting the second windows build to see what's going on. It may be that there's a legitimate failure here - can you see if it relates to the discussion above?

Are you possibly commenting on the wrong PR? All the tests seem to be completing now :)

[Jacalz]

I have done testing with the cmd/fyne tool without any new issues and I have done testing the fyne_demo application and everything there seems to be working correct. I also tested it with the changes from #773 and on desktop that's no issues, but building with -tags mobile spits out this:

2020/03/27 20:00:57 Fyne error:  Preferences load error:
2020/03/27 20:00:57   Cause: mkdir /data: permission denied
2020/03/27 20:00:57   At: /home/jacob/fyne/app/preferences.go:67
2020/03/27 20:01:00 Fyne error:  Failed on saving preferences
2020/03/27 20:01:00   Cause: mkdir /data: permission denied
2020/03/27 20:01:00   At: /home/jacob/fyne/app/preferences.go:96

Will probably need to look at this more, but it might not be entirely relevant because the preferences code does not work on mobile right?

[andydotxyz]

Yeah you are probably right. If you could put that error log in a “preferences api not working on mobile” ticket we can reference that here and move on :).
I’d love to get mobile prefs into 1.2.4 in the next couple of weeks

[Jacalz]

Here you go: #779 :)