Backport of Vault-3991 Code Scanning Alerts Changes into release/1.8.x (

#13671) * cherry-pick changes from main * fixing maxint * fixing compare * fixing consts Co-authored-by: akshya96 <87045294+akshya96@users.noreply.github.com> Co-authored-by: akshya96 <araghavan@hashicorp.com>
hashicorp · Jan 21, 2022 · ea8a44e · ea8a44e
1 parent cab8647
commit ea8a44e
Show file tree

Hide file tree

Showing 9 changed files with 40 additions and 21 deletions.
diff --git a/changelog/13667.txt b/changelog/13667.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+core: Fixes code scanning alerts
+```
diff --git a/command/base_flags.go b/command/base_flags.go
@@ -10,6 +10,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/posener/complete"
 )
 
@@ -246,9 +247,11 @@ func (i *intValue) Set(s string) error {
 	if err != nil {
 		return err
 	}
-
-	*i.target = int(v)
-	return nil
+	if v >= int64(consts.MinInt) && v <= int64(consts.MaxInt) {
+		*i.target = int(v)
+		return nil
+	}
+	return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for int32", v)
 }
 
 func (i *intValue) Get() interface{} { return int(*i.target) }
@@ -374,9 +377,12 @@ func (i *uintValue) Set(s string) error {
 	if err != nil {
 		return err
 	}
+	if v >= 0 && v <= uint64(consts.MaxUint) {
+		*i.target = uint(v)
+		return nil
+	}
 
-	*i.target = uint(v)
-	return nil
+	return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for uint32", v)
 }
 
 func (i *uintValue) Get() interface{} { return uint(*i.target) }

diff --git a/sdk/helper/certutil/helpers.go b/sdk/helper/certutil/helpers.go
@@ -319,6 +319,9 @@ func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) {
 func ParsePublicKeyPEM(data []byte) (interface{}, error) {
 	block, data := pem.Decode(data)
 	if block != nil {
+		if len(bytes.TrimSpace(data)) > 0 {
+			return nil, errutil.UserError{Err: "unexpected trailing data after parsed PEM block"}
+		}
 		var rawKey interface{}
 		var err error
 		if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
@@ -329,17 +332,15 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) {
 			}
 		}
 
-		if rsaPublicKey, ok := rawKey.(*rsa.PublicKey); ok {
-			return rsaPublicKey, nil
-		}
-		if ecPublicKey, ok := rawKey.(*ecdsa.PublicKey); ok {
-			return ecPublicKey, nil
-		}
-		if edPublicKey, ok := rawKey.(ed25519.PublicKey); ok {
-			return edPublicKey, nil
+		switch key := rawKey.(type) {
+		case *rsa.PublicKey:
+			return key, nil
+		case *ecdsa.PublicKey:
+			return key, nil
+		case ed25519.PublicKey:
+			return key, nil
 		}
 	}
-
 	return nil, errors.New("data does not contain any valid public keys")
 }
 

diff --git a/sdk/helper/consts/consts.go b/sdk/helper/consts/consts.go
@@ -32,4 +32,9 @@ const (
 	// ReplicationResolverALPN is the negotiated protocol used for
 	// resolving replicaiton addresses
 	ReplicationResolverALPN = "replication_resolver_v1"
+
+	//MaxUint, MaxInt and MinInt are not available in math package before go 1.7
+	MaxUint = ^uint(0)
+	MaxInt  = int(^uint(0) >> 1)
+	MinInt  = -MaxInt - 1
 )
diff --git a/sdk/logical/translate_response.go b/sdk/logical/translate_response.go
@@ -134,8 +134,8 @@ func (h HTTPSysInjector) MarshalJSON() ([]byte, error) {
 	}
 	// Marshaling a response will always be a JSON object, meaning it will
 	// always start with '{', so we hijack this to prepend necessary values
-	// Make a guess at the capacity, and write the object opener
-	buf := bytes.NewBuffer(make([]byte, 0, len(j)*2))
+
+	var buf bytes.Buffer
 	buf.WriteRune('{')
 	for k, v := range h.Response.Data {
 		// Marshal each key/value individually

diff --git a/vault/auth.go b/vault/auth.go
@@ -817,7 +817,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
 	}
 
 	// Set up conf to pass in plugin_name
-	conf := make(map[string]string, len(entry.Options)+1)
+	conf := make(map[string]string)
 	for k, v := range entry.Options {
 		conf[k] = v
 	}

diff --git a/vault/barrier_aes_gcm.go b/vault/barrier_aes_gcm.go
@@ -16,6 +16,7 @@ import (
 	"time"
 
 	"github.com/armon/go-metrics"
+	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -959,10 +960,13 @@ func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) {
 func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
 	// Allocate the output buffer with room for tern, version byte,
 	// nonce, GCM tag and the plaintext
-	capacity := termSize + 1 + gcm.NonceSize() + gcm.Overhead() + len(plain)
-	if capacity < 0 {
+
+	extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead()
+	if len(plain) > consts.MaxInt-extra {
 		return nil, ErrPlaintextTooLarge
 	}
+
+	capacity := len(plain) + extra
 	size := termSize + 1 + gcm.NonceSize()
 	out := make([]byte, size, capacity)
 

diff --git a/vault/identity_store_oidc.go b/vault/identity_store_oidc.go
@@ -1501,7 +1501,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
 		return now, err
 	}
 
-	usedKeys := make([]string, 0, 2*len(namedKeys))
+	usedKeys := make([]string, 0)
 
 	for _, k := range namedKeys {
 		entry, err := s.Get(ctx, namedKeyConfigPath+k)

diff --git a/vault/mount.go b/vault/mount.go
@@ -1365,7 +1365,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
 	}
 
 	// Set up conf to pass in plugin_name
-	conf := make(map[string]string, len(entry.Options)+1)
+	conf := make(map[string]string)
 	for k, v := range entry.Options {
 		conf[k] = v
 	}