Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

G307: Readonly files also a problem? #579

Closed
tehsphinx opened this issue Feb 21, 2021 · 2 comments · Fixed by #935
Closed

G307: Readonly files also a problem? #579

tehsphinx opened this issue Feb 21, 2021 · 2 comments · Fixed by #935
Labels
enhancement help wanted

Comments

@tehsphinx
Copy link

I understand that G307 is a valid concern on writable files.

But what about files that are opened ReadOnly? E.g. os.Open opens files in readonly mode. Using Write on it will error immediately with bad file descriptor. So the arguments mentioned in https://www.joeshaw.org/dont-defer-close-on-writable-files/ won't hold for readonly file descriptors.

Shouldn't gosec make that distinction as well?

Especially when using defer on Close, the open file function is usually in the same function as the Close. Then it should be possible to discern that.
@ccojocar
Copy link
Member

This is a good point. gosec should handle this case.

gregtyler added a commit to ministryofjustice/opg-sirius-user-management that referenced this issue Mar 29, 2021
@gregtyler
Ignore G307 error
d0d2995 
This flags as an error in gosec because we're not handling any errors when the file closes. But that isn't a concern for us because we're not writing to it

See also: securego/gosec#579
gregtyler added a commit to ministryofjustice/opg-sirius-user-management that referenced this issue Mar 30, 2021
@gregtyler
Create gosec.yml (#87)
88f067c 
* Create gosec.yml

* Check filepath before opening file

To ensure that we don't end up opening a file outside of the base pacts directory

* Ignore G307 error

This flags as an error in gosec because we're not handling any errors when the file closes. But that isn't a concern for us because we're not writing to it

See also: securego/gosec#579

* Wrap open in `filepath.Clean`

This removes any `..` from the filepath, so it can't break out of the pacts directory
Nicholassully pushed a commit to ministryofjustice/opg-sirius-user-management that referenced this issue Jul 26, 2021
@gregtyler @Nicholassully
Create gosec.yml (#87)
c7b352e 
* Create gosec.yml

* Check filepath before opening file

To ensure that we don't end up opening a file outside of the base pacts directory

* Ignore G307 error

This flags as an error in gosec because we're not handling any errors when the file closes. But that isn't a concern for us because we're not writing to it

See also: securego/gosec#579

* Wrap open in `filepath.Clean`

This removes any `..` from the filepath, so it can't break out of the pacts directory
@k-jun k-jun mentioned this issue Feb 6, 2022
Closed
@cwaldren-ld cwaldren-ld mentioned this issue Feb 8, 2022
Merged
@moriyoshi moriyoshi mentioned this issue Aug 21, 2022
Closed
@stevenh
Copy link

stevenh commented Feb 23, 2023
edited

Just tripped over this one with code that calls defer resp.Body.Close() which is a very common pattern.

G307: Deferring unsafe method "Close" on type "io.ReadCloser" (gosec)

For the time being I've added an exclusion for this in .golangci.yml to avoid this false positive.

issues:
  exclude:
  - Deferring unsafe method "Close" on type "io\.ReadCloser"

@ccojocar ccojocar mentioned this issue Feb 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement help wanted
Projects
None yet
Milestone
No milestone
3 participants
@stevenh @ccojocar @tehsphinx