From a0c793a7e055c6ea46e1318ed73bf233e4d3faa9 Mon Sep 17 00:00:00 2001
From: Maxence Maireaux
Date: Tue, 21 Nov 2023 14:39:25 +0100
Subject: [PATCH] feat: Add new linter for security (#854)

---
 .golangci.yml | 34 +++++++++++++++++++
 components/auth/pkg/oidc/oidc_test.go | 3 +-
 .../apis/stack/v1beta1/configuration_types.go | 1 +
 .../apis/stack/v1beta3/configuration_types.go | 3 +-
 .../controllers/stack/stack_reconciler.go | 3 +-
 .../internal/modules/gateway/handler.go | 1 -
 6 files changed, 41 insertions(+), 4 deletions(-)

diff --git a/.golangci.yml b/.golangci.yml
index 73e25a38d3..5cafc8d3d0 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -7,3 +7,37 @@ linters:
 - gofmt
 - goimports
 - unused
+ - gosec
+linters-settings:
+ gosec:
+ # To select a subset of rules to run.
+ # Available rules: https://github.com/securego/gosec#available-rules
+ includes:
+ - G103 # Audit the use of unsafe block
+ - G104 # Audit errors not checked
+ - G106 # Audit the use of ssh.InsecureIgnoreHostKey
+ - G108 # Profiling endpoint automatically exposed on /debug/pprof
+ - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
+ - G110 # Potential DoS vulnerability via decompression bomb
+ - G111 # Potential directory traversal
+ - G112 # Potential slowloris attack
+# - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
+ - G201 # SQL query construction using format string
+ - G202 # SQL query construction using string concatenation
+ - G203 # Use of unescaped data in HTML templates
+ - G204 # Audit use of command execution
+ - G301 # Poor file permissions used when creating a directory
+ - G302 # Poor file permissions used with chmod
+ - G303 # Creating tempfile using a predictable path
+ - G304 # File path provided as taint input
+ - G305 # File traversal when extracting zip/tar archive
+ - G306 # Poor file permissions used when writing to a new file
+ - G307 # Poor file permissions used when creating a file with os.Create
+ - G401 # Detect the usage of DES, RC4, MD5 or SHA1
+ - G403 # Ensure minimum RSA key length of 2048 bits
+ - G501 # Import blocklist: crypto/md5
+ - G502 # Import blocklist: crypto/des
+ - G503 # Import blocklist: crypto/rc4
+ - G504 # Import blocklist: net/http/cgi
+ - G505 # Import blocklist: crypto/sha1
+ - G602 # Slice access out of bounds
\ No newline at end of file
diff --git a/components/auth/pkg/oidc/oidc_test.go b/components/auth/pkg/oidc/oidc_test.go
index 4c3b3a7e78..52cd74523f 100644
--- a/components/auth/pkg/oidc/oidc_test.go
+++ b/components/auth/pkg/oidc/oidc_test.go
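Review bot: The explicit `includes` list under `gosec:` silently turns off every rule not named in it, and several high-value rules for an auth/OIDC codebase are absent: G101 (hard-coded credentials), G402 (bad TLS settings such as InsecureSkipVerify or a low MinVersion), G404 (math/rand used where a CSPRNG is expected) and G114 (net/http serve functions with no timeout support, the natural companion of the G112 rule already listed). Rules added in later gosec releases also stay off under an include list, so consider inverting this into an `excludes` list naming only the rules you deliberately suppress (G113 is the only one the author consciously disabled here, via the commented line), or at minimum append `- G101 # Look for hard coded credentials`, `- G402 # Look for bad TLS connection settings` and `- G404 # Insecure random number source (rand)` after the `- G602` entry. The file is also written without a trailing newline (`\ No newline at end of file`), which most editors and `gofmt`-style hooks will keep churning.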
@@ -110,7 +110,8 @@ func withServer(t *testing.T, fn func(m *mockoidc.MockOIDC, storage *sqlstorage.
 // Create our http server for our oidc provider
 providerHttpServer := &http.Server{
- Handler: router,
+ Handler: router,
+ ReadHeaderTimeout: 5 * time.Second,
 }
 go func() {
 err := providerHttpServer.Serve(l)
diff --git a/components/operator/apis/stack/v1beta1/configuration_types.go b/components/operator/apis/stack/v1beta1/configuration_types.go
index 5e6504b2eb..a4244b4798 100644
--- a/components/operator/apis/stack/v1beta1/configuration_types.go
+++ b/components/operator/apis/stack/v1beta1/configuration_types.go
@@ -18,6 +18,7 @@ package v1beta1
 import (
 "encoding/json"
+ "github.com/formancehq/operator/apis/stack/v1beta3"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/conversion"
diff --git a/components/operator/apis/stack/v1beta3/configuration_types.go b/components/operator/apis/stack/v1beta3/configuration_types.go
index 5be9edbc5f..84dc0ef3b6 100644
--- a/components/operator/apis/stack/v1beta3/configuration_types.go
+++ b/components/operator/apis/stack/v1beta3/configuration_types.go
@@ -18,10 +18,11 @@ package v1beta3
 import (
 "fmt"
- "github.com/iancoleman/strcase"
 "reflect"
 "strings"
+ "github.com/iancoleman/strcase"
+ "github.com/pkg/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
diff --git a/components/operator/internal/controllers/stack/stack_reconciler.go b/components/operator/internal/controllers/stack/stack_reconciler.go
index 2c15609724..87e021e61b 100644
--- a/components/operator/internal/controllers/stack/stack_reconciler.go
+++ b/components/operator/internal/controllers/stack/stack_reconciler.go
@@ -3,10 +3,11 @@ package stack
 import (
 "context"
 "fmt"
+ "time"
+
 appsv1 "k8s.io/api/apps/v1"
 networkingv1 "k8s.io/api/networking/v1"
 "sigs.k8s.io/controller-runtime/pkg/source"
- "time"
 "github.com/formancehq/operator/internal/collectionutils"
 "github.com/formancehq/operator/internal/controllerutils"
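Review bot: The new `ReadHeaderTimeout: 5 * time.Second,` line on the mock provider's `http.Server` carries no explanation of why a test-only server needs it or how 5s was chosen, so a reader chasing a slow or flaky OIDC test will not connect it to the G112 rule this commit enables. Suggest `// Bound header reads so the mock provider cannot hang on a stalled client (gosec G112).` directly above it. The line also depends on `time` being imported in this test file, which is not visible in the hunk; `withServer`'s body continues outside the hunk as well.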
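Review bot: The added import `"github.com/pkg/errors"` brings a third-party error package into a file that already imports `fmt`; since Go 1.13 the standard library's `errors.Is`/`errors.As` and `fmt.Errorf("...: %w", err)` cover wrapping and inspection, and pkg/errors is archived upstream. Unless the operator module already standardizes on pkg/errors elsewhere, prefer the standard `errors` package here; the call sites that motivated the import are outside this hunk, so this is inferred from the import alone. The regrouping of `strcase` into the third-party block matches goimports and is fine.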
diff --git a/components/operator/internal/modules/gateway/handler.go b/components/operator/internal/modules/gateway/handler.go
index 14e3fde2a4..3b6d916478 100644
--- a/components/operator/internal/modules/gateway/handler.go
+++ b/components/operator/internal/modules/gateway/handler.go
@@ -234,7 +234,6 @@ const caddyfile = `(cors) {
 read_key_set_max_retries 10
 }
 }
-
 {{- if .EnableAudit }}
 (audit) {
 audit {