From 82eeb0f1399dd608a4923fff9fc194f8772b0eee Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 21 Aug 2022 14:23:03 +0100
Subject: [PATCH] Fix a few gosec warnings

---
 cmd/replds/pull.go   | 11 +++++++----
 cmd/replds/server.go | 24 ++++++++++++++----------
 cmd/replds/store.go  | 11 +++++++----
 store/memlog/log.go  |  3 ++-
 watcher/triggers.go  |  4 +++-
 watcher/watcher.go   | 10 ++++++----
 6 files changed, 39 insertions(+), 24 deletions(-)

diff --git a/cmd/replds/pull.go b/cmd/replds/pull.go
index 6529485..1fcf3f4 100644
--- a/cmd/replds/pull.go
+++ b/cmd/replds/pull.go
@@ -14,6 +14,7 @@ import (
 	"github.com/google/subcommands"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 )
 
 type pullCommand struct {
@@ -48,17 +49,19 @@ func (c *pullCommand) SetFlags(f *flag.FlagSet) {
 }
 
 func (c *pullCommand) grpcDialOptions() ([]grpc.DialOption, error) {
-	var opts []grpc.DialOption
+	var creds credentials.TransportCredentials
 	if c.sslCert != "" && c.sslKey != "" && c.sslCA != "" {
 		tlsconf, err := clientTLSConfig(c.sslCert, c.sslKey, c.sslCA)
 		if err != nil {
 			return nil, err
 		}
-		opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(tlsconf)))
+		creds = credentials.NewTLS(tlsconf)
 	} else {
-		opts = append(opts, grpc.WithInsecure())
+		creds = insecure.NewCredentials()
 	}
-	return opts, nil
+	return []grpc.DialOption{
+		grpc.WithTransportCredentials(creds),
+	}, nil
 }
 
 func (c *pullCommand) Execute(ctx context.Context, f *flag.FlagSet, args ...interface{}) subcommands.ExitStatus {
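Review bot: The else branch that now assigns `insecure.NewCredentials()` is taken whenever any one of sslCert, sslKey or sslCA is empty, so a partially configured TLS client silently dials in plaintext instead of failing, and the swap away from WithInsecure() keeps that downgrade intact. A misconfiguration (one mistyped or forgotten flag out of three) should be an explicit error rather than an unauthenticated connection, e.g. `} else if c.sslCert != "" || c.sslKey != "" || c.sslCA != "" {` / `return nil, errors.New("incomplete TLS configuration: client cert, key and CA must all be set")` / `} else {` (assuming `errors`, or an equivalent `fmt.Errorf`, is already imported in this file — the import block is not fully visible). The identically shaped grpcDialOptions in cmd/replds/server.go and cmd/replds/store.go in this patch carry the same three-way check and fallback, so the guard belongs in all three, or better in one shared helper they all call.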
diff --git a/cmd/replds/server.go b/cmd/replds/server.go
index 7b0a5a8..50dd21f 100644
--- a/cmd/replds/server.go
+++ b/cmd/replds/server.go
@@ -25,6 +25,7 @@ import (
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 
 	_ "net/http/pprof"
 )
@@ -71,17 +72,19 @@ func (c *serverCommand) SetFlags(f *flag.FlagSet) {
 }
 
 func (c *serverCommand) grpcDialOptions() ([]grpc.DialOption, error) {
-	var opts []grpc.DialOption
+	var creds credentials.TransportCredentials
 	if c.clientSSLCert != "" && c.clientSSLKey != "" && c.sslCA != "" {
 		tlsconf, err := clientTLSConfig(c.clientSSLCert, c.clientSSLKey, c.sslCA)
 		if err != nil {
 			return nil, err
 		}
-		opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(tlsconf)))
+		creds = credentials.NewTLS(tlsconf)
 	} else {
-		opts = append(opts, grpc.WithInsecure())
+		creds = insecure.NewCredentials()
 	}
-	return opts, nil
+	return []grpc.DialOption{
+		grpc.WithTransportCredentials(creds),
+	}, nil
 }
 
 func (c *serverCommand) Execute(ctx context.Context, f *flag.FlagSet, args ...interface{}) subcommands.ExitStatus {
@@ -175,12 +178,13 @@ func (c *serverCommand) runServer(ctx context.Context, server *replds.Server) er
 		http.Handle("/metrics", promhttp.Handler())
 
 		httpSrv := &http.Server{
-			Addr:         c.httpAddr,
-			TLSConfig:    tlsconf,
-			Handler:      nil,
-			ReadTimeout:  10 * time.Second,
-			IdleTimeout:  30 * time.Second,
-			WriteTimeout: 10 * time.Second,
+			Addr:              c.httpAddr,
+			TLSConfig:         tlsconf,
+			Handler:           nil,
+			ReadTimeout:       10 * time.Second,
+			ReadHeaderTimeout: 30 * time.Second,
+			IdleTimeout:       30 * time.Second,
+			WriteTimeout:      10 * time.Second,
 		}
 
 		return runHTTPServerWithContext(ictx, httpSrv)
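Review bot: The added `ReadHeaderTimeout: 30 * time.Second` is larger than the `ReadTimeout: 10 * time.Second` two lines above it, which makes the new setting looser than the deadline it is meant to tighten: as far as I read net/http, a non-zero ReadHeaderTimeout becomes the header-read deadline and ReadTimeout is then applied as the whole-request deadline measured from the same start, so headers get 30 s while the body deadline has already expired after 10 s. A value no larger than ReadTimeout keeps the slowloris protection meaningful, `ReadHeaderTimeout: 10 * time.Second,` or smaller. Separately, `Handler: nil` in the same literal serves DefaultServeMux, and the `_ "net/http/pprof"` import visible in this file registers /debug/pprof on that mux next to /metrics — confirm that listener is intended to expose profiling, or give /metrics a dedicated mux. runServer begins before this hunk.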
diff --git a/cmd/replds/store.go b/cmd/replds/store.go
index ad4253d..9d8ac80 100644
--- a/cmd/replds/store.go
+++ b/cmd/replds/store.go
@@ -14,6 +14,7 @@ import (
 	"github.com/google/subcommands"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
@@ -47,17 +48,19 @@ func (c *storeCommand) SetFlags(f *flag.FlagSet) {
 }
 
 func (c *storeCommand) grpcDialOptions() ([]grpc.DialOption, error) {
-	var opts []grpc.DialOption
+	var creds credentials.TransportCredentials
 	if c.sslCert != "" && c.sslKey != "" && c.sslCA != "" {
 		tlsconf, err := clientTLSConfig(c.sslCert, c.sslKey, c.sslCA)
 		if err != nil {
 			return nil, err
 		}
-		opts = append(opts, grpc.WithTransportCredentials(credentials.NewTLS(tlsconf)))
+		creds = credentials.NewTLS(tlsconf)
 	} else {
-		opts = append(opts, grpc.WithInsecure())
+		creds = insecure.NewCredentials()
 	}
-	return opts, nil
+	return []grpc.DialOption{
+		grpc.WithTransportCredentials(creds),
+	}, nil
 }
 
 func (c *storeCommand) Execute(ctx context.Context, f *flag.FlagSet, args ...interface{}) subcommands.ExitStatus {
diff --git a/store/memlog/log.go b/store/memlog/log.go
index c40bd5e..1741ac0 100644
--- a/store/memlog/log.go
+++ b/store/memlog/log.go
@@ -2,6 +2,7 @@ package memlog
 
 import (
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@@ -120,7 +121,7 @@ func processLog(path string, fn func(*pb.Node) error) (bool, error) {
 		node, nodeDirty, newBuf, err := logRead(ff, buf)
 		buf = newBuf
 
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			return dirty, nil
 		}
 		if err != nil {
diff --git a/watcher/triggers.go b/watcher/triggers.go
index a856d1e..ae54875 100644
--- a/watcher/triggers.go
+++ b/watcher/triggers.go
@@ -30,7 +30,9 @@ func (m scriptTriggerManager) Has(path string) bool {
 func (m scriptTriggerManager) Notify(b *common.NotifyBatch) {
 	b.Apply(func(path string, nodes []*pb.Node) {
 		trigger := m[path]
-		trigger.Run(nodes)
+		if err := trigger.Run(nodes); err != nil {
+			log.Printf("trigger error: %v", err)
+		}
 	})
 }
 
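Review bot: The new `log.Printf("trigger error: %v", err)` omits the one piece of context that makes the failure actionable — which path's trigger failed — although `path` is in scope from the Apply callback on the line above. Include it so an operator can correlate the failure with the node that changed: `log.Printf("trigger error for %s: %v", path, err)`. If trigger.Run already embeds the path in its error this is redundant, but nothing in the hunk shows that.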
diff --git a/watcher/watcher.go b/watcher/watcher.go
index 2d7fd33..9cf5cba 100644
--- a/watcher/watcher.go
+++ b/watcher/watcher.go
@@ -2,6 +2,7 @@ package watcher
 
 import (
 	"context"
+	"errors"
 	"io"
 	"log"
 	"time"
@@ -71,7 +72,7 @@ func (w *Watcher) Run(ctx context.Context) {
 			Summary:  w.store.Summary(),
 		}
 		stream, err := stub.Watch(ctx, req)
-		if err == context.Canceled || status.Code(err) == codes.Canceled {
+		if errors.Is(err, context.Canceled) || status.Code(err) == codes.Canceled {
 			return
 		}
 		if err != nil {
@@ -81,7 +82,7 @@ func (w *Watcher) Run(ctx context.Context) {
 
 		for {
 			resp, err := stream.Recv()
-			if err == io.EOF {
+			if errors.Is(err, io.EOF) {
 				break
 			}
 			if err != nil {
@@ -92,8 +93,9 @@ func (w *Watcher) Run(ctx context.Context) {
 			// Run triggers for each batch.
 			tb := common.NewNotifyBatch(w.triggers)
 			for _, node := range resp.Nodes {
-				w.store.AddNode(node)
-				tb.Add(node)
+				if ok, err := w.store.AddNode(node); err == nil && ok {
+					tb.Add(node)
+				}
 			}
 			w.triggers.Notify(tb)
 		}
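Review bot: The error from `w.store.AddNode(node)` in the new `if ok, err := ...` line is consulted only to skip the trigger and is never reported, so a store that fails to persist a replicated node now fails silently — the unchecked-error finding is resolved in form, but the operator learns nothing and this watcher can quietly diverge from its peers. `log` is already imported in this file, so the failure should at least be logged before moving on. Note that the change also stops calling tb.Add when AddNode returns ok == false, which is a behaviour change beyond the lint fix (presumably intentional, triggers only for nodes that actually changed, but worth stating in the commit message). Run begins before this hunk.
```go
for _, node := range resp.Nodes {
	ok, err := w.store.AddNode(node)
	if err != nil {
		log.Printf("error adding node to store: %v", err)
		continue
	}
	if ok {
		tb.Add(node)
	}
}
```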
-- 
GitLab