Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(crypto/keyring): disallow non-owner reads of keyhash #15258

Merged
merged 2 commits into from
Mar 3, 2023

Conversation

mark-rushakoff
Copy link
Member

@mark-rushakoff mark-rushakoff commented Mar 3, 2023

Description

The gosec linter has been complaining about this. On one hand, it's just a hash, but on the other hand, there is no apparent reason it needs to be readable by anyone other than the owner.

Also use the preexisting keyhashFilePath variable, instead of concatenating a forward-slash value, which may not work properly on Windows.


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • followed the guidelines for building modules
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

The gosec linter has been complaining about this. On one hand, it's just
a hash, but on the other hand, there is no apparent reason it needs to
be readable by anyone other than the owner.

Also use the preexisting keyhashFilePath variable, instead of
concatenating a forward-slash value, which may not work properly on
Windows.
@mark-rushakoff mark-rushakoff requested a review from a team as a code owner March 3, 2023 15:35
@github-prbot github-prbot requested review from a team, julienrbrt and likhita-809 and removed request for a team March 3, 2023 15:35
Copy link
Member

@julienrbrt julienrbrt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK.

@mark-rushakoff mark-rushakoff enabled auto-merge (squash) March 3, 2023 15:53
@mark-rushakoff mark-rushakoff merged commit ac74e23 into main Mar 3, 2023
@mark-rushakoff mark-rushakoff deleted the mr/gosec-permission-warning branch March 3, 2023 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants