From eed6f9b93348b979c07098243773ca3e8c0ba4e8 Mon Sep 17 00:00:00 2001 From: Ehco Date: Mon, 6 Dec 2021 13:53:56 +0800 Subject: [PATCH] security(cdc): fix some security problems (#3700) --- cdc/server.go | 4 ++-- cdc/sink/producer/kafka/config.go | 4 ++-- cdc/sorter/unified/file_backend.go | 4 ++-- cdc/sorter/unified/unified_sorter.go | 2 +- cmd/kafka-consumer/main.go | 2 +- pkg/filelock/filelock.go | 2 +- tests/integration_tests/bank/case.go | 5 ++--- tests/integration_tests/resolve_lock/main.go | 2 +- tests/utils/many_sorters_test/many_sorters.go | 2 +- tests/utils/sorter_stress_test/sorter_stress.go | 4 ++-- 10 files changed, 15 insertions(+), 16 deletions(-) diff --git a/cdc/server.go b/cdc/server.go index 06ace4658ff..43024f3a406 100644 --- a/cdc/server.go +++ b/cdc/server.go @@ -262,7 +262,7 @@ func (s *Server) initDataDir(ctx context.Context) error { return errors.Trace(err) } conf := config.GetGlobalServerConfig() - err := os.MkdirAll(conf.DataDir, 0o755) + err := os.MkdirAll(conf.DataDir, 0o700) if err != nil { return errors.Trace(err) } @@ -316,7 +316,7 @@ func findBestDataDir(candidates []string) (result string, ok bool) { var low uint64 = 0 checker := func(dir string) (*util.DiskInfo, error) { - if err := os.MkdirAll(dir, 0o755); err != nil { + if err := os.MkdirAll(dir, 0o700); err != nil { return nil, err } if err := util.IsDirReadWritable(dir); err != nil { diff --git a/cdc/sink/producer/kafka/config.go b/cdc/sink/producer/kafka/config.go index 0a530dfb9de..578611600b7 100644 --- a/cdc/sink/producer/kafka/config.go +++ b/cdc/sink/producer/kafka/config.go @@ -72,7 +72,7 @@ func (c *Config) CompleteByOpts(sinkURI *url.URL, replicaConfig *config.ReplicaC params := sinkURI.Query() s := params.Get("partition-num") if s != "" { - a, err := strconv.Atoi(s) + a, err := strconv.ParseInt(s, 10, 32) if err != nil { return err } 
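Review bot: The `os.MkdirAll(conf.DataDir, 0o700)` in initDataDir only governs directories it creates: when DataDir already exists (every upgraded deployment, where the previous code made it 0o755) MkdirAll returns nil and the old mode stays, and the 0o700 is still filtered through the process umask. If the intent is to tighten existing directories too, follow the call with `if err := os.Chmod(conf.DataDir, 0o700); err != nil { return errors.Trace(err) }`; otherwise record the limitation with `// 0o700 applies only to directories created here; an existing DataDir keeps its mode`. The same applies to the MkdirAll changes in findBestDataDir (@@ -316), unified_sorter.go CheckDir (@@ -69), many_sorters.go and sorter_stress.go (@@ -61). initDataDir begins before this hunk.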
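Review bot: `a, err := strconv.ParseInt(s, 10, 32)` for partition-num now rejects values outside int32, but zero and negative values still parse successfully and reach whatever consumes `a` below the hunk; unless that code checks the sign, add a guard `if a <= 0 { ... }` after the err check that returns the invalid-option error this file already uses. Note that `a` is now int64 rather than int, so the assignment that follows the hunk presumably needs an explicit `int32(a)` conversion — worth confirming it still compiles as intended. The same missing sign check applies to replication-factor (@@ -84, bitSize 16) and to the partition-num parse in cmd/kafka-consumer/main.go (@@ -117). CompleteByOpts continues outside the hunk.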
@@ -84,7 +84,7 @@ func (c *Config) CompleteByOpts(sinkURI *url.URL, replicaConfig *config.ReplicaC s = params.Get("replication-factor") if s != "" { - a, err := strconv.Atoi(s) + a, err := strconv.ParseInt(s, 10, 16) if err != nil { return err } diff --git a/cdc/sorter/unified/file_backend.go b/cdc/sorter/unified/file_backend.go index 24ed9959163..edaa636a48a 100644 --- a/cdc/sorter/unified/file_backend.go +++ b/cdc/sorter/unified/file_backend.go @@ -65,7 +65,7 @@ func newFileBackEnd(fileName string, serde encoding.SerializerDeserializer) (*fi } func (f *fileBackEnd) reader() (backEndReader, error) { - fd, err := os.OpenFile(f.fileName, os.O_RDWR, 0o644) + fd, err := os.OpenFile(f.fileName, os.O_RDWR, 0o600) if err != nil { return nil, errors.Trace(wrapIOError(err)) } @@ -103,7 +103,7 @@ func (f *fileBackEnd) reader() (backEndReader, error) { } func (f *fileBackEnd) writer() (backEndWriter, error) { - fd, err := os.OpenFile(f.fileName, os.O_TRUNC|os.O_RDWR, 0o644) + fd, err := os.OpenFile(f.fileName, os.O_TRUNC|os.O_RDWR, 0o600) if err != nil { return nil, errors.Trace(wrapIOError(err)) } diff --git a/cdc/sorter/unified/unified_sorter.go b/cdc/sorter/unified/unified_sorter.go index 863f365b553..fb8363bc5ee 100644 --- a/cdc/sorter/unified/unified_sorter.go +++ b/cdc/sorter/unified/unified_sorter.go @@ -69,7 +69,7 @@ func CheckDir(cfSortDir string) error { err := util.IsDirAndWritable(dir) if err != nil { if os.IsNotExist(errors.Cause(err)) { - err = os.MkdirAll(dir, 0o755) + err = os.MkdirAll(dir, 0o700) if err != nil { return errors.Annotate(cerror.WrapError(cerror.ErrProcessorSortDir, err), "create dir") } diff --git a/cmd/kafka-consumer/main.go b/cmd/kafka-consumer/main.go index 2ab0af53c34..a027406589e 100644 --- a/cmd/kafka-consumer/main.go +++ b/cmd/kafka-consumer/main.go 
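Review bot: Changing the mode argument of `os.OpenFile(f.fileName, os.O_RDWR, 0o600)` in reader() has no effect: without os.O_CREATE in the flags the perm argument is ignored, so the file keeps whatever mode it was given where it was created, which is not in this hunk. The same holds for writer() (@@ -103), which opens with O_TRUNC|O_RDWR and likewise no O_CREATE. The call that actually creates the sorter file is where 0o600 matters; either fix it there or add `// perm is ignored here (no O_CREATE); the file's mode is set where it is created` so nobody assumes this line tightened anything. Separately, reader() only needs os.O_RDONLY if nothing writes through the returned descriptor, which would be the least-privilege choice.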
@@ -117,7 +117,7 @@ func init() { } kafkaPartitionNum = partition } else { - c, err := strconv.Atoi(s) + c, err := strconv.ParseInt(s, 10, 32) if err != nil { log.Fatal("invalid partition-num of upstream-uri") } diff --git a/pkg/filelock/filelock.go b/pkg/filelock/filelock.go index 9f9630b6fc4..eb7eb108e85 100644 --- a/pkg/filelock/filelock.go +++ b/pkg/filelock/filelock.go @@ -30,7 +30,7 @@ type FileLock struct { // NewFileLock creates a new file lock on the file described in filePath. func NewFileLock(filePath string) (*FileLock, error) { - file, err := os.OpenFile(filePath, os.O_RDWR|os.O_CREATE|syscall.O_NONBLOCK, 0o666) + file, err := os.OpenFile(filePath, os.O_RDWR|os.O_CREATE|syscall.O_NONBLOCK, 0o600) if err != nil { return nil, errors.Trace(err) } diff --git a/tests/integration_tests/bank/case.go b/tests/integration_tests/bank/case.go index 54220be7559..aa1f918d52a 100644 --- a/tests/integration_tests/bank/case.go +++ b/tests/integration_tests/bank/case.go @@ -619,11 +619,10 @@ func getDownStreamSyncedEndTs(ctx context.Context, db *sql.DB, tableName string) } func tryGetEndTs(db *sql.DB, tableName string) (result string, ok bool) { - query := fmt.Sprintf("admin show ddl jobs where table_name = '%s'", tableName) + query := "admin show ddl jobs where table_name = ?" log.Info("try get end ts", zap.String("query", query)) - var line dataRow - row := db.QueryRow(query) + row := db.QueryRow(query, tableName) if err := row.Scan(&line.JobID, &line.DBName, &line.TblName, &line.JobType, &line.SchemaState, &line.SchemeID, &line.TblID, &line.RowCount, &line.StartTime, &line.EndTime, &line.State); err != nil { if err != sql.ErrNoRows { diff --git a/tests/integration_tests/resolve_lock/main.go b/tests/integration_tests/resolve_lock/main.go index f02ed745270..e6f38644ca0 100644 --- a/tests/integration_tests/resolve_lock/main.go +++ b/tests/integration_tests/resolve_lock/main.go 
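Review bot: In init(), the `log.Fatal("invalid partition-num of upstream-uri")` after the new `strconv.ParseInt(s, 10, 32)` drops err, so the operator sees neither the offending value nor the reason (syntax error vs. out of range, which ParseInt now distinguishes); log it as `log.Fatal("invalid partition-num of upstream-uri", zap.String("value", s), zap.Error(err))`, the way sorter_stress.go in this patch uses zap.Error, assuming the same zap-based logger is in scope here. `c` is now int64, so the code after the hunk that stores it presumably needs a conversion. init() continues past the hunk.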
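Review bot: In NewFileLock the 0o600 mode applies only when `os.OpenFile(filePath, os.O_RDWR|os.O_CREATE|syscall.O_NONBLOCK, 0o600)` actually creates the file (and is further masked by umask); a lock file left behind by an earlier build with 0o666 is reopened with its old permissions. If the tightening must hold for existing files, follow the open with `file.Chmod(0o600)` and handle its error; otherwise record the limitation with `// 0o600 only applies on creation; an existing lock file keeps its mode`.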
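Review bot: With the parameterised `"admin show ddl jobs where table_name = ?"`, `log.Info("try get end ts", zap.String("query", query))` now logs only the template, so the table being polled disappears from the log; add `zap.String("table", tableName)` to the call. It is also worth confirming in the integration run that this ADMIN statement accepts a bound `?` argument, since the old code interpolated the name directly and the hunk gives no evidence the prepared form was exercised. tryGetEndTs continues past the hunk.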
@@ -142,7 +142,7 @@ func getTableID(dbAddr, dbName, table string) (int64, error) { dbStatusAddr := net.JoinHostPort(dbAddr, "10080") url := fmt.Sprintf("http://%s/schema/%s/%s", dbStatusAddr, dbName, table) - resp, err := http.Get(url) + resp, err := http.Get(url) // #nosec G107 if err != nil { return 0, errors.Trace(err) } diff --git a/tests/utils/many_sorters_test/many_sorters.go b/tests/utils/many_sorters_test/many_sorters.go index 1772bc6f37d..f1d99e1a1ac 100644 --- a/tests/utils/many_sorters_test/many_sorters.go +++ b/tests/utils/many_sorters_test/many_sorters.go @@ -65,7 +65,7 @@ func main() { _ = http.ListenAndServe("localhost:6060", nil) }() - err = os.MkdirAll(*sorterDir, 0o755) + err = os.MkdirAll(*sorterDir, 0o700) if err != nil { log.Error("sorter_stress_test:", zap.Error(err)) } diff --git a/tests/utils/sorter_stress_test/sorter_stress.go b/tests/utils/sorter_stress_test/sorter_stress.go index 57ace85345f..62e5eb73dd9 100644 --- a/tests/utils/sorter_stress_test/sorter_stress.go +++ b/tests/utils/sorter_stress_test/sorter_stress.go @@ -18,7 +18,7 @@ import ( "flag" "math/rand" "net/http" - _ "net/http/pprof" + _ "net/http/pprof" // #nosec G108 "os" "strings" @@ -61,7 +61,7 @@ func main() { _ = http.ListenAndServe("localhost:6060", nil) }() - err = os.MkdirAll(*sorterDir, 0o755) + err = os.MkdirAll(*sorterDir, 0o700) if err != nil { log.Error("sorter_stress_test:", zap.Error(err)) }
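Review bot: The `// #nosec G107` on `resp, err := http.Get(url)` silences the finding without stating why it is acceptable; dbAddr, dbName and table are parameters of getTableID (which starts above this hunk), so the comment should say where they come from, e.g. `// #nosec G107 -- dbAddr/dbName/table are test-harness parameters, not user input`. While here, `http.Get` uses the default client with no timeout, so an unresponsive status port (10080) hangs the test indefinitely; `(&http.Client{Timeout: 10 * time.Second}).Get(url)` or a context-bound request would bound it, adding the `time` import if the file does not already have it.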
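Review bot: The `_ "net/http/pprof" // #nosec G108` annotation gives no reason, while the real mitigation is visible in the @@ -61 hunk: the handler is served by `http.ListenAndServe("localhost:6060", nil)`, i.e. loopback only; state that in the comment, e.g. `// #nosec G108 -- stress-test binary; pprof is served on localhost only (see main)`, so the suppression can be re-checked if the listen address ever changes. many_sorters.go in this patch has the same `localhost:6060` listener and, if it carries the same blank import, received no annotation — the two should be consistent.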