supabase / auth / 10779572699
69%

DEFAULT BRANCH: master
Ran
Jobs 1
Files 128
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 57.92%. Remained the same
10779572699

push

github

web-flow 
chore: fix gosec warnings via ignore annotations in comments (#1770)

## What kind of change does this PR introduce?

Fix to gosec warnings so builds can complete.

## What is the current behavior?

The gosec checks are halting builds.

## What is the new behavior?

The gosec checks are passing.

## Additional context

I didn't see any warnings that led to real vulnerabilities / security
issues.

That said long term it may be worth adding some defensive bounds checks
for a couple of the integer overflow warnings, just to future proof us
age the code ages. Given that we allow supabase users to write to the
database, not sure we can guarantee a user doesn't provide a
bring-your-own-hash singup flow or something like that. Unbound
allocations are a prime target for DoS attacks.

For the nonce issues, neither is was real issue. Open is not "fixable,
see gosec issue [#1211](https://github.com/securego/gosec/issues/1211).
For Seal I tried:
```
	nonce := make([]byte, cipher.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}

	es := EncryptedString{
		KeyID:     keyID,
		Algorithm: "aes-gcm-hkdf",
		Nonce:     nonce,
	}
	es.Data = cipher.Seal(nil, es.Nonce, data, nil)
```

But it then considers es.Nonce to be stored / hardcoded. The only fix I
could get to work was:
```Go
	nonce := make([]byte, cipher.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}

	es := EncryptedString{
		KeyID:     keyID,
		Algorithm: "aes-gcm-hkdf",
		Nonce:     nonce,
		Data:      cipher.Seal(nil, nonce, data, nil),
	}
```

It seems the gosec tool requires using `rand.Read`. I changed the
`cipher.NonceSize()` back to `12` (just in case it a numerical constant
for a reason) and it started failing again. I think it also checks that
cipher.NonceSize() is used as well, just doesn't report that. I
ultimately decided to ignore this so there was no changes to crypto
functions given th... (continued)

11 of 11 new or added lines in 6 files covered. (100.0%)

9138 of 15777 relevant lines covered (57.92%)

55.64 hits per line

Jobs
ID Job ID Ran Files Coverage
1 10779572699.1 128
57.92
 GitHub Action Run
Source Files on build 10779572699