security: fix security alerts of gosec

natrontech · Jun 19, 2024 · bed1906 · bed1906
1 parent cc8d0f6
commit bed1906
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 10 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -49,7 +49,7 @@ jobs:
     - if: matrix.build-mode == 'manual'
       env:
         # fix "go: download go1.22 for linux/amd64: toolchain not available" error
-        GOTOOLCHAIN: "go1.22.2"
+        GOTOOLCHAIN: "go1.22.4"
       run: |
         make go-build
 

diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
@@ -24,7 +24,7 @@ jobs:
           persist-credentials: false
       - name: Run Gosec Security Scanner
         env:
-          GOTOOLCHAIN: "go1.22.2"
+          GOTOOLCHAIN: "go1.22.4"
         uses: securego/gosec@6fbd381238e97e1d1f3358f0d6d65de78dcf9245 # v2.20.0
         with:
           args: ./...
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/natrontech/pbs-exporter
 
-go 1.22.2
+go 1.22.4
 
 require github.com/prometheus/client_golang v1.19.1
 

diff --git a/main.go b/main.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
 	"regexp"
 	"strconv"
 	"time"
@@ -30,7 +31,9 @@ var BuildTime = "unknown"
 
 var (
 	tr = &http.Transport{
-		TLSClientConfig: &tls.Config{},
+		TLSClientConfig: &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		},
 	}
 	client = &http.Client{
 		Transport: tr,
@@ -239,7 +242,7 @@ type Exporter struct {
 }
 
 func ReadSecretFile(secretfilename string) string {
-	file, err := os.Open(secretfilename)
+	file, err := os.Open(filepath.Clean(secretfilename))
 	// flag to check the file format
 	if err != nil {
 		log.Fatal(err)
@@ -327,7 +330,9 @@ func (e *Exporter) collectFromAPI(ch chan<- prometheus.Metric) error {
 	}
 
 	body, err := io.ReadAll(resp.Body)
-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Printf("Error closing response body: %v", err)
+	}
 	if err != nil {
 		return err
 	}
@@ -392,7 +397,9 @@ func (e *Exporter) getNodeMetrics(ch chan<- prometheus.Metric) error {
 	}
 
 	body, err := io.ReadAll(resp.Body)
-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Printf("Error closing response body: %v", err)
+	}
 	if err != nil {
 		return err
 	}
@@ -507,7 +514,9 @@ func (e *Exporter) getDatastoreMetric(datastore Datastore, ch chan<- prometheus.
 	}
 
 	body, err := io.ReadAll(resp.Body)
-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Printf("Error closing response body: %v", err)
+	}
 	if err != nil {
 		return err
 	}
@@ -580,7 +589,9 @@ func (e *Exporter) getNamespaceMetric(datastore string, namespace string, ch cha
 	}
 
 	body, err := io.ReadAll(resp.Body)
-	resp.Body.Close()
+	if err := resp.Body.Close(); err != nil {
+		log.Printf("Error closing response body: %v", err)
+	}
 	if err != nil {
 		return err
 	}
@@ -792,5 +803,12 @@ func main() {
 			log.Printf("ERROR: Failed to write response: %s", err)
 		}
 	})
-	log.Fatal(http.ListenAndServe(*listenAddress, nil))
+
+	server := &http.Server{
+		Addr:         *listenAddress,
+		Handler:      nil,
+		ReadTimeout:  time.Second * 10,
+		WriteTimeout: time.Second * 10,
+	}
+	log.Fatal(server.ListenAndServe())
 }