Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vault-3991 Code Scanning Alerts Changes #13667

Merged
merged 4 commits into from
Jan 14, 2022
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/13667.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:improvement
core: Fixes code scanning alerts
```
16 changes: 11 additions & 5 deletions command/base_flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"errors"
"flag"
"fmt"
"math"
"os"
"sort"
"strconv"
Expand Down Expand Up @@ -246,9 +247,11 @@ func (i *intValue) Set(s string) error {
if err != nil {
return err
}

*i.target = int(v)
return nil
if v >= math.MinInt && v <= math.MaxInt {
*i.target = int(v)
return nil
}
return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for int32", v)
}

func (i *intValue) Get() interface{} { return int(*i.target) }
Expand Down Expand Up @@ -374,9 +377,12 @@ func (i *uintValue) Set(s string) error {
if err != nil {
return err
}
if v > 0 && v <= math.MaxUint {
*i.target = uint(v)
return nil
}

*i.target = uint(v)
return nil
return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for uint32", v)
}

func (i *uintValue) Get() interface{} { return uint(*i.target) }
Expand Down
23 changes: 12 additions & 11 deletions sdk/helper/certutil/helpers.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,9 +36,9 @@ import (
const rsaMinimumSecureKeySize = 2048

// Mapping of key types to default key lengths
var defaultAlgorithmKeyBits = map[string]int {
var defaultAlgorithmKeyBits = map[string]int{
"rsa": 2048,
"ec": 256,
"ec": 256,
}

// Mapping of NIST P-Curve's key length to expected signature bits.
Expand Down Expand Up @@ -370,6 +370,9 @@ func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) {
func ParsePublicKeyPEM(data []byte) (interface{}, error) {
block, data := pem.Decode(data)
if block != nil {
if len(bytes.TrimSpace(data)) > 0 {
return nil, errutil.UserError{Err: "unexpected trailing data after parsed PEM block"}
}
var rawKey interface{}
var err error
if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
Expand All @@ -380,17 +383,15 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) {
}
}

if rsaPublicKey, ok := rawKey.(*rsa.PublicKey); ok {
return rsaPublicKey, nil
}
if ecPublicKey, ok := rawKey.(*ecdsa.PublicKey); ok {
return ecPublicKey, nil
}
if edPublicKey, ok := rawKey.(ed25519.PublicKey); ok {
return edPublicKey, nil
switch key := rawKey.(type) {
case *rsa.PublicKey:
return key, nil
case *ecdsa.PublicKey:
return key, nil
case ed25519.PublicKey:
return key, nil
}
}

return nil, errors.New("data does not contain any valid public keys")
}

Expand Down
4 changes: 2 additions & 2 deletions sdk/logical/translate_response.go
Original file line number Diff line number Diff line change
Expand Up @@ -134,8 +134,8 @@ func (h HTTPSysInjector) MarshalJSON() ([]byte, error) {
}
// Marshaling a response will always be a JSON object, meaning it will
// always start with '{', so we hijack this to prepend necessary values
// Make a guess at the capacity, and write the object opener
buf := bytes.NewBuffer(make([]byte, 0, len(j)*2))

var buf bytes.Buffer
buf.WriteRune('{')
for k, v := range h.Response.Data {
// Marshal each key/value individually
Expand Down
2 changes: 1 addition & 1 deletion vault/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -817,7 +817,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
}

// Set up conf to pass in plugin_name
conf := make(map[string]string, len(entry.Options)+1)
conf := make(map[string]string)
for k, v := range entry.Options {
conf[k] = v
}
Expand Down
8 changes: 6 additions & 2 deletions vault/barrier_aes_gcm.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ import (
"errors"
"fmt"
"io"
"math"
"strconv"
"strings"
"sync"
Expand Down Expand Up @@ -959,10 +960,13 @@ func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) {
func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
// Allocate the output buffer with room for tern, version byte,
// nonce, GCM tag and the plaintext
capacity := termSize + 1 + gcm.NonceSize() + gcm.Overhead() + len(plain)
if capacity < 0 {

extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead()
if len(plain) > math.MaxInt-extra {
return nil, ErrPlaintextTooLarge
}

capacity := len(plain) + extra
size := termSize + 1 + gcm.NonceSize()
out := make([]byte, size, capacity)

Expand Down
2 changes: 1 addition & 1 deletion vault/identity_store_oidc.go
Original file line number Diff line number Diff line change
Expand Up @@ -1700,7 +1700,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
return now, err
}

usedKeys := make([]string, 0, 2*len(namedKeys))
usedKeys := make([]string, 0)

for _, k := range namedKeys {
entry, err := s.Get(ctx, namedKeyConfigPath+k)
Expand Down
2 changes: 1 addition & 1 deletion vault/mount.go
Original file line number Diff line number Diff line change
Expand Up @@ -1374,7 +1374,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
}

// Set up conf to pass in plugin_name
conf := make(map[string]string, len(entry.Options)+1)
conf := make(map[string]string)
for k, v := range entry.Options {
conf[k] = v
}
Expand Down