gosec fixes (#1201)
* nosec linter suppression in nodekey_test.go * Mark DeterministicEcdsaKeyByIndex as Insecure * nosec - suppress warning * simplify range expression Co-authored-by: tbjump <>
This commit is contained in:
parent
a5c7898de9
commit
d87ae5a272
@ -101,7 +101,7 @@ func runGuardianSetTemplate(cmd *cobra.Command, args []string) {
|
||||||
// Use deterministic devnet addresses as examples in the template, such that this doubles as a test fixture.
|
// Use deterministic devnet addresses as examples in the template, such that this doubles as a test fixture.
|
||||||
guardians := make([]*nodev1.GuardianSetUpdate_Guardian, *setUpdateNumGuardians)
|
guardians := make([]*nodev1.GuardianSetUpdate_Guardian, *setUpdateNumGuardians)
|
||||||
for i := 0; i < *setUpdateNumGuardians; i++ {
|
for i := 0; i < *setUpdateNumGuardians; i++ {
|
||||||
k := devnet.DeterministicEcdsaKeyByIndex(crypto.S256(), uint64(i))
|
k := devnet.InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), uint64(i))
|
||||||
guardians[i] = &nodev1.GuardianSetUpdate_Guardian{
|
guardians[i] = &nodev1.GuardianSetUpdate_Guardian{
|
||||||
Pubkey: crypto.PubkeyToAddress(k.PublicKey).Hex(),
|
Pubkey: crypto.PubkeyToAddress(k.PublicKey).Hex(),
|
||||||
Name: fmt.Sprintf("Example validator %d", i),
|
Name: fmt.Sprintf("Example validator %d", i),
|
||||||
|
|
|
@ -5,11 +5,12 @@ import (
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/certusone/wormhole/node/pkg/common"
|
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"log"
|
"log"
|
||||||
"os"
|
"os"
|
||||||
|
|
||||||
|
"github.com/certusone/wormhole/node/pkg/common"
|
||||||
|
|
||||||
ethcrypto "github.com/ethereum/go-ethereum/crypto"
|
ethcrypto "github.com/ethereum/go-ethereum/crypto"
|
||||||
"github.com/spf13/cobra"
|
"github.com/spf13/cobra"
|
||||||
"golang.org/x/crypto/openpgp/armor" //nolint
|
"golang.org/x/crypto/openpgp/armor" //nolint
|
||||||
|
@ -145,5 +146,5 @@ func generateDevnetGuardianKey() (*ecdsa.PrivateKey, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate guardian key
|
// Generate guardian key
|
||||||
return devnet.DeterministicEcdsaKeyByIndex(ethcrypto.S256(), uint64(idx)), nil
|
return devnet.InsecureDeterministicEcdsaKeyByIndex(ethcrypto.S256(), uint64(idx)), nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,18 +2,19 @@ package common
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/libp2p/go-libp2p-core/crypto"
|
|
||||||
"github.com/stretchr/testify/assert"
|
|
||||||
"go.uber.org/zap"
|
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"os"
|
"os"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"github.com/libp2p/go-libp2p-core/crypto"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"go.uber.org/zap"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestGetOrCreateNodeKeyWithNewPath(t *testing.T) {
|
func TestGetOrCreateNodeKeyWithNewPath(t *testing.T) {
|
||||||
// Get a non-existing temp file path to write auto-generated privKey to
|
// Get a non-existing temp file path to write auto-generated privKey to
|
||||||
path := "/tmp/node_key_test_" + fmt.Sprint(rand.Int())
|
path := "/tmp/node_key_test_" + fmt.Sprint(rand.Int()) //#nosec G404 no CSPRNG needed here
|
||||||
defer os.Remove(path)
|
defer os.Remove(path)
|
||||||
|
|
||||||
logger, _ := zap.NewProduction()
|
logger, _ := zap.NewProduction()
|
||||||
|
|
|
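Review bot: The `#nosec G404` added to the `path :=` line suppresses the finding without removing its cause: the test still builds a fixed-prefix file name in the shared `/tmp` from an unseeded `math/rand`, so the path is predictable and can collide with a leftover file or a concurrent test run. Replacing the line with `path := filepath.Join(t.TempDir(), "node_key")` (adding `"path/filepath"` to the imports) gives the test a private, automatically cleaned-up directory, makes the `defer os.Remove(path)` and the `math/rand` import unnecessary, and lets the suppression go away. `TestGetOrCreateNodeKeyWithNewPath` continues past the end of this hunk.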
@ -6,11 +6,11 @@ import (
|
||||||
mathrand "math/rand"
|
mathrand "math/rand"
|
||||||
)
|
)
|
||||||
|
|
||||||
// DeterministicEcdsaKeyByIndex generates a deterministic ecdsa.PrivateKey from a given index.
|
// InsecureDeterministicEcdsaKeyByIndex generates a deterministic ecdsa.PrivateKey from a given index.
|
||||||
func DeterministicEcdsaKeyByIndex(c elliptic.Curve, idx uint64) *ecdsa.PrivateKey {
|
func InsecureDeterministicEcdsaKeyByIndex(c elliptic.Curve, idx uint64) *ecdsa.PrivateKey {
|
||||||
// use 555 as offset to deterministically generate key 0 to match vaa-test such that
|
// use 555 as offset to deterministically generate key 0 to match vaa-test such that
|
||||||
// we generate the same key.
|
// we generate the same key.
|
||||||
r := mathrand.New(mathrand.NewSource(int64(555 + idx)))
|
r := mathrand.New(mathrand.NewSource(int64(555 + idx))) //#nosec G404 Testnet/devnet keys are not secret.
|
||||||
key, err := ecdsa.GenerateKey(c, r)
|
key, err := ecdsa.GenerateKey(c, r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
|
|
|
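Review bot: The renamed doc comment on `InsecureDeterministicEcdsaKeyByIndex` still only says that it generates a deterministic key and does not explain why the name carries `Insecure`; the rationale lives in the `#nosec` trailer, which godoc readers never see. Suggest extending the comment to: `// InsecureDeterministicEcdsaKeyByIndex generates a deterministic ecdsa.PrivateKey from a given index.` / `// The key is derived from math/rand seeded with the index, so anyone can recompute it; it is only` / `// suitable for devnet/testnet fixtures and must never guard real funds or signing authority.` The body of the function continues beyond this hunk.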
@ -3,9 +3,10 @@ package devnet
|
||||||
import (
|
import (
|
||||||
"encoding/hex"
|
"encoding/hex"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"testing"
|
||||||
|
|
||||||
"github.com/ethereum/go-ethereum/crypto"
|
"github.com/ethereum/go-ethereum/crypto"
|
||||||
"github.com/stretchr/testify/assert"
|
"github.com/stretchr/testify/assert"
|
||||||
"testing"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestDeterministicEcdsaKeyByIndex(t *testing.T) {
|
func TestDeterministicEcdsaKeyByIndex(t *testing.T) {
|
||||||
|
@ -23,7 +24,7 @@ func TestDeterministicEcdsaKeyByIndex(t *testing.T) {
|
||||||
|
|
||||||
for _, tc := range tests {
|
for _, tc := range tests {
|
||||||
t.Run(fmt.Sprint(tc.index), func(t *testing.T) {
|
t.Run(fmt.Sprint(tc.index), func(t *testing.T) {
|
||||||
privKey := DeterministicEcdsaKeyByIndex(crypto.S256(), tc.index)
|
privKey := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), tc.index)
|
||||||
got := crypto.FromECDSA(privKey)
|
got := crypto.FromECDSA(privKey)
|
||||||
assert.Equal(t, tc.privKeyHex, hex.EncodeToString(got))
|
assert.Equal(t, tc.privKeyHex, hex.EncodeToString(got))
|
||||||
})
|
})
|
||||||
|
|
|
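Review bot: The test at `func TestDeterministicEcdsaKeyByIndex` keeps its old name while the function it pins is now `InsecureDeterministicEcdsaKeyByIndex`, so `go test -run` by name and a grep for the function no longer find the test. Renaming it to `func TestInsecureDeterministicEcdsaKeyByIndex(t *testing.T) {` keeps the two discoverable together. The test body continues past the end of this hunk.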
@ -8,7 +8,7 @@ import (
|
||||||
|
|
||||||
// DeterministicP2PPrivKeyByIndex generates a deterministic libp2p crypto.PrivateKey from a given index.
|
// DeterministicP2PPrivKeyByIndex generates a deterministic libp2p crypto.PrivateKey from a given index.
|
||||||
func DeterministicP2PPrivKeyByIndex(idx int64) crypto.PrivKey {
|
func DeterministicP2PPrivKeyByIndex(idx int64) crypto.PrivKey {
|
||||||
r := mathrand.New(mathrand.NewSource(int64(idx)))
|
r := mathrand.New(mathrand.NewSource(int64(idx))) //#nosec G404 testnet / devnet keys are public knowledge
|
||||||
priv, _, err := crypto.GenerateKeyPairWithReader(crypto.Ed25519, -1, r)
|
priv, _, err := crypto.GenerateKeyPairWithReader(crypto.Ed25519, -1, r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
|
|
|
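Review bot: `DeterministicP2PPrivKeyByIndex` receives the same `#nosec G404` treatment as the ECDSA helper in this commit but not the `Insecure` prefix, so the two devnet key derivations now signal their status to callers differently. Either rename it `InsecureDeterministicP2PPrivKeyByIndex` for consistency, or at minimum extend its doc comment: `// DeterministicP2PPrivKeyByIndex generates a deterministic libp2p crypto.PrivateKey from a given index.` / `// The key is derived from math/rand seeded with idx and is publicly recomputable; devnet/testnet use only.` The function body continues beyond this hunk.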
@ -22,7 +22,7 @@ func DevnetGuardianSetVSS(n uint) *vaa.VAA {
|
||||||
pubkeys := make([]common.Address, n)
|
pubkeys := make([]common.Address, n)
|
||||||
|
|
||||||
for n := range pubkeys {
|
for n := range pubkeys {
|
||||||
key := DeterministicEcdsaKeyByIndex(crypto.S256(), uint64(n))
|
key := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), uint64(n))
|
||||||
pubkeys[n] = crypto.PubkeyToAddress(key.PublicKey)
|
pubkeys[n] = crypto.PubkeyToAddress(key.PublicKey)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -41,7 +41,7 @@ func DevnetGuardianSetVSS(n uint) *vaa.VAA {
|
||||||
}
|
}
|
||||||
|
|
||||||
// The devnet is initialized with a single guardian (ethereum/migrations/1_initial_migration.js).
|
// The devnet is initialized with a single guardian (ethereum/migrations/1_initial_migration.js).
|
||||||
key0 := DeterministicEcdsaKeyByIndex(crypto.S256(), 0)
|
key0 := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), 0)
|
||||||
v.AddSignature(key0, 0)
|
v.AddSignature(key0, 0)
|
||||||
|
|
||||||
return v
|
return v
|
||||||
|
|
|
@ -210,7 +210,7 @@ func (n *node) runGroup(runnables map[string]Runnable) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check the requested runnable names.
|
// Check the requested runnable names.
|
||||||
for name, _ := range runnables {
|
for name := range runnables {
|
||||||
if !reNodeName.MatchString(name) {
|
if !reNodeName.MatchString(name) {
|
||||||
return fmt.Errorf("runnable name %q is invalid", name)
|
return fmt.Errorf("runnable name %q is invalid", name)
|
||||||
}
|
}
|
||||||
|
@ -237,7 +237,7 @@ func (n *node) runGroup(runnables map[string]Runnable) error {
|
||||||
|
|
||||||
// Schedule execution of group members.
|
// Schedule execution of group members.
|
||||||
go func() {
|
go func() {
|
||||||
for name, _ := range runnables {
|
for name := range runnables {
|
||||||
n.sup.pReq <- &processorRequest{
|
n.sup.pReq <- &processorRequest{
|
||||||
schedule: &processorRequestSchedule{
|
schedule: &processorRequestSchedule{
|
||||||
dn: dns[name],
|
dn: dns[name],
|
||||||
|
|
|
@ -206,7 +206,7 @@ func (s *supervisor) processDied(r *processorRequestDied) {
|
||||||
|
|
||||||
// Cancel all siblings.
|
// Cancel all siblings.
|
||||||
if n.parent != nil {
|
if n.parent != nil {
|
||||||
for name, _ := range n.parent.groupSiblings(n.name) {
|
for name := range n.parent.groupSiblings(n.name) {
|
||||||
if name == n.name {
|
if name == n.name {
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
@ -262,7 +262,7 @@ func (s *supervisor) processGC() {
|
||||||
|
|
||||||
// We build a queue of nodes to visit, starting from the leaves.
|
// We build a queue of nodes to visit, starting from the leaves.
|
||||||
queue = []*node{}
|
queue = []*node{}
|
||||||
for l, _ := range leaves {
|
for l := range leaves {
|
||||||
queue = append(queue, s.nodeByDN(l))
|
queue = append(queue, s.nodeByDN(l))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -366,7 +366,7 @@ func (s *supervisor) processGC() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Reinitialize and reschedule all subtrees
|
// Reinitialize and reschedule all subtrees
|
||||||
for dn, _ := range can {
|
for dn := range can {
|
||||||
n := s.nodeByDN(dn)
|
n := s.nodeByDN(dn)
|
||||||
|
|
||||||
// Only back off when the node unexpectedly died - not when it got canceled.
|
// Only back off when the node unexpectedly died - not when it got canceled.
|
||||||
|
|