gosec fixes (#1201)
* nosec linter suppression in nodekey_test.go * Mark DeterministicEcdsaKeyByIndex as Insecure * nosec - suppress warning * simplify range expression Co-authored-by: tbjump <>
parent
a5c7898de9
commit
d87ae5a272
@ -101,7 +101,7 @@ func runGuardianSetTemplate(cmd *cobra.Command, args []string) {
|
|||
// Use deterministic devnet addresses as examples in the template, such that this doubles as a test fixture.
|
||||
guardians := make([]*nodev1.GuardianSetUpdate_Guardian, *setUpdateNumGuardians)
|
||||
for i := 0; i < *setUpdateNumGuardians; i++ {
|
||||
k := devnet.DeterministicEcdsaKeyByIndex(crypto.S256(), uint64(i))
|
||||
k := devnet.InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), uint64(i))
|
||||
guardians[i] = &nodev1.GuardianSetUpdate_Guardian{
|
||||
Pubkey: crypto.PubkeyToAddress(k.PublicKey).Hex(),
|
||||
Name: fmt.Sprintf("Example validator %d", i),
|
||||
|
|
|
@ -5,11 +5,12 @@ import (
|
|||
"crypto/rand"
|
||||
"errors"
|
||||
"fmt"
|
||||
"github.com/certusone/wormhole/node/pkg/common"
|
||||
"io/ioutil"
|
||||
"log"
|
||||
"os"
|
||||
|
||||
"github.com/certusone/wormhole/node/pkg/common"
|
||||
|
||||
ethcrypto "github.com/ethereum/go-ethereum/crypto"
|
||||
"github.com/spf13/cobra"
|
||||
"golang.org/x/crypto/openpgp/armor" //nolint
|
||||
|
@ -145,5 +146,5 @@ func generateDevnetGuardianKey() (*ecdsa.PrivateKey, error) {
|
|||
}
|
||||
|
||||
// Generate guardian key
|
||||
return devnet.DeterministicEcdsaKeyByIndex(ethcrypto.S256(), uint64(idx)), nil
|
||||
return devnet.InsecureDeterministicEcdsaKeyByIndex(ethcrypto.S256(), uint64(idx)), nil
|
||||
}
|
||||
|
|
|
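Review bot: The call site at the end of `generateDevnetGuardianKey` is documented only as `// Generate guardian key`, which hides the one property a reader of this CLI needs: the returned private key is derived from a fixed seed plus the index, so anyone can recompute it. Suggest replacing that comment with `// Derive the well-known devnet guardian key for this index; the private key is public knowledge and must never be used outside devnet.` The start of `generateDevnetGuardianKey`, including whatever restricts this code path to devnet, is outside the hunk, so I cannot confirm such a guard exists — worth checking that the caller cannot reach this branch with a non-devnet flag set.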
@ -2,18 +2,19 @@ package common
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/libp2p/go-libp2p-core/crypto"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/zap"
|
||||
"io/ioutil"
|
||||
"math/rand"
|
||||
"os"
|
||||
"testing"
|
||||
|
||||
"github.com/libp2p/go-libp2p-core/crypto"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
func TestGetOrCreateNodeKeyWithNewPath(t *testing.T) {
|
||||
// Get a non-existing temp file path to write auto-generated privKey to
|
||||
path := "/tmp/node_key_test_" + fmt.Sprint(rand.Int())
|
||||
path := "/tmp/node_key_test_" + fmt.Sprint(rand.Int()) //#nosec G404 no CSPRNG needed here
|
||||
defer os.Remove(path)
|
||||
|
||||
logger, _ := zap.NewProduction()
|
||||
|
|
|
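Review bot: Suppressing G404 on `path := "/tmp/node_key_test_" + fmt.Sprint(rand.Int())` papers over the real problem: `math/rand` is never seeded in this test, so `rand.Int()` yields the same value on every run, the path is fully predictable, parallel test invocations collide on one file, and a leftover from a crashed run violates the "non-existing" assumption in the comment above. The test is not random-number-dependent at all; it needs a fresh directory, which the testing package provides without any linter exemption: `path := t.TempDir() + "/node_key"` (Go 1.15+), which also makes the `defer os.Remove(path)` unnecessary since the directory is cleaned up automatically. If the module targets an older Go, `ioutil.TempDir("", "node_key_test")` (already imported here) gives the same guarantee with an explicit `defer os.RemoveAll`. The rest of `TestGetOrCreateNodeKeyWithNewPath` is outside the hunk.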
@ -6,11 +6,11 @@ import (
|
|||
mathrand "math/rand"
|
||||
)
|
||||
|
||||
// DeterministicEcdsaKeyByIndex generates a deterministic ecdsa.PrivateKey from a given index.
|
||||
func DeterministicEcdsaKeyByIndex(c elliptic.Curve, idx uint64) *ecdsa.PrivateKey {
|
||||
// InsecureDeterministicEcdsaKeyByIndex generates a deterministic ecdsa.PrivateKey from a given index.
|
||||
func InsecureDeterministicEcdsaKeyByIndex(c elliptic.Curve, idx uint64) *ecdsa.PrivateKey {
|
||||
// use 555 as offset to deterministically generate key 0 to match vaa-test such that
|
||||
// we generate the same key.
|
||||
r := mathrand.New(mathrand.NewSource(int64(555 + idx)))
|
||||
r := mathrand.New(mathrand.NewSource(int64(555 + idx))) //#nosec G404 Testnet/devnet keys are not secret.
|
||||
key, err := ecdsa.GenerateKey(c, r)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
|
|
|
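Review bot: The doc comment on `InsecureDeterministicEcdsaKeyByIndex` was only renamed along with the function and still does not say why it is insecure, so the `Insecure` prefix is the only warning a caller gets. Suggest expanding it to `// InsecureDeterministicEcdsaKeyByIndex generates a deterministic ecdsa.PrivateKey from a given index. The key is derived from a math/rand source seeded with 555+idx, so the private key is trivially recomputable by anyone; it exists only for devnet/testnet fixtures and must never be used for real guardians.` The function body continues past the hunk.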
@ -3,9 +3,10 @@ package devnet
|
|||
import (
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"testing"
|
||||
|
||||
"github.com/ethereum/go-ethereum/crypto"
|
||||
"github.com/stretchr/testify/assert"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func TestDeterministicEcdsaKeyByIndex(t *testing.T) {
|
||||
|
@ -23,7 +24,7 @@ func TestDeterministicEcdsaKeyByIndex(t *testing.T) {
|
|||
|
||||
for _, tc := range tests {
|
||||
t.Run(fmt.Sprint(tc.index), func(t *testing.T) {
|
||||
privKey := DeterministicEcdsaKeyByIndex(crypto.S256(), tc.index)
|
||||
privKey := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), tc.index)
|
||||
got := crypto.FromECDSA(privKey)
|
||||
assert.Equal(t, tc.privKeyHex, hex.EncodeToString(got))
|
||||
})
|
||||
|
|
|
@ -8,7 +8,7 @@ import (
|
|||
|
||||
// DeterministicP2PPrivKeyByIndex generates a deterministic libp2p crypto.PrivateKey from a given index.
|
||||
func DeterministicP2PPrivKeyByIndex(idx int64) crypto.PrivKey {
|
||||
r := mathrand.New(mathrand.NewSource(int64(idx)))
|
||||
r := mathrand.New(mathrand.NewSource(int64(idx))) //#nosec G404 testnet / devnet keys are public knowledge
|
||||
priv, _, err := crypto.GenerateKeyPairWithReader(crypto.Ed25519, -1, r)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
|
|
|
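Review bot: `DeterministicP2PPrivKeyByIndex` has exactly the property that made this commit rename the ECDSA helper to `InsecureDeterministicEcdsaKeyByIndex` — its `//#nosec G404` justification says the keys are public knowledge — yet it keeps a name with no such marker, so the two devnet helpers now signal different risk levels for the same construction. For consistency, rename it to `InsecureDeterministicP2PPrivKeyByIndex` and update the doc comment to `// InsecureDeterministicP2PPrivKeyByIndex generates a deterministic libp2p crypto.PrivKey from a given index; the key is recomputable by anyone and is only for devnet/testnet.` Callers of this helper are not visible in the diff and would need the same rename. The function body continues past the hunk.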
@ -22,7 +22,7 @@ func DevnetGuardianSetVSS(n uint) *vaa.VAA {
|
|||
pubkeys := make([]common.Address, n)
|
||||
|
||||
for n := range pubkeys {
|
||||
key := DeterministicEcdsaKeyByIndex(crypto.S256(), uint64(n))
|
||||
key := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), uint64(n))
|
||||
pubkeys[n] = crypto.PubkeyToAddress(key.PublicKey)
|
||||
}
|
||||
|
||||
|
@ -41,7 +41,7 @@ func DevnetGuardianSetVSS(n uint) *vaa.VAA {
|
|||
}
|
||||
|
||||
// The devnet is initialized with a single guardian (ethereum/migrations/1_initial_migration.js).
|
||||
key0 := DeterministicEcdsaKeyByIndex(crypto.S256(), 0)
|
||||
key0 := InsecureDeterministicEcdsaKeyByIndex(crypto.S256(), 0)
|
||||
v.AddSignature(key0, 0)
|
||||
|
||||
return v
|
||||
|
|
|
@ -210,7 +210,7 @@ func (n *node) runGroup(runnables map[string]Runnable) error {
|
|||
}
|
||||
|
||||
// Check the requested runnable names.
|
||||
for name, _ := range runnables {
|
||||
for name := range runnables {
|
||||
if !reNodeName.MatchString(name) {
|
||||
return fmt.Errorf("runnable name %q is invalid", name)
|
||||
}
|
||||
|
@ -237,7 +237,7 @@ func (n *node) runGroup(runnables map[string]Runnable) error {
|
|||
|
||||
// Schedule execution of group members.
|
||||
go func() {
|
||||
for name, _ := range runnables {
|
||||
for name := range runnables {
|
||||
n.sup.pReq <- &processorRequest{
|
||||
schedule: &processorRequestSchedule{
|
||||
dn: dns[name],
|
||||
|
|
|
@ -206,7 +206,7 @@ func (s *supervisor) processDied(r *processorRequestDied) {
|
|||
|
||||
// Cancel all siblings.
|
||||
if n.parent != nil {
|
||||
for name, _ := range n.parent.groupSiblings(n.name) {
|
||||
for name := range n.parent.groupSiblings(n.name) {
|
||||
if name == n.name {
|
||||
continue
|
||||
}
|
||||
|
@ -262,7 +262,7 @@ func (s *supervisor) processGC() {
|
|||
|
||||
// We build a queue of nodes to visit, starting from the leaves.
|
||||
queue = []*node{}
|
||||
for l, _ := range leaves {
|
||||
for l := range leaves {
|
||||
queue = append(queue, s.nodeByDN(l))
|
||||
}
|
||||
|
||||
|
@ -366,7 +366,7 @@ func (s *supervisor) processGC() {
|
|||
}
|
||||
|
||||
// Reinitialize and reschedule all subtrees
|
||||
for dn, _ := range can {
|
||||
for dn := range can {
|
||||
n := s.nodeByDN(dn)
|
||||
|
||||
// Only back off when the node unexpectedly died - not when it got canceled.
|
||||
|
|