enable gosec (#1299)

* enable gosec

* gosec G404 - weak number generator

* gosec G112 - slow loris

* G306 - poor file permissions

* gosec G101 - potential secret

* gosec G115 potential overflow

* gosec G107 - potentially tainted url

* gosec G204

Author: jordanstephens

.golangci.yaml

@@ -45,7 +45,7 @@ linters:
     # - gomoddirectives
     - gomodguard
     - goprintffuncname
-    # - gosec
+    - gosec
     # - gosmopolitan
     # - govet
     - grouper
@@ -116,6 +116,10 @@ linters:
       - third_party$
       - builtin$
       - examples$
+  settings:
+    gosec:
+      config:
+        G306: "0o644"
 formatters:
   enable:
     - gofmt

src/cmd/cli/command/commands.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"math/rand"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -140,11 +139,11 @@ func Execute(ctx context.Context) error {
 		fmt.Println("For help with warnings, check our FAQ at https://s.defang.io/warnings")
 	}
 
-	if hasTty && !hideUpdate && rand.Intn(10) == 0 {
+	if hasTty && !hideUpdate && pkg.RandomIndex(10) == 0 {
 		if latest, err := GetLatestVersion(ctx); err == nil && isNewer(GetCurrentVersion(), latest) {
 			term.Debug("Latest Version:", latest, "Current Version:", GetCurrentVersion())
 			fmt.Println("A newer version of the CLI is available at https://github.com/DefangLabs/defang/releases/latest")
-			if rand.Intn(10) == 0 && !pkg.GetenvBool("DEFANG_HIDE_HINTS") {
+			if pkg.RandomIndex(10) == 0 && !pkg.GetenvBool("DEFANG_HIDE_HINTS") {
 				fmt.Println("To silence these notices, do: export DEFANG_HIDE_UPDATE=1")
 			}
 		}

src/cmd/cli/command/hint.go

@@ -2,7 +2,6 @@ package command
 
 import (
 	"fmt"
-	"math/rand"
 	"os"
 	"path/filepath"
 	"strings"
@@ -62,7 +61,7 @@ func printDefangHint(hint string, cmds ...string) {
 	for _, arg := range cmds {
 		fmt.Printf("  %s %s\n\n", executable, arg)
 	}
-	if rand.Intn(10) == 0 {
+	if pkg.RandomIndex(10) == 0 {
 		fmt.Println("To silence these hints, do: export DEFANG_HIDE_HINTS=1")
 	}
 }

src/pkg/auth/auth.go

@@ -119,7 +119,11 @@ func ServeAuthCodeFlowServer(ctx context.Context, authPort int, tenant types.Ten
 	})
 
 	// set the port and the handler to the server
-	server := &http.Server{Addr: "0.0.0.0:" + strconv.Itoa(authPort), Handler: handler}
+	server := &http.Server{
+		Addr:              "0.0.0.0:" + strconv.Itoa(authPort),
+		Handler:           handler,
+		ReadHeaderTimeout: 5 * time.Second,
+	}
 
 	// Start the server
 	err = server.ListenAndServe()

src/pkg/cli/cert.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"math/rand"
 	"net"
 	"net/http"
 	"strings"
@@ -60,7 +59,7 @@ var (
 				}
 
 				dialer := &net.Dialer{}
-				rootAddr := net.JoinHostPort(ips[rand.Intn(len(ips))].String(), port)
+				rootAddr := net.JoinHostPort(ips[pkg.RandomIndex(len(ips))].String(), port)
 				return dialer.DialContext(ctx, network, rootAddr)
 			},
 			ForceAttemptHTTP2:     true,

src/pkg/cli/client/byoc/common.go

@@ -44,6 +44,8 @@ func GetPulumiBackend(stateUrl string) (string, string, error) {
 }
 
 func runLocalCommand(ctx context.Context, dir string, env []string, cmd ...string) error {
+	// TODO - use enums to define commands instead of passing strings down from the caller
+	// #nosec G204
 	command := exec.CommandContext(ctx, cmd[0], cmd[1:]...)
 	command.Dir = dir
 	command.Env = env

src/pkg/clouds/aws/ecs/cfn/template.go

@@ -124,6 +124,7 @@ func createTemplate(stack string, containers []types.Container, overrides Templa
 		},
 	}
 
+	// #nosec G101 - not a secret
 	const _privateRepoSecret = "PrivateRepoSecret"
 	// 5. ECR pull-through cache rules
 	// TODO: Creating pull through cache rules isn't supported in the following Regions:

src/pkg/clouds/aws/route53.go

@@ -3,9 +3,9 @@ package aws
 import (
 	"context"
 	"errors"
-	"math/rand"
 	"time"
 
+	"github.com/DefangLabs/defang/src/pkg"
 	"github.com/DefangLabs/defang/src/pkg/dns"
 	"github.com/aws/aws-sdk-go-v2/service/route53"
 	"github.com/aws/aws-sdk-go-v2/service/route53/types"
@@ -61,7 +61,7 @@ func GetDelegationSet(ctx context.Context, r53 Route53API) (*types.DelegationSet
 	}
 	// Return a random delegation set, to work around the 100 zones-per-delegation-set limit,
 	// because we can't easily tell how many zones are using each delegation set.
-	return &resp.DelegationSets[rand.Intn(len(resp.DelegationSets))], nil
+	return &resp.DelegationSets[pkg.RandomIndex(len(resp.DelegationSets))], nil
 }
 
 func GetHostedZoneByName(ctx context.Context, domain string, r53 Route53API) (*types.HostedZone, error) {

src/pkg/dns/resolver.go

@@ -4,11 +4,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"math/rand"
 	"net"
 	"slices"
 	"sort"
 
+	"github.com/DefangLabs/defang/src/pkg"
 	"github.com/miekg/dns"
 )
 
@@ -66,14 +66,15 @@ func (r RootResolver) getResolver(ctx context.Context, domain string) Resolver {
 	if err != nil {
 		return DirectResolver{}
 	}
-	return DirectResolver{NSServer: ns[rand.Intn(len(ns))].Host}
+	return DirectResolver{NSServer: ns[pkg.RandomIndex(len(ns))].Host}
 }
 
 func FindNSServers(ctx context.Context, domain string) ([]*net.NS, error) {
 	nsServers := rootServers
 	retries := 3
 	for {
-		nsServer := nsServers[rand.Intn(len(nsServers))].Host
+		index := pkg.RandomIndex(len(nsServers))
+		nsServer := nsServers[index].Host
 		ns, err := ResolverAt(nsServer).LookupNS(ctx, domain)
 		sort.Slice(ns, func(i, j int) bool { return ns[i].Host < ns[j].Host })
 		if err != nil {

src/pkg/docker/run.go

@@ -18,7 +18,7 @@ func (d Docker) Run(ctx context.Context, env map[string]string, cmd ...string) (
 		AutoRemove:      true, // --rm; FIXME: this causes "No such container" if the container exits early
 		PublishAllPorts: true, // -P
 		Resources: container.Resources{
-			Memory: int64(d.memory),
+			Memory: int64(d.memory), // #nosec G115 - memory is expected to be a small number
 		},
 	}, nil, parsePlatform(d.platform), "")
 	if err != nil {