GODRIVER-2156 Enable gosec linter. (#796)

Author: matthewdale

.golangci.yml

@@ -10,6 +10,7 @@ linters:
     # - errorlint
     - goimports
     - gosimple
+    - gosec
     - govet
     - ineffassign
     - makezero
@@ -70,3 +71,9 @@ issues:
     - path: x/mongo/driver/crypt.go
       linters:
         - unused
+    # Ignore "TLS MinVersion too low", "TLS InsecureSkipVerify set true", and "Use of weak random
+    # number generator (math/rand instead of crypto/rand)" in tests.
+    - path: (.+)_test.go
+      text: G401|G402|G404
+      linters:
+        - gosec

benchmark/harness_main.go

@@ -45,9 +45,15 @@ func DriverBenchmarkMain() int {
 
 	if outputFileName == "" {
 		fmt.Println(string(evgOutput))
-	} else if err := ioutil.WriteFile(outputFileName, evgOutput, 0644); err != nil {
-		fmt.Fprintf(os.Stderr, "problem writing file '%s': %s", outputFileName, err.Error())
-		return 1
+	} else {
+		// Ignore gosec warning "Expect WriteFile permissions to be 0600 or less" for benchmark
+		// result file.
+		/* #nosec G306 */
+		err := ioutil.WriteFile(outputFileName, evgOutput, 0644)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "problem writing file '%s': %s", outputFileName, err.Error())
+			return 1
+		}
 	}
 
 	if hasErrors {

internal/randutil/randutil.go

@@ -16,6 +16,9 @@ type LockedRand struct {
 // values. It is safe to use from multiple goroutines.
 func NewLockedRand(src rand.Source) *LockedRand {
 	return &LockedRand{
+		// Ignore gosec warning "Use of weak random number generator (math/rand instead of
+		// crypto/rand)". We intentionally use a pseudo-random number generator.
+		/* #nosec G404 */
 		r: rand.New(src),
 	}
 }

mongo/mongocryptd.go

@@ -115,6 +115,8 @@ func (mc *mcryptClient) disconnect(ctx context.Context) error {
 }
 
 func (mc *mcryptClient) spawnProcess() error {
+	// Ignore gosec warning about subprocess launched with externally-provided path variable.
+	/* #nosec G204 */
 	cmd := exec.Command(mc.path, mc.spawnArgs...)
 	cmd.Stdout = nil
 	cmd.Stderr = nil

x/mongo/driver/auth/auth_spec_test.go

@@ -52,11 +52,11 @@ func runTestsInFile(t *testing.T, dirname string, filename string) {
 	filename = filename[:len(filename)-5]
 
 	for _, testCase := range container.Tests {
-		runTest(t, filename, &testCase)
+		runTest(t, filename, testCase)
 	}
 }
 
-func runTest(t *testing.T, filename string, test *testCase) {
+func runTest(t *testing.T, filename string, test testCase) {
 	t.Run(test.Description, func(t *testing.T) {
 		opts := options.Client().ApplyURI(test.URI)
 		if test.Valid {

x/mongo/driver/auth/mongodbcr.go

@@ -8,11 +8,14 @@ package auth
 
 import (
 	"context"
-	"crypto/md5"
 	"fmt"
-
 	"io"
 
+	// Ignore gosec warning "Blocklisted import crypto/md5: weak cryptographic primitive". We need
+	// to use MD5 here to implement the MONGODB-CR specification.
+	/* #nosec G501 */
+	"crypto/md5"
+
 	"go.mongodb.org/mongo-driver/bson"
 	"go.mongodb.org/mongo-driver/x/bsonx/bsoncore"
 	"go.mongodb.org/mongo-driver/x/mongo/driver"
@@ -95,6 +98,9 @@ func (a *MongoDBCRAuthenticator) Auth(ctx context.Context, cfg *Config) error {
 }
 
 func (a *MongoDBCRAuthenticator) createKey(nonce string) string {
+	// Ignore gosec warning "Use of weak cryptographic primitive". We need to use MD5 here to
+	// implement the MONGODB-CR specification.
+	/* #nosec G401 */
 	h := md5.New()
 
 	_, _ = io.WriteString(h, nonce)

x/mongo/driver/auth/util.go

@@ -7,14 +7,21 @@
 package auth
 
 import (
-	"crypto/md5"
 	"fmt"
 	"io"
+
+	// Ignore gosec warning "Blocklisted import crypto/md5: weak cryptographic primitive". We need
+	// to use MD5 here to implement the SCRAM specification.
+	/* #nosec G501 */
+	"crypto/md5"
 )
 
 const defaultAuthDB = "admin"
 
 func mongoPasswordDigest(username, password string) string {
+	// Ignore gosec warning "Use of weak cryptographic primitive". We need to use MD5 here to
+	// implement the SCRAM specification.
+	/* #nosec G401 */
 	h := md5.New()
 	_, _ = io.WriteString(h, username)
 	_, _ = io.WriteString(h, ":mongo:")

x/mongo/driver/connstring/connstring_spec_test.go

@@ -90,7 +90,7 @@ func runTestsInFile(t *testing.T, dirname string, filename string, warningsError
 	filename = filename[:len(filename)-5]
 
 	for _, testCase := range container.Tests {
-		runTest(t, filename, &testCase, warningsError)
+		runTest(t, filename, testCase, warningsError)
 	}
 }
 
@@ -105,7 +105,7 @@ var skipKeywords = []string{
 	"serverSelectionTryOnce",
 }
 
-func runTest(t *testing.T, filename string, test *testCase, warningsError bool) {
+func runTest(t *testing.T, filename string, test testCase, warningsError bool) {
 	t.Run(test.Description, func(t *testing.T) {
 		if _, skip := skipDescriptions[test.Description]; skip {
 			t.Skip()

x/mongo/driver/crypt.go

@@ -293,7 +293,7 @@ func (c *crypt) decryptKey(ctx context.Context, kmsCtx *mongocrypt.KmsContext) e
 		addr = fmt.Sprintf("%s:%d", host, defaultKmsPort)
 	}
 
-	conn, err := tls.Dial("tcp", addr, &tls.Config{})
+	conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: tls.VersionTLS12})
 	if err != nil {
 		return err
 	}