security: fix CodeQL security vulnerabilities in TLS parameters

Address 9 high-severity security issues identified by GitHub CodeQL:

1. **Integer Conversion Security**:
   - Add proper bounds checking for tls_min_version and tls_max_version
   - Validate input range (0-65535) before casting to uint16
   - Prevent integer overflow vulnerabilities

2. **TLS Security Enforcement**:
   - Enforce minimum TLS 1.2 (771) for all TLS version parameters
   - Reject insecure TLS versions (< TLS 1.2) with clear error messages
   - Prevent downgrade attacks and insecure configurations

3. **Comprehensive Validation**:
   - Applied security fixes to all client types (single, cluster, sentinel)
   - Added security validation test cases
   - Updated documentation to reflect security requirements

4. **Test Coverage**:
   - Added tests for insecure TLS version rejection
   - Added tests for integer overflow protection
   - Updated existing tests to use secure TLS versions (771, 772)

Security improvements:
- Prevents integer overflow attacks via malicious URL parameters
- Enforces secure TLS configurations by default
- Provides clear error messages for security violations
- Maintains backward compatibility for secure configurations

Fixes all CodeQL security alerts while maintaining functionality.

Author: ofekshenawa

options.go

@@ -360,7 +360,7 @@ func NewDialer(opt *Options) func(context.Context, string, string) (net.Conn, er
 //   - use "skip_verify=true" to ignore TLS certificate validation
 //   - for rediss:// URLs, additional TLS parameters are supported:
 //   - tls_cert_file and tls_key_file: paths to client certificate and key files
-//   - tls_min_version and tls_max_version: TLS version constraints (e.g., 771 for TLS 1.2)
+//   - tls_min_version and tls_max_version: TLS version constraints (minimum TLS 1.2: 771, TLS 1.3: 772)
 //   - tls_server_name: override server name for certificate validation
 //
 // Examples:
@@ -598,10 +598,26 @@ func setupConnParams(u *url.URL, o *Options) (*Options, error) {
 		}
 
 		if q.has("tls_min_version") {
-			o.TLSConfig.MinVersion = uint16(q.int("tls_min_version"))
+			minVer := q.int("tls_min_version")
+			if minVer < 0 || minVer > 65535 {
+				return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
+			}
+			// Enforce minimum TLS 1.2 for security
+			if minVer > 0 && minVer < int(tls.VersionTLS12) {
+				return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
+			}
+			o.TLSConfig.MinVersion = uint16(minVer)
 		}
 		if q.has("tls_max_version") {
-			o.TLSConfig.MaxVersion = uint16(q.int("tls_max_version"))
+			maxVer := q.int("tls_max_version")
+			if maxVer < 0 || maxVer > 65535 {
+				return nil, fmt.Errorf("redis: invalid tls_max_version: %d (must be between 0 and 65535)", maxVer)
+			}
+			// Ensure max version is not lower than TLS 1.2
+			if maxVer > 0 && maxVer < int(tls.VersionTLS12) {
+				return nil, fmt.Errorf("redis: tls_max_version %d is insecure (minimum allowed is TLS 1.2: %d)", maxVer, tls.VersionTLS12)
+			}
+			o.TLSConfig.MaxVersion = uint16(maxVer)
 		}
 
 		tlsServerName := q.string("tls_server_name")

options_test.go

@@ -52,8 +52,8 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 			url: "rediss://localhost:123",
 			o:   &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12}},
 		}, {
-			url: "rediss://localhost:123?tls_server_name=abc&tls_min_version=1&tls_max_version=3&skip_verify=true",
-			o:   &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "abc", MinVersion: 1, MaxVersion: 3, InsecureSkipVerify: true}},
+			url: "rediss://localhost:123?tls_server_name=abc&tls_min_version=771&tls_max_version=772&skip_verify=true",
+			o:   &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "abc", MinVersion: 771, MaxVersion: 772, InsecureSkipVerify: true}},
 		}, {
 			url: "rediss://localhost:123?tls_cert_file=./testdata/testcert.pem&tls_key_file=./testdata/testkey.pem",
 			o:   &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{testCert}}},
@@ -68,6 +68,15 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 		}, {
 			url: "rediss://localhost:123?tls_key_file=./testdata/testkey.pem",
 			err: errors.New("redis: tls_cert_file and tls_key_file URL parameters must be both set or both omitted"),
+		}, {
+			url: "rediss://localhost:123?tls_min_version=1",
+			err: errors.New("redis: tls_min_version 1 is insecure (minimum allowed is TLS 1.2: 771)"),
+		}, {
+			url: "rediss://localhost:123?tls_max_version=1",
+			err: errors.New("redis: tls_max_version 1 is insecure (minimum allowed is TLS 1.2: 771)"),
+		}, {
+			url: "rediss://localhost:123?tls_min_version=70000",
+			err: errors.New("redis: invalid tls_min_version: 70000 (must be between 0 and 65535)"),
 		}, {
 			url: "rediss://localhost:123/?skip_verify=true",
 			o:   &Options{Addr: "localhost:123", TLSConfig: &tls.Config{ServerName: "localhost", MinVersion: tls.VersionTLS12, InsecureSkipVerify: true}},

osscluster.go

@@ -219,7 +219,7 @@ func (opt *ClusterOptions) init() {
 //   - use "skip_verify=true" to ignore TLS certificate validation
 //   - for rediss:// URLs, additional TLS parameters are supported:
 //   - tls_cert_file and tls_key_file: paths to client certificate and key files
-//   - tls_min_version and tls_max_version: TLS version constraints (e.g., 771 for TLS 1.2)
+//   - tls_min_version and tls_max_version: TLS version constraints (minimum TLS 1.2: 771, TLS 1.3: 772)
 //   - tls_server_name: override server name for certificate validation
 //
 // Example:
@@ -325,10 +325,26 @@ func setupClusterQueryParams(u *url.URL, o *ClusterOptions) (*ClusterOptions, er
 		}
 
 		if q.has("tls_min_version") {
-			o.TLSConfig.MinVersion = uint16(q.int("tls_min_version"))
+			minVer := q.int("tls_min_version")
+			if minVer < 0 || minVer > 65535 {
+				return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
+			}
+			// Enforce minimum TLS 1.2 for security
+			if minVer > 0 && minVer < int(tls.VersionTLS12) {
+				return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
+			}
+			o.TLSConfig.MinVersion = uint16(minVer)
 		}
 		if q.has("tls_max_version") {
-			o.TLSConfig.MaxVersion = uint16(q.int("tls_max_version"))
+			maxVer := q.int("tls_max_version")
+			if maxVer < 0 || maxVer > 65535 {
+				return nil, fmt.Errorf("redis: invalid tls_max_version: %d (must be between 0 and 65535)", maxVer)
+			}
+			// Ensure max version is not lower than TLS 1.2
+			if maxVer > 0 && maxVer < int(tls.VersionTLS12) {
+				return nil, fmt.Errorf("redis: tls_max_version %d is insecure (minimum allowed is TLS 1.2: %d)", maxVer, tls.VersionTLS12)
+			}
+			o.TLSConfig.MaxVersion = uint16(maxVer)
 		}
 
 		tlsServerName := q.string("tls_server_name")

osscluster_test.go

@@ -1656,8 +1656,8 @@ EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA==
 			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123", "localhost:1234", "localhost:12345"}, TLSConfig: &tls.Config{ServerName: "localhost"}},
 		}, {
 			test: "RedissTLSParams",
-			url:  "rediss://localhost:123?tls_server_name=abc&tls_min_version=1&tls_max_version=3&skip_verify=true",
-			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "abc", MinVersion: 1, MaxVersion: 3, InsecureSkipVerify: true}},
+			url:  "rediss://localhost:123?tls_server_name=abc&tls_min_version=771&tls_max_version=772&skip_verify=true",
+			o:    &redis.ClusterOptions{Addrs: []string{"localhost:123"}, TLSConfig: &tls.Config{ServerName: "abc", MinVersion: 771, MaxVersion: 772, InsecureSkipVerify: true}},
 		}, {
 			test: "RedissTLSCert",
 			url:  "rediss://localhost:123?tls_cert_file=./testdata/testcert.pem&tls_key_file=./testdata/testkey.pem",

sentinel.go

@@ -304,7 +304,7 @@ func (opt *FailoverOptions) clusterOptions() *ClusterOptions {
 //   - use "skip_verify=true" to ignore TLS certificate validation
 //   - for rediss:// URLs, additional TLS parameters are supported:
 //   - tls_cert_file and tls_key_file: paths to client certificate and key files
-//   - tls_min_version and tls_max_version: TLS version constraints (e.g., 771 for TLS 1.2)
+//   - tls_min_version and tls_max_version: TLS version constraints (minimum TLS 1.2: 771, TLS 1.3: 772)
 //   - tls_server_name: override server name for certificate validation
 //
 // Example:
@@ -435,10 +435,26 @@ func setupFailoverConnParams(u *url.URL, o *FailoverOptions) (*FailoverOptions,
 		}
 
 		if q.has("tls_min_version") {
-			o.TLSConfig.MinVersion = uint16(q.int("tls_min_version"))
+			minVer := q.int("tls_min_version")
+			if minVer < 0 || minVer > 65535 {
+				return nil, fmt.Errorf("redis: invalid tls_min_version: %d (must be between 0 and 65535)", minVer)
+			}
+			// Enforce minimum TLS 1.2 for security
+			if minVer > 0 && minVer < int(tls.VersionTLS12) {
+				return nil, fmt.Errorf("redis: tls_min_version %d is insecure (minimum allowed is TLS 1.2: %d)", minVer, tls.VersionTLS12)
+			}
+			o.TLSConfig.MinVersion = uint16(minVer)
 		}
 		if q.has("tls_max_version") {
-			o.TLSConfig.MaxVersion = uint16(q.int("tls_max_version"))
+			maxVer := q.int("tls_max_version")
+			if maxVer < 0 || maxVer > 65535 {
+				return nil, fmt.Errorf("redis: invalid tls_max_version: %d (must be between 0 and 65535)", maxVer)
+			}
+			// Ensure max version is not lower than TLS 1.2
+			if maxVer > 0 && maxVer < int(tls.VersionTLS12) {
+				return nil, fmt.Errorf("redis: tls_max_version %d is insecure (minimum allowed is TLS 1.2: %d)", maxVer, tls.VersionTLS12)
+			}
+			o.TLSConfig.MaxVersion = uint16(maxVer)
 		}
 
 		tlsServerName := q.string("tls_server_name")