update rulesguard with new rules (#10392)
Co-authored-by: Nitish Tiwari <nitish@minio.io> Co-authored-by: Praveen raj Mani <praveen@minio.io>
parent
3e1fb17b70
commit
2acb530ccd
@ -1085,7 +1085,7 @@ func (a adminAPIHandlers) ConsoleLogHandler(w http.ResponseWriter, r *http.Reque
|
|||||||
// Avoid reusing tcp connection if read timeout is hit
|
// Avoid reusing tcp connection if read timeout is hit
|
||||||
// This is needed to make r.Context().Done() work as
|
// This is needed to make r.Context().Done() work as
|
||||||
// expected in case of read timeout
|
// expected in case of read timeout
|
||||||
w.Header().Add("Connection", "close")
|
w.Header().Set("Connection", "close")
|
||||||
|
|
||||||
setEventStreamHeaders(w)
|
setEventStreamHeaders(w)
|
||||||
|
|
||||||
|
@ -804,7 +804,7 @@ func (api objectAPIHandlers) PostPolicyBucketHandler(w http.ResponseWriter, r *h
|
|||||||
if _, err = globalBucketSSEConfigSys.Get(bucket); err == nil || globalAutoEncryption {
|
if _, err = globalBucketSSEConfigSys.Get(bucket); err == nil || globalAutoEncryption {
|
||||||
// This request header needs to be set prior to setting ObjectOptions
|
// This request header needs to be set prior to setting ObjectOptions
|
||||||
if !crypto.SSEC.IsRequested(r.Header) {
|
if !crypto.SSEC.IsRequested(r.Header) {
|
||||||
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
r.Header.Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
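Review bot: The new `r.Header.Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)` in PostPolicyBucketHandler is guarded only by `!crypto.SSEC.IsRequested(r.Header)`, so any value the client already sent on that header is now replaced, whereas `Add` appended after it and left the client's value first. The PutObjectHandler and NewMultipartUploadHandler hunks also check `!crypto.S3KMS.IsRequested(r.Header)`; this hunk, CopyObjectHandler and the web Upload handler do not. If an SSE-KMS request can arrive on this header (what `IsRequested` inspects is not shown on the page), add the same guard so the client's choice is not silently overwritten: `if !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {`. The handler body lies mostly outside the hunk.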
|
@ -155,12 +155,12 @@ var isHTTPHeaderSizeTooLargeTests = []struct {
|
|||||||
func generateHeader(size, usersize int) http.Header {
|
func generateHeader(size, usersize int) http.Header {
|
||||||
header := http.Header{}
|
header := http.Header{}
|
||||||
for i := 0; i < size; i++ {
|
for i := 0; i < size; i++ {
|
||||||
header.Add(strconv.Itoa(i), "")
|
header.Set(strconv.Itoa(i), "")
|
||||||
}
|
}
|
||||||
userlength := 0
|
userlength := 0
|
||||||
for i := 0; userlength < usersize; i++ {
|
for i := 0; userlength < usersize; i++ {
|
||||||
userlength += len(userMetadataKeyPrefixes[0] + strconv.Itoa(i))
|
userlength += len(userMetadataKeyPrefixes[0] + strconv.Itoa(i))
|
||||||
header.Add(userMetadataKeyPrefixes[0]+strconv.Itoa(i), "")
|
header.Set(userMetadataKeyPrefixes[0]+strconv.Itoa(i), "")
|
||||||
}
|
}
|
||||||
return header
|
return header
|
||||||
}
|
}
|
||||||
|
@ -104,9 +104,8 @@ func Trace(f http.HandlerFunc, logBody bool, w http.ResponseWriter, r *http.Requ
|
|||||||
reqHeaders.Set("Host", r.Host)
|
reqHeaders.Set("Host", r.Host)
|
||||||
if len(r.TransferEncoding) == 0 {
|
if len(r.TransferEncoding) == 0 {
|
||||||
reqHeaders.Set("Content-Length", strconv.Itoa(int(r.ContentLength)))
|
reqHeaders.Set("Content-Length", strconv.Itoa(int(r.ContentLength)))
|
||||||
}
|
} else {
|
||||||
for _, enc := range r.TransferEncoding {
|
reqHeaders.Set("Transfer-Encoding", strings.Join(r.TransferEncoding, ","))
|
||||||
reqHeaders.Add("Transfer-Encoding", enc)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
var reqBodyRecorder *recordRequest
|
var reqBodyRecorder *recordRequest
|
||||||
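Review bot: `strconv.Itoa(int(r.ContentLength))` on the line just above the new `else` narrows an int64 to int, so on a 32-bit build the traced Content-Length would be wrong for bodies larger than 2 GiB; `strconv.FormatInt(r.ContentLength, 10)` avoids the conversion. The new `strings.Join(r.TransferEncoding, ",")` folds all codings into one traced value where the old loop recorded one value per coding, which deserves a short comment such as `// trace only: codings folded into one comma-separated value`. Trace's body extends beyond the hunk on both sides.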
|
@ -881,7 +881,7 @@ func (api objectAPIHandlers) CopyObjectHandler(w http.ResponseWriter, r *http.Re
|
|||||||
_, err = globalBucketSSEConfigSys.Get(dstBucket)
|
_, err = globalBucketSSEConfigSys.Get(dstBucket)
|
||||||
// This request header needs to be set prior to setting ObjectOptions
|
// This request header needs to be set prior to setting ObjectOptions
|
||||||
if (globalAutoEncryption || err == nil) && !crypto.SSEC.IsRequested(r.Header) {
|
if (globalAutoEncryption || err == nil) && !crypto.SSEC.IsRequested(r.Header) {
|
||||||
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
r.Header.Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
||||||
}
|
}
|
||||||
|
|
||||||
var srcOpts, dstOpts ObjectOptions
|
var srcOpts, dstOpts ObjectOptions
|
||||||
@ -1449,7 +1449,7 @@ func (api objectAPIHandlers) PutObjectHandler(w http.ResponseWriter, r *http.Req
|
|||||||
_, err = globalBucketSSEConfigSys.Get(bucket)
|
_, err = globalBucketSSEConfigSys.Get(bucket)
|
||||||
// This request header needs to be set prior to setting ObjectOptions
|
// This request header needs to be set prior to setting ObjectOptions
|
||||||
if (globalAutoEncryption || err == nil) && !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {
|
if (globalAutoEncryption || err == nil) && !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {
|
||||||
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
r.Header.Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
||||||
}
|
}
|
||||||
|
|
||||||
actualSize := size
|
actualSize := size
|
||||||
@ -1648,7 +1648,7 @@ func (api objectAPIHandlers) NewMultipartUploadHandler(w http.ResponseWriter, r
|
|||||||
_, err = globalBucketSSEConfigSys.Get(bucket)
|
_, err = globalBucketSSEConfigSys.Get(bucket)
|
||||||
// This request header needs to be set prior to setting ObjectOptions
|
// This request header needs to be set prior to setting ObjectOptions
|
||||||
if (globalAutoEncryption || err == nil) && !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {
|
if (globalAutoEncryption || err == nil) && !crypto.SSEC.IsRequested(r.Header) && !crypto.S3KMS.IsRequested(r.Header) {
|
||||||
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
r.Header.Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate storage class metadata if present
|
// Validate storage class metadata if present
|
||||||
|
@ -529,7 +529,7 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a
|
|||||||
t.Fatalf("Test %d: Failed to create HTTP request for Get Object: <ERROR> %v", i+1, err)
|
t.Fatalf("Test %d: Failed to create HTTP request for Get Object: <ERROR> %v", i+1, err)
|
||||||
}
|
}
|
||||||
if testCase.byteRange != "" {
|
if testCase.byteRange != "" {
|
||||||
req.Header.Add("Range", testCase.byteRange)
|
req.Header.Set("Range", testCase.byteRange)
|
||||||
}
|
}
|
||||||
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
||||||
// Call the ServeHTTP to execute the handler,`func (api objectAPIHandlers) GetObjectHandler` handles the request.
|
// Call the ServeHTTP to execute the handler,`func (api objectAPIHandlers) GetObjectHandler` handles the request.
|
||||||
@ -577,7 +577,7 @@ func testAPIGetObjectHandler(obj ObjectLayer, instanceType, bucketName string, a
|
|||||||
}
|
}
|
||||||
|
|
||||||
if testCase.byteRange != "" {
|
if testCase.byteRange != "" {
|
||||||
reqV2.Header.Add("Range", testCase.byteRange)
|
reqV2.Header.Set("Range", testCase.byteRange)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
// Since `apiRouter` satisfies `http.Handler` it has a ServeHTTP to execute the logic of the handler.
|
||||||
@ -741,7 +741,7 @@ func testAPIGetObjectWithMPHandler(obj ObjectLayer, instanceType, bucketName str
|
|||||||
}
|
}
|
||||||
|
|
||||||
if byteRange != "" {
|
if byteRange != "" {
|
||||||
req.Header.Add("Range", byteRange)
|
req.Header.Set("Range", byteRange)
|
||||||
}
|
}
|
||||||
|
|
||||||
apiRouter.ServeHTTP(rec, req)
|
apiRouter.ServeHTTP(rec, req)
|
||||||
|
@ -191,8 +191,8 @@ func (s *TestSuiteCommon) TestBucketSQSNotificationWebHook(c *check) {
|
|||||||
|
|
||||||
func (s *TestSuiteCommon) TestCors(c *check) {
|
func (s *TestSuiteCommon) TestCors(c *check) {
|
||||||
expectedMap := http.Header{}
|
expectedMap := http.Header{}
|
||||||
expectedMap.Add("Access-Control-Allow-Credentials", "true")
|
expectedMap.Set("Access-Control-Allow-Credentials", "true")
|
||||||
expectedMap.Add("Access-Control-Allow-Origin", "http://foobar.com")
|
expectedMap.Set("Access-Control-Allow-Origin", "http://foobar.com")
|
||||||
expectedMap["Access-Control-Expose-Headers"] = []string{
|
expectedMap["Access-Control-Expose-Headers"] = []string{
|
||||||
"Date",
|
"Date",
|
||||||
"Etag",
|
"Etag",
|
||||||
@ -214,10 +214,10 @@ func (s *TestSuiteCommon) TestCors(c *check) {
|
|||||||
"X-Amz*",
|
"X-Amz*",
|
||||||
"*",
|
"*",
|
||||||
}
|
}
|
||||||
expectedMap.Add("Vary", "Origin")
|
expectedMap.Set("Vary", "Origin")
|
||||||
|
|
||||||
req, _ := http.NewRequest(http.MethodOptions, s.endPoint, nil)
|
req, _ := http.NewRequest(http.MethodOptions, s.endPoint, nil)
|
||||||
req.Header.Add("Origin", "http://foobar.com")
|
req.Header.Set("Origin", "http://foobar.com")
|
||||||
res, err := s.client.Do(req)
|
res, err := s.client.Do(req)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.Fatal(err)
|
c.Fatal(err)
|
||||||
@ -1561,7 +1561,7 @@ func (s *TestSuiteCommon) TestPartialContent(c *check) {
|
|||||||
request, err = newTestSignedRequest(http.MethodGet, getGetObjectURL(s.endPoint, bucketName, "bar"),
|
request, err = newTestSignedRequest(http.MethodGet, getGetObjectURL(s.endPoint, bucketName, "bar"),
|
||||||
0, nil, s.accessKey, s.secretKey, s.signer)
|
0, nil, s.accessKey, s.secretKey, s.signer)
|
||||||
c.Assert(err, nil)
|
c.Assert(err, nil)
|
||||||
request.Header.Add("Range", "bytes=6-7")
|
request.Header.Set("Range", "bytes=6-7")
|
||||||
|
|
||||||
response, err = s.client.Do(request)
|
response, err = s.client.Do(request)
|
||||||
c.Assert(err, nil)
|
c.Assert(err, nil)
|
||||||
@ -1906,7 +1906,7 @@ func (s *TestSuiteCommon) TestGetPartialObjectMisAligned(c *check) {
|
|||||||
0, nil, s.accessKey, s.secretKey, s.signer)
|
0, nil, s.accessKey, s.secretKey, s.signer)
|
||||||
c.Assert(err, nil)
|
c.Assert(err, nil)
|
||||||
// Get partial content based on the byte range set.
|
// Get partial content based on the byte range set.
|
||||||
request.Header.Add("Range", "bytes="+t.byteRange)
|
request.Header.Set("Range", "bytes="+t.byteRange)
|
||||||
|
|
||||||
// execute the HTTP request.
|
// execute the HTTP request.
|
||||||
response, err = s.client.Do(request)
|
response, err = s.client.Do(request)
|
||||||
@ -1972,7 +1972,7 @@ func (s *TestSuiteCommon) TestGetPartialObjectLarge11MiB(c *check) {
|
|||||||
0, nil, s.accessKey, s.secretKey, s.signer)
|
0, nil, s.accessKey, s.secretKey, s.signer)
|
||||||
c.Assert(err, nil)
|
c.Assert(err, nil)
|
||||||
// This range spans into first two blocks.
|
// This range spans into first two blocks.
|
||||||
request.Header.Add("Range", "bytes=10485750-10485769")
|
request.Header.Set("Range", "bytes=10485750-10485769")
|
||||||
|
|
||||||
// execute the HTTP request.
|
// execute the HTTP request.
|
||||||
response, err = s.client.Do(request)
|
response, err = s.client.Do(request)
|
||||||
@ -2039,7 +2039,7 @@ func (s *TestSuiteCommon) TestGetPartialObjectLarge10MiB(c *check) {
|
|||||||
0, nil, s.accessKey, s.secretKey, s.signer)
|
0, nil, s.accessKey, s.secretKey, s.signer)
|
||||||
c.Assert(err, nil)
|
c.Assert(err, nil)
|
||||||
// Get partial content based on the byte range set.
|
// Get partial content based on the byte range set.
|
||||||
request.Header.Add("Range", "bytes=2048-2058")
|
request.Header.Set("Range", "bytes=2048-2058")
|
||||||
|
|
||||||
// execute the HTTP request to download the partial content.
|
// execute the HTTP request to download the partial content.
|
||||||
response, err = s.client.Do(request)
|
response, err = s.client.Do(request)
|
||||||
@ -2126,7 +2126,7 @@ func (s *TestSuiteCommon) TestGetObjectRangeErrors(c *check) {
|
|||||||
request, err = newTestSignedRequest(http.MethodGet, getGetObjectURL(s.endPoint, bucketName, objectName),
|
request, err = newTestSignedRequest(http.MethodGet, getGetObjectURL(s.endPoint, bucketName, objectName),
|
||||||
0, nil, s.accessKey, s.secretKey, s.signer)
|
0, nil, s.accessKey, s.secretKey, s.signer)
|
||||||
// Invalid byte range set.
|
// Invalid byte range set.
|
||||||
request.Header.Add("Range", "bytes=-0")
|
request.Header.Set("Range", "bytes=-0")
|
||||||
c.Assert(err, nil)
|
c.Assert(err, nil)
|
||||||
|
|
||||||
// execute the HTTP request.
|
// execute the HTTP request.
|
||||||
|
@ -163,9 +163,7 @@ func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header,
|
|||||||
val, ok = reqQueries[header]
|
val, ok = reqQueries[header]
|
||||||
}
|
}
|
||||||
if ok {
|
if ok {
|
||||||
for _, enc := range val {
|
extractedSignedHeaders[http.CanonicalHeaderKey(header)] = val
|
||||||
extractedSignedHeaders.Add(header, enc)
|
|
||||||
}
|
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
switch header {
|
switch header {
|
||||||
@ -192,9 +190,7 @@ func extractSignedHeaders(signedHeaders []string, r *http.Request) (http.Header,
|
|||||||
extractedSignedHeaders.Set(header, r.Host)
|
extractedSignedHeaders.Set(header, r.Host)
|
||||||
case "transfer-encoding":
|
case "transfer-encoding":
|
||||||
// Go http server removes "host" from Request.Header
|
// Go http server removes "host" from Request.Header
|
||||||
for _, enc := range r.TransferEncoding {
|
extractedSignedHeaders[http.CanonicalHeaderKey(header)] = r.TransferEncoding
|
||||||
extractedSignedHeaders.Add(header, enc)
|
|
||||||
}
|
|
||||||
case "content-length":
|
case "content-length":
|
||||||
// Signature-V4 spec excludes Content-Length from signed headers list for signature calculation.
|
// Signature-V4 spec excludes Content-Length from signed headers list for signature calculation.
|
||||||
// But some clients deviate from this rule. Hence we consider Content-Length for signature
|
// But some clients deviate from this rule. Hence we consider Content-Length for signature
|
||||||
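Review bot: Assigning `val` and `r.TransferEncoding` directly into `extractedSignedHeaders` makes the returned header share its backing slices with the request data, where the removed `Add` loops copied each value; a later in-place edit on either side would now show up in the other, and this map feeds signature verification. The `transfer-encoding` case also stores the key when `r.TransferEncoding` is empty, while the old loop left it absent, which may change the canonical header string built by callers outside these hunks. Consider `extractedSignedHeaders[http.CanonicalHeaderKey(header)] = append([]string(nil), val...)` in the first hunk and wrapping the second assignment in `if len(r.TransferEncoding) > 0 { ... }`. The function starts and ends outside both hunks.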
|
@ -1127,7 +1127,7 @@ func newTestSignedRequestV2(method, urlStr string, contentLength int64, body io.
|
|||||||
}
|
}
|
||||||
|
|
||||||
for k, v := range headers {
|
for k, v := range headers {
|
||||||
req.Header.Add(k, v)
|
req.Header.Set(k, v)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = signRequestV2(req, accessKey, secretKey)
|
err = signRequestV2(req, accessKey, secretKey)
|
||||||
@ -1151,7 +1151,7 @@ func newTestSignedRequestV4(method, urlStr string, contentLength int64, body io.
|
|||||||
}
|
}
|
||||||
|
|
||||||
for k, v := range headers {
|
for k, v := range headers {
|
||||||
req.Header.Add(k, v)
|
req.Header.Set(k, v)
|
||||||
}
|
}
|
||||||
|
|
||||||
err = signRequestV4(req, accessKey, secretKey)
|
err = signRequestV4(req, accessKey, secretKey)
|
||||||
|
@ -1040,7 +1040,7 @@ func (web *webAPIHandlers) Upload(w http.ResponseWriter, r *http.Request) {
|
|||||||
// Check if bucket encryption is enabled
|
// Check if bucket encryption is enabled
|
||||||
_, err = globalBucketSSEConfigSys.Get(bucket)
|
_, err = globalBucketSSEConfigSys.Get(bucket)
|
||||||
if (globalAutoEncryption || err == nil) && !crypto.SSEC.IsRequested(r.Header) {
|
if (globalAutoEncryption || err == nil) && !crypto.SSEC.IsRequested(r.Header) {
|
||||||
r.Header.Add(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
r.Header.Set(crypto.SSEHeader, crypto.SSEAlgorithmAES256)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Require Content-Length to be set in the request
|
// Require Content-Length to be set in the request
|
||||||
|
@ -234,14 +234,14 @@ func testPresignedPutInvalidHash(s3Client *s3.S3) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
rreq, err := http.NewRequest("PUT", url, bytes.NewReader([]byte("")))
|
rreq, err := http.NewRequest(http.MethodPut, url, bytes.NewReader([]byte("")))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
failureLog(function, args, startTime, "", "AWS SDK Go presigned PUT request failed", err).Fatal()
|
failureLog(function, args, startTime, "", "AWS SDK Go presigned PUT request failed", err).Fatal()
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
rreq.Header.Add("X-Amz-Content-Sha256", "invalid-sha256")
|
rreq.Header.Set("X-Amz-Content-Sha256", "invalid-sha256")
|
||||||
rreq.Header.Add("Content-Type", "application/octet-stream")
|
rreq.Header.Set("Content-Type", "application/octet-stream")
|
||||||
|
|
||||||
resp, err := http.DefaultClient.Do(rreq)
|
resp, err := http.DefaultClient.Do(rreq)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -418,3 +418,32 @@ func mailaddress(m fluent.Matcher) {
|
|||||||
Suggest("(&mail.Address{Name:$NAME, Address:$EMAIL}).String()")
|
Suggest("(&mail.Address{Name:$NAME, Address:$EMAIL}).String()")
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func errnetclosed(m fluent.Matcher) {
|
||||||
|
m.Match(
|
||||||
|
`strings.Contains($err.Error(), $text)`,
|
||||||
|
).
|
||||||
|
Where(m["text"].Text.Matches("\".*closed network connection.*\"")).
|
||||||
|
Report(`String matching against error texts is fragile; use net.ErrClosed instead`).
|
||||||
|
Suggest(`errors.Is($err, net.ErrClosed)`)
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
func httpheaderadd(m fluent.Matcher) {
|
||||||
|
m.Match(
|
||||||
|
`$H.Add($KEY, $VALUE)`,
|
||||||
|
).
|
||||||
|
Where(m["H"].Type.Is("http.Header")).
|
||||||
|
Report("use http.Header.Set method instead of Add to overwrite all existing header values").
|
||||||
|
Suggest(`$H.Set($KEY, $VALUE)`)
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
func hmacnew(m fluent.Matcher) {
|
||||||
|
m.Match("hmac.New(func() hash.Hash { return $x }, $_)",
|
||||||
|
`$f := func() hash.Hash { return $x }
|
||||||
|
$*_
|
||||||
|
hmac.New($f, $_)`,
|
||||||
|
).Where(m["x"].Pure).
|
||||||
|
Report("invalid hash passed to hmac.New()")
|
||||||
|
}
|
||||||
|
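Review bot: The new `httpheaderadd` rule matches every `$H.Add($KEY, $VALUE)` on an `http.Header` and suggests `Set` unconditionally, but `Add` is the correct call for headers that legitimately carry several values, and the automatic rewrite silently drops earlier values there. The rule has no doc comment saying when a hit should be left alone; I would add `// httpheaderadd flags http.Header.Add; keep Add where a header is meant to hold several values (e.g. Set-Cookie) and review each hit before applying Set.` The `hmacnew` rule would benefit from a similar one-line comment stating why a closure returning a pure expression is reported as an invalid hash, since the message alone does not explain it.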