address gosec issues

application-research · Mar 8, 2023 · 07905c9 · 07905c9
1 parent 18a0f26
commit 07905c9
Show file tree

Hide file tree

Showing 7 changed files with 55 additions and 15 deletions.
diff --git a/api/api_engine.go b/api/api_engine.go
@@ -14,6 +14,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	echoSwagger "github.com/swaggo/echo-swagger"
 	"go.opentelemetry.io/otel/trace"
+	"go.uber.org/zap"
 )
 
 type IRegister interface {
@@ -25,9 +26,9 @@ type apiEngine struct {
 	cfg *config.Estuary
 }
 
-func NewEngine(cfg *config.Estuary, tcr trace.Tracer) *apiEngine {
+func NewEngine(cfg *config.Estuary, tcr trace.Tracer, log *zap.SugaredLogger) *apiEngine {
 	e := echo.New()
-	e.Binder = new(util.Binder)
+	e.Binder = util.NewBinder(log)
 	e.Pre(middleware.RemoveTrailingSlash())
 
 	if cfg.Logging.ApiEndpointLogging {

diff --git a/api/v1/handlers.go b/api/v1/handlers.go
@@ -415,7 +415,12 @@ func (s *apiV1) handleAddCar(c echo.Context, u *util.User) error {
 		}()
 	}()
 
-	defer c.Request().Body.Close()
+	defer func() {
+		if err := c.Request().Body.Close(); err != nil {
+			s.log.Warnf("failed to close request body: %s", err)
+		}
+	}()
+
 	header, err := s.loadCar(ctx, sbs, c.Request().Body)
 	if err != nil {
 		return err

diff --git a/cmd/benchest/main.go b/cmd/benchest/main.go
@@ -13,13 +13,17 @@ import (
 	"strings"
 	"time"
 
+	logging "github.com/ipfs/go-log/v2"
+
 	"github.com/application-research/estuary/util"
 	pgd "github.com/jinzhu/gorm/dialects/postgres"
 	"github.com/urfave/cli/v2"
 	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
 )
 
+var logger = logging.Logger("shuttle")
+
 func main() {
 	app := getApp()
 
@@ -420,7 +424,11 @@ func benchFetch(c string) (*fetchStats, error) {
 
 	status := resp.StatusCode
 
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			logger.Warnf("failed to close request body: %s", err)
+		}
+	}()
 
 	br := bufio.NewReader(resp.Body)
 
@@ -473,7 +481,11 @@ func ipfsCheck(c string, maddr string) *checkResp {
 		}
 	}
 
-	defer resp.Body.Close()
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			logger.Warnf("failed to close request body: %s", err)
+		}
+	}()
 
 	var out checkResp
 	out.CheckTook = time.Since(start)

diff --git a/cmd/estuary-shuttle/main.go b/cmd/estuary-shuttle/main.go
@@ -1110,7 +1110,7 @@ func withUser(f func(echo.Context, *User) error) func(echo.Context) error {
 
 func (s *Shuttle) ServeAPI() error {
 	e := echo.New()
-	e.Binder = new(util.Binder)
+	e.Binder = util.NewBinder(log)
 	e.Pre(middleware.RemoveTrailingSlash())
 
 	if s.shuttleConfig.Logging.ApiEndpointLogging {
@@ -1436,12 +1436,17 @@ func (s *Shuttle) handleAddCarToShuttle(c echo.Context, u *User) error {
 	defer func() {
 		go func() {
 			if err := s.StagingMgr.CleanUp(bsid); err != nil {
-				log.Errorf("failed to clean up staging blockstore: %s", err)
+				log.Warnf("failed to clean up staging blockstore: %s", err)
 			}
 		}()
 	}()
 
-	defer c.Request().Body.Close()
+	defer func() {
+		if err := c.Request().Body.Close(); err != nil {
+			log.Warnf("failed to close request body: %s", err)
+		}
+	}()
+
 	header, err := s.loadCar(ctx, bs, c.Request().Body)
 	if err != nil {
 		return err

diff --git a/main.go b/main.go
@@ -648,7 +648,7 @@ func Run(ctx context.Context, cfg *config.Estuary) error {
 	apiV1 := apiv1.NewAPIV1(cfg, db, nd, fc, gatewayApi, sbmgr, contMgr, cacher, extendedCacher, minerMgr, pinmgr, log, apiTracer, shuttleMgr, transferMgr, dealMgr, stgZoneMgr)
 	apiV2 := apiv2.NewAPIV2(cfg, db, nd, fc, gatewayApi, sbmgr, contMgr, cacher, minerMgr, extendedCacher, pinmgr, log, apiTracer)
 
-	apiEngine := api.NewEngine(cfg, apiTracer)
+	apiEngine := api.NewEngine(cfg, apiTracer, log)
 	apiEngine.RegisterAPI(apiV1)
 	apiEngine.RegisterAPI(apiV2)
 

diff --git a/shuttle/shuttle.go b/shuttle/shuttle.go
@@ -188,7 +188,7 @@ func (m *manager) GetShuttlesConfig(u *util.User) (interface{}, error) {
 			continue
 		}
 
-		out, err := getShuttleConfig(sh.Hostname, u.AuthToken.Token)
+		out, err := m.getShuttleConfig(sh.Hostname, u.AuthToken.Token)
 		if err != nil {
 			return nil, err
 		}
@@ -197,7 +197,7 @@ func (m *manager) GetShuttlesConfig(u *util.User) (interface{}, error) {
 	return shts, nil
 }
 
-func getShuttleConfig(hostname string, authToken string) (interface{}, error) {
+func (m *manager) getShuttleConfig(hostname string, authToken string) (interface{}, error) {
 	u, err := url.Parse(hostname)
 	if err != nil {
 		return nil, errors.Errorf("failed to parse url for shuttle(%s) config: %s", hostname, err)
@@ -214,7 +214,12 @@ func getShuttleConfig(hostname string, authToken string) (interface{}, error) {
 	if err != nil {
 		return nil, errors.Errorf("failed to request shuttle(%s) config: %s", hostname, err)
 	}
-	defer resp.Body.Close()
+
+	defer func() {
+		if err := resp.Body.Close(); err != nil {
+			m.log.Warnf("failed to close request body: %s", err)
+		}
+	}()
 
 	if resp.StatusCode != 200 {
 		bodyBytes, err := ioutil.ReadAll(resp.Body)

diff --git a/util/misc.go b/util/misc.go
@@ -18,6 +18,7 @@ import (
 	"github.com/multiformats/go-multiaddr"
 	"github.com/multiformats/go-multihash"
 	"go.opentelemetry.io/otel/trace"
+	"go.uber.org/zap"
 )
 
 func CanRestartTransfer(st *filclient.ChannelState) bool {
@@ -96,10 +97,21 @@ func WithContentLengthCheck(f func(echo.Context) error) func(echo.Context) error
 	}
 }
 
-type Binder struct{}
+type binder struct {
+	log *zap.SugaredLogger
+}
+
+func NewBinder(log *zap.SugaredLogger) binder {
+	return binder{log: log}
+}
+
+func (b binder) Bind(i interface{}, c echo.Context) error {
+	defer func() {
+		if err := c.Request().Body.Close(); err != nil {
+			b.log.Warnf("failed to close request body: %s", err)
+		}
+	}()
 
-func (b Binder) Bind(i interface{}, c echo.Context) error {
-	defer c.Request().Body.Close()
 	if err := json.NewDecoder(c.Request().Body).Decode(i); err != nil {
 		return &HttpError{
 			Code:    http.StatusBadRequest,