[🐞] Found 3 gosec issues: CWE-78 and CWE-242

[koddr]

Your environment:

• Fiber Web Framework [e.g. 1.2.3]: 1.2.3
• OS [e.g. macOS 10.14.6]: macOS 10.14.6
• Golang [e.g. 1.13.7]: 1.13.7

Describe the bug

A clear and concise description of what the bug is.

To Reproduce

Steps to reproduce the behavior:

1. Install securego/gosec
2. Run $ gosec ./...
3. See security report:

Issue G204 (CWE-78): Subprocess launched with function call as argument or cmd arguments:

[/Users/koddr/CodeProjects/fiber/listen.go:101] - G204 (CWE-78): Subprocess launched with function call as argument or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
  > exec.Command(os.Args[0], "-prefork", "-child")

Issue G103 (CWE-242): Use of unsafe calls should be audited:

[/Users/koddr/CodeProjects/fiber/utils.go:82] - G103 (CWE-242): Use of unsafe calls should be audited (Confidence: HIGH, Severity: LOW)
  > unsafe.Pointer(&b)

[/Users/koddr/CodeProjects/fiber/utils.go:86] - G103 (CWE-242): Use of unsafe calls should be audited (Confidence: HIGH, Severity: LOW)
  > unsafe.Pointer(&s)

Expected behavior

No security issues on report.

Screenshots

No need.

Additional context

Full console output:

$ sw_vers

ProductName:    Mac OS X
ProductVersion: 10.14.6
BuildVersion:   18G2022

$ go version 

go version go1.13.7 darwin/amd64

$ gosec ./...

[gosec] 2020/02/02 12:32:41 Including rules: default
[gosec] 2020/02/02 12:32:41 Excluding rules: default
[gosec] 2020/02/02 12:32:41 Import directory: /Users/koddr/CodeProjects/fiber
[gosec] 2020/02/02 12:32:42 Checking package: fiber
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/application.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/context.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/listen.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/methods.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/request.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/response.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/router.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/static.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/status.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/types.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/utils.go
[gosec] 2020/02/02 12:32:42 Import directory: /Users/koddr/CodeProjects/fiber/middleware
[gosec] 2020/02/02 12:32:42 Checking package: middleware
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/middleware/cors.go
[gosec] 2020/02/02 12:32:42 Checking file: /Users/koddr/CodeProjects/fiber/middleware/helmet.go

Results:

[/Users/koddr/CodeProjects/fiber/listen.go:101] - G204 (CWE-78): Subprocess launched with function call as argument or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
  > exec.Command(os.Args[0], "-prefork", "-child")

[/Users/koddr/CodeProjects/fiber/utils.go:82] - G103 (CWE-242): Use of unsafe calls should be audited (Confidence: HIGH, Severity: LOW)
  > unsafe.Pointer(&b)

[/Users/koddr/CodeProjects/fiber/utils.go:86] - G103 (CWE-242): Use of unsafe calls should be audited (Confidence: HIGH, Severity: LOW)
  > unsafe.Pointer(&s)

Summary:
   Files: 13
   Lines: 1671
   Nosec: 0
  Issues: 3

[koddr]

OK, issue closed, but what's decision do you have? 😉

I mean, it's normal to have this issues now (Fiber is too young), but if we can use external tools (like gosec) for checking security (an not so) issues at code and save our users — let's do it! 😀

This is some info about G103 (CWE-242) issue:

1. https://securego.io/docs/rules/g103.html
2. https://go101.org/article/unsafe.html

I fixed two similar issues at #4, but I need help, because I'm not author of Fiber, unfortunately, and don't know why it's important to use unsafe.Pointer()...

[Fenny]

@koddr Thanks for your contribution!
I merged your pull request and addressed your gosec report in the source.

unsafe.Pointer() is used to convert a byte slice to a string without memory allocation.

[koddr]

@Fenny thx for awesome framework, btw 😃

unsafe.Pointer() is used to convert a byte slice to a string without memory allocation.

Potentially, how we can solve this? Or not any other ways to do this (so easy as unsafe)?
I will go deep to this issue 👌

[Fenny]

@koddr , Fiber is build on Fasthttp and it use the same method to convert bytes to strings and vice-versa. https://github.com/valyala/fasthttp/blob/master/bytesconv.go#L332

So changing this won't matter since it's still being used by the fasthttp engine. I think adding the // #nosec G103 and a description should be fine 👍