Cosmetic security improvements to reduce spam from SonarCloud

2026-02-09 07:19:08 -06:00 · 2025-06-17 15:04:41 +03:00
parent 86a6b9e349
commit f2c64f3cfb
5 changed files with 17 additions and 13 deletions
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -148,9 +148,10 @@ func run(ctx context.Context, cfg common.ConfigStore, stderr io.Writer, listener
 		TimeSeries: timeSeriesDB,
 		XSRF:       &common.XSRFMiddleware{Key: "pckey", Timeout: 1 * time.Hour},
 		Sessions: &session.Manager{
-			CookieName:  "pcsid",
-			Store:       sessionStore,
-			MaxLifetime: sessionStore.MaxLifetime(),
+			CookieName:   "pcsid",
+			Store:        sessionStore,
+			MaxLifetime:  sessionStore.MaxLifetime(),
+			SecureCookie: (*certFileFlag != "") && (*keyFileFlag != ""),
 		},
 		PlanService:  planService,
 		APIURL:       apiURLConfig.URL(),
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -9,7 +9,7 @@ WORKDIR /app/web

 # Install dependencies and build the frontend
 COPY ./web/package.json /app/web/package.json
-RUN --mount=type=cache,target=/cache/web npm install --verbose 
+RUN --mount=type=cache,target=/cache/web npm install --verbose --ignore-scripts

 # copy the rest
 COPY ./web /app/web
@@ -25,7 +25,7 @@ WORKDIR /app/widget

 # Install dependencies and build the frontend
 COPY ./widget/package.json /app/widget/package.json
-RUN --mount=type=cache,target=/cache/widget npm install --verbose 
+RUN --mount=type=cache,target=/cache/widget npm install --verbose --ignore-scripts

 # copy the rest
 COPY ./widget /app/widget
--- a/pkg/common/fingerprint.go
+++ b/pkg/common/fingerprint.go
@@ -1,9 +1,9 @@
 package common

-import "math/rand"
+import randv2 "math/rand/v2"

 type TFingerprint = uint64

 func RandomFingerprint() TFingerprint {
-	return uint64(rand.Int63())
+	return randv2.Uint64()
 }
--- a/pkg/portal/utils.go
+++ b/pkg/portal/utils.go
@@ -3,7 +3,7 @@ package portal
 import (
 	"context"
 	"log/slog"
-	"math/rand"
+	randv2 "math/rand/v2"
 	"net/http"
 	"strings"

@@ -19,7 +19,7 @@ const (

 // NOTE: this will eventually be replaced by proper OTP
 func twoFactorCode() int {
-	return rand.Intn(900000) + 100000
+	return randv2.IntN(900000) + 100000
 }

 // RouteGenerator's point is to passthrough the path correctly to the std.Handler() of slok/go-http-metrics
--- a/pkg/session/manager.go
+++ b/pkg/session/manager.go
@@ -12,10 +12,11 @@ import (
 )

 type Manager struct {
-	CookieName  string
-	Store       common.SessionStore
-	MaxLifetime time.Duration
-	Path        string
+	CookieName   string
+	Store        common.SessionStore
+	MaxLifetime  time.Duration
+	Path         string
+	SecureCookie bool
 }

 func (m *Manager) sessionID() string {
@@ -37,6 +38,7 @@ func (m *Manager) SessionStart(w http.ResponseWriter, r *http.Request) (session
 			Value:    url.QueryEscape(sid),
 			Path:     m.Path,
 			HttpOnly: true,
+			Secure:   m.SecureCookie || (r.TLS != nil) || (r.Header.Get("X-Forwarded-Proto") == "https"),
 			MaxAge:   int(m.MaxLifetime.Seconds()),
 		}
 		http.SetCookie(w, &cookie)
@@ -75,6 +77,7 @@ func (m *Manager) SessionDestroy(w http.ResponseWriter, r *http.Request) {
 			Path:     m.Path,
 			HttpOnly: true,
 			Expires:  expiration,
+			Secure:   m.SecureCookie || (r.TLS != nil) || (r.Header.Get("X-Forwarded-Proto") == "https"),
 			MaxAge:   -1,
 		}
 		http.SetCookie(w, &cookie)