From f2c64f3cfb204717dc36c1914d77b94bbbcc61a9 Mon Sep 17 00:00:00 2001
From: Taras Kushnir
Date: Tue, 17 Jun 2025 15:04:41 +0300
Subject: [PATCH] Cosmetic security improvements to reduce spam from SonarCloud
---
 cmd/server/main.go | 7 ++++---
 docker/Dockerfile | 4 ++--
 pkg/common/fingerprint.go | 4 ++--
 pkg/portal/utils.go | 4 ++--
 pkg/session/manager.go | 11 +++++++----
 5 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 7b699373..9925e145 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -148,9 +148,10 @@ func run(ctx context.Context, cfg common.ConfigStore, stderr io.Writer, listener
 TimeSeries: timeSeriesDB,
 XSRF: &common.XSRFMiddleware{Key: "pckey", Timeout: 1 * time.Hour},
 Sessions: &session.Manager{
- CookieName: "pcsid",
- Store: sessionStore,
- MaxLifetime: sessionStore.MaxLifetime(),
+ CookieName: "pcsid",
+ Store: sessionStore,
+ MaxLifetime: sessionStore.MaxLifetime(),
+ SecureCookie: (*certFileFlag != "") && (*keyFileFlag != ""),
 },
 PlanService: planService,
 APIURL: apiURLConfig.URL(),
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 2ad61881..2426be52 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -9,7 +9,7 @@ WORKDIR /app/web
 # Install dependencies and build the frontend
 COPY ./web/package.json /app/web/package.json
-RUN --mount=type=cache,target=/cache/web npm install --verbose
+RUN --mount=type=cache,target=/cache/web npm install --verbose --ignore-scripts
 # copy the rest
 COPY ./web /app/web
@@ -25,7 +25,7 @@ WORKDIR /app/widget
 # Install dependencies and build the frontend
 COPY ./widget/package.json /app/widget/package.json
-RUN --mount=type=cache,target=/cache/widget npm install --verbose
+RUN --mount=type=cache,target=/cache/widget npm install --verbose --ignore-scripts
 # copy the rest
 COPY ./widget /app/widget
diff --git a/pkg/common/fingerprint.go b/pkg/common/fingerprint.go
index 699468ad..3a40f6d9 100644
--- a/pkg/common/fingerprint.go
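Review bot: The added `SecureCookie: (*certFileFlag != "") && (*keyFileFlag != "")` line derives the flag solely from whether this process terminates TLS itself, so in the common deployment where a reverse proxy terminates TLS it evaluates to false and the session cookie's Secure attribute then rests entirely on the proxy forwarding `X-Forwarded-Proto` (the fallback inside session.Manager). I would make this an explicit, documented setting (presumably `cfg` can carry it, like the other values read here) that defaults to true, so a proxy that forgets the header fails closed instead of silently issuing a non-Secure session cookie. A one-line comment on the field, `// SecureCookie: only inferred from local TLS; set explicitly when TLS is terminated upstream`, would at least record the limitation. The enclosing run function starts and ends outside the hunk.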
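Review bot: `--ignore-scripts` on the changed RUN line is a worthwhile hardening, but the install is still driven by `package.json` alone (only that file is copied on the line above), so each build re-resolves dependency versions and the image is not reproducible. Copy the lockfile and switch to the lockfile-enforcing command: `COPY ./web/package.json ./web/package-lock.json /app/web/` and `RUN --mount=type=cache,target=/cache/web npm ci --verbose --ignore-scripts` — assuming a package-lock.json is committed under ./web; if not, generating one is the bigger supply-chain win. Note that `--ignore-scripts` also skips legitimate postinstall steps (packages that fetch native binaries, e.g. esbuild or sharp), so the frontend build should be confirmed to still succeed with it.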
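Review bot: The widget stage has the same gap as the web stage: the changed RUN line installs from `package.json` without a lockfile, so `--ignore-scripts` hardens against install-time code execution while version resolution stays non-deterministic. Prefer `COPY ./widget/package.json ./widget/package-lock.json /app/widget/` followed by `RUN --mount=type=cache,target=/cache/widget npm ci --verbose --ignore-scripts`, provided a lockfile exists for ./widget.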
+++ b/pkg/common/fingerprint.go
@@ -1,9 +1,9 @@
 package common
-import "math/rand"
+import randv2 "math/rand/v2"
 type TFingerprint = uint64
 func RandomFingerprint() TFingerprint {
- return uint64(rand.Int63())
+ return randv2.Uint64()
 }
diff --git a/pkg/portal/utils.go b/pkg/portal/utils.go
index 75479204..45170e24 100644
--- a/pkg/portal/utils.go
+++ b/pkg/portal/utils.go
@@ -3,7 +3,7 @@ package portal
 import (
 "context"
 "log/slog"
- "math/rand"
+ randv2 "math/rand/v2"
 "net/http"
 "strings"
@@ -19,7 +19,7 @@ const (
 // NOTE: this will eventually be replaced by proper OTP
 func twoFactorCode() int {
- return rand.Intn(900000) + 100000
+ return randv2.IntN(900000) + 100000
 }
 // RouteGenerator's point is to passthrough the path correctly to the std.Handler() of slok/go-http-metrics
diff --git a/pkg/session/manager.go b/pkg/session/manager.go
index 3a2965af..a30b0a48 100644
--- a/pkg/session/manager.go
+++ b/pkg/session/manager.go
@@ -12,10 +12,11 @@ import (
 )
 type Manager struct {
- CookieName string
- Store common.SessionStore
- MaxLifetime time.Duration
- Path string
+ CookieName string
+ Store common.SessionStore
+ MaxLifetime time.Duration
+ Path string
+ SecureCookie bool
 }
 func (m *Manager) sessionID() string {
@@ -37,6 +38,7 @@ func (m *Manager) SessionStart(w http.ResponseWriter, r *http.Request) (session
 Value: url.QueryEscape(sid),
 Path: m.Path,
 HttpOnly: true,
+ Secure: m.SecureCookie || (r.TLS != nil) || (r.Header.Get("X-Forwarded-Proto") == "https"),
 MaxAge: int(m.MaxLifetime.Seconds()),
 }
 http.SetCookie(w, &cookie)
@@ -75,6 +77,7 @@ func (m *Manager) SessionDestroy(w http.ResponseWriter, r *http.Request) {
 Path: m.Path,
 HttpOnly: true,
 Expires: expiration,
+ Secure: m.SecureCookie || (r.TLS != nil) || (r.Header.Get("X-Forwarded-Proto") == "https"),
 MaxAge: -1,
 }
 http.SetCookie(w, &cookie)
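Review bot: The `+ return randv2.Uint64()` line changes the value range, not only the generator: `uint64(rand.Int63())` never set the top bit, while `Uint64()` covers the full 64-bit range, so any consumer that stores a TFingerprint in a signed 64-bit column or emits it as a JSON number may now receive values it never saw before — worth checking callers or noting in the commit. Separately, math/rand/v2 is still documented as unsuitable for security-sensitive use, so if a fingerprint has to be unguessable this should read from `crypto/rand` (fill an 8-byte buffer with `rand.Read` and decode it with `binary.LittleEndian.Uint64`); if it is only a best-effort identifier, say so in a doc comment such as `// RandomFingerprint returns a pseudo-random 64-bit fingerprint; it is not cryptographically secure and must not be used as a secret.`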
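Review bot: The new `randv2.IntN(900000) + 100000` line still produces a second-factor code from math/rand/v2, whose package documentation explicitly says its output may be predictable and points security-sensitive callers to crypto/rand; a 2FA code is exactly that case, and the surrounding NOTE about a future OTP replacement does not change what ships today. Draw the code from the OS CSPRNG instead; the range and return type stay the same, so callers are unaffected. This needs `crypto/rand` and `math/big` in the import block (which is outside this hunk), and the old `math/rand` import goes away if nothing else uses it. Treating a crypto/rand failure as fatal is deliberate: a broken entropy source should not degrade to a guessable code.
```go
// twoFactorCode returns a uniformly distributed six-digit code drawn from the OS CSPRNG.
// NOTE: this will eventually be replaced by proper OTP
func twoFactorCode() int {
	n, err := rand.Int(rand.Reader, big.NewInt(900000))
	if err != nil {
		// Only happens if the OS entropy source is unavailable; never fall back to a weaker generator.
		panic(fmt.Sprintf("twoFactorCode: crypto/rand: %v", err))
	}
	return int(n.Int64()) + 100000
}
```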
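Review bot: The new `SecureCookie bool` field is exported and security-relevant but carries no documentation, and its interaction with the request-derived checks elsewhere in the type is not obvious from the name. Add a doc comment, e.g. `// SecureCookie forces the Secure attribute on the session cookie regardless of how the request arrived; set it when TLS is terminated upstream and the proxy cannot be relied on to send X-Forwarded-Proto.` While here, an exported type doc (`// Manager issues and revokes session cookies backed by Store.`) would satisfy the usual Go convention for exported names.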
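Review bot: The added `Secure:` line leaves the session cookie without a SameSite attribute, so cross-site request behaviour is whatever each browser defaults to; for a session cookie that is already HttpOnly, adding `SameSite: http.SameSiteLaxMode,` next to it is the natural companion hardening (Strict if the app has no cross-site entry points). On the header part of the condition: `r.Header.Get("X-Forwarded-Proto") == "https"` trusts whatever is on the wire, so when the server is reachable without a trusted proxy the client controls it — spoofing it to https only produces a Secure cookie the browser will reject on a plain-http origin, so it is not an elevation, but the reverse case (a TLS-terminating proxy that does not set the header) silently yields a non-Secure session cookie, which is why the explicit SecureCookie flag should be the documented path. Proxies that emit a comma-separated chain or different casing would also fail the exact comparison. SessionStart's body begins outside the hunk.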
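Review bot: The `Secure:` expression added here is a verbatim copy of the one in SessionStart, so the two cookie-attribute decisions can drift apart on the next edit; extract it into a method used by both sites: `func (m *Manager) secure(r *http.Request) bool { return m.SecureCookie || r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https" }` and write `Secure: m.secure(r),` on this line. Note also that if the request arrives over a path where this evaluates differently than it did when the cookie was issued, browsers will not let a non-secure response overwrite or expire a Secure cookie, so the clearing cookie is silently ignored — another reason the attributes should come from one place, and for deployments to set SecureCookie explicitly. SessionDestroy's body continues outside the hunk.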