Merge pull request #10376 from owncloud/security-fixes

Security fixes

changelog/unreleased/security-fixes.md

@@ -0,0 +1,5 @@
+Bugfix: security fixes
+
+We polished some of the sonarcloud issues.
+
+https://github.com/owncloud/ocis/pull/10376

ocis-pkg/service/grpc/client.go

@@ -81,7 +81,9 @@ func NewClient(opts ...ClientOption) (client.Client, error) {
 		}
 		cOpts = append(cOpts, mgrpcc.AuthTLS(tlsConfig))
 	case "on":
-		tlsConfig = &tls.Config{}
+		tlsConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
 		// Note: If caCert is empty we use the system's default set of trusted CAs
 		if options.caCert != "" {
 			certs := x509.NewCertPool()

ocis/pkg/command/benchmark.go

@@ -207,7 +207,10 @@ func client(o clientOptions) error {
 	for i := 0; i < o.jobs; i++ {
 		go func(i int) {
 			tr := &http.Transport{
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: o.insecure},
+				TLSClientConfig: &tls.Config{
+					MinVersion:         tls.VersionTLS12,
+					InsecureSkipVerify: o.insecure,
+				},
 			}
 			client := &http.Client{Transport: tr}
 

services/collaboration/pkg/connector/contentconnector.go

@@ -148,6 +148,7 @@ func (c *ContentConnector) GetFile(ctx context.Context, w http.ResponseWriter) e
 	httpClient := http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
+				MinVersion:         tls.VersionTLS12,
 				InsecureSkipVerify: c.cfg.CS3Api.DataGateway.Insecure,
 			},
 		},
@@ -312,6 +313,7 @@ func (c *ContentConnector) PutFile(ctx context.Context, stream io.Reader, stream
 		httpClient := http.Client{
 			Transport: &http.Transport{
 				TLSClientConfig: &tls.Config{
+					MinVersion:         tls.VersionTLS12,
 					InsecureSkipVerify: c.cfg.CS3Api.DataGateway.Insecure,
 				},
 			},

services/collaboration/pkg/helpers/discovery.go

@@ -22,6 +22,7 @@ func GetAppURLs(cfg *config.Config, logger log.Logger) (map[string]map[string]st
 	httpClient := http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
+				MinVersion:         tls.VersionTLS12,
 				InsecureSkipVerify: cfg.App.Insecure,
 			},
 		},

services/collaboration/pkg/proofkeys/handler.go

@@ -198,6 +198,7 @@ func (vh *VerifyHandler) fetchPublicKeys(logger *zerolog.Logger) (*PubKeys, erro
 	httpClient := http.Client{
 		Transport: &http.Transport{
 			TLSClientConfig: &tls.Config{
+				MinVersion:         tls.VersionTLS12,
 				InsecureSkipVerify: vh.insecure,
 			},
 		},

services/notifications/pkg/email/email.go

@@ -67,11 +67,12 @@ func RenderEmailTemplate(mt MessageTemplate, locale, defaultLocale string, email
 	}, nil
 }
 
+// emailTemplate builds the email template. It does not use any user provided input, so it is safe to use template.HTML.
 func emailTemplate(tpl *template.Template, mt MessageTemplate) (string, error) {
 	str, err := executeTemplate(tpl, map[string]interface{}{
-		"Greeting":     template.HTML(strings.TrimSpace(mt.Greeting)),
-		"MessageBody":  template.HTML(strings.TrimSpace(mt.MessageBody)),
-		"CallToAction": template.HTML(strings.TrimSpace(mt.CallToAction)),
+		"Greeting":     template.HTML(strings.TrimSpace(mt.Greeting)),     // #nosec G203
+		"MessageBody":  template.HTML(strings.TrimSpace(mt.MessageBody)),  // #nosec G203
+		"CallToAction": template.HTML(strings.TrimSpace(mt.CallToAction)), // #nosec G203
 	})
 	if err != nil {
 		return "", err

services/proxy/pkg/middleware/signed_url_auth.go

@@ -21,7 +21,7 @@ import (
 
 const (
 	_paramOCSignature  = "OC-Signature"
-	_paramOCCredential = "OC-Credential"
+	_paramOCCredential = "OC-Credential" // #nosec G101
 	_paramOCDate       = "OC-Date"
 	_paramOCExpires    = "OC-Expires"
 	_paramOCVerb       = "OC-Verb"