diff --git a/changelog/unreleased/security-fixes.md b/changelog/unreleased/security-fixes.md
new file mode 100644
index 0000000000..5667db8458
--- /dev/null
+++ b/changelog/unreleased/security-fixes.md
@@ -0,0 +1,5 @@
+Bugfix: security fixes
+
+We polished some of the sonarcloud issues.
+
+https://github.com/owncloud/ocis/pull/10376
diff --git a/ocis-pkg/service/grpc/client.go b/ocis-pkg/service/grpc/client.go
index 06b8649d33..f35ef2616d 100644
--- a/ocis-pkg/service/grpc/client.go
+++ b/ocis-pkg/service/grpc/client.go
@@ -81,7 +81,9 @@ func NewClient(opts ...ClientOption) (client.Client, error) {
 }
 cOpts = append(cOpts, mgrpcc.AuthTLS(tlsConfig))
 case "on":
- tlsConfig = &tls.Config{}
+ tlsConfig = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
 // Note: If caCert is empty we use the system's default set of trusted CAs
 if options.caCert != "" {
 certs := x509.NewCertPool()
diff --git a/ocis/pkg/command/benchmark.go b/ocis/pkg/command/benchmark.go
index 3439619c92..28c7ecde0d 100644
--- a/ocis/pkg/command/benchmark.go
+++ b/ocis/pkg/command/benchmark.go
@@ -207,7 +207,10 @@ func client(o clientOptions) error {
 for i := 0; i < o.jobs; i++ {
 go func(i int) {
 tr := &http.Transport{
- TLSClientConfig: &tls.Config{InsecureSkipVerify: o.insecure},
+ TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ InsecureSkipVerify: o.insecure,
+ },
 }
 client := &http.Client{Transport: tr}
diff --git a/services/collaboration/pkg/connector/contentconnector.go b/services/collaboration/pkg/connector/contentconnector.go
index 273937561d..0332b09bfd 100644
--- a/services/collaboration/pkg/connector/contentconnector.go
+++ b/services/collaboration/pkg/connector/contentconnector.go
@@ -148,6 +148,7 @@ func (c *ContentConnector) GetFile(ctx context.Context, w http.ResponseWriter) e
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: c.cfg.CS3Api.DataGateway.Insecure,
 },
 },
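Review bot: The TLS floor is added only in the `case "on"` arm; the arm that ends at the top of this hunk also hands a `tlsConfig` to `mgrpcc.AuthTLS`, and if that config is built inside the same switch (its construction is above the hunk, so this is inferred) it is left without a `MinVersion` and will keep tripping the same scanner rule this commit is silencing. Go already defaults client configs to TLS 1.2 since 1.18, so the value of the explicit field is making the policy uniform and immune to GODEBUG overrides, which only works if every arm carries it. One way to keep the arms in step is to create the base config before the switch, `tlsConfig = &tls.Config{MinVersion: tls.VersionTLS12}`, and let each arm set only its mode-specific fields. NewClient starts before the hunk and continues past it.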
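Review bot: `MinVersion: tls.VersionTLS12` is now spelled out in five separate `tls.Config` literals, each next to an `InsecureSkipVerify` taken from configuration: here in GetFile, and in the PutFile, discovery.GetAppURLs, proofkeys.fetchPublicKeys and benchmark client hunks, so a later policy change (raising the floor, pinning cipher suites) has to be repeated in each one. A small shared constructor such as `func NewClientTLSConfig(insecure bool) *tls.Config { return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: insecure} }` in a package all of these already depend on (ocis-pkg looks like the candidate, but their import lists are not in the diff) would keep the policy in one place. That helper is also the natural spot to document that `InsecureSkipVerify` disables certificate and hostname verification and is intended for test deployments only. GetFile begins before the hunk and continues past it.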
@@ -312,6 +313,7 @@ func (c *ContentConnector) PutFile(ctx context.Context, stream io.Reader, stream
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: c.cfg.CS3Api.DataGateway.Insecure,
 },
 },
diff --git a/services/collaboration/pkg/helpers/discovery.go b/services/collaboration/pkg/helpers/discovery.go
index 3f61aa2767..db7b51aee6 100644
--- a/services/collaboration/pkg/helpers/discovery.go
+++ b/services/collaboration/pkg/helpers/discovery.go
@@ -22,6 +22,7 @@ func GetAppURLs(cfg *config.Config, logger log.Logger) (map[string]map[string]st
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: cfg.App.Insecure,
 },
 },
diff --git a/services/collaboration/pkg/proofkeys/handler.go b/services/collaboration/pkg/proofkeys/handler.go
index 2ecbd6fe50..37d039bf19 100644
--- a/services/collaboration/pkg/proofkeys/handler.go
+++ b/services/collaboration/pkg/proofkeys/handler.go
@@ -198,6 +198,7 @@ func (vh *VerifyHandler) fetchPublicKeys(logger *zerolog.Logger) (*PubKeys, erro
 httpClient := http.Client{
 Transport: &http.Transport{
 TLSClientConfig: &tls.Config{
+ MinVersion: tls.VersionTLS12,
 InsecureSkipVerify: vh.insecure,
 },
 },
diff --git a/services/notifications/pkg/email/email.go b/services/notifications/pkg/email/email.go
index 7a3ff2051e..e0d488e1fb 100644
--- a/services/notifications/pkg/email/email.go
+++ b/services/notifications/pkg/email/email.go
@@ -67,11 +67,12 @@ func RenderEmailTemplate(mt MessageTemplate, locale, defaultLocale string, email
 }, nil
 }
+// emailTemplate builds the email template. It does not use any user provided input, so it is safe to use template.HTML.
 func emailTemplate(tpl *template.Template, mt MessageTemplate) (string, error) {
 str, err := executeTemplate(tpl, map[string]interface{}{
- "Greeting": template.HTML(strings.TrimSpace(mt.Greeting)),
- "MessageBody": template.HTML(strings.TrimSpace(mt.MessageBody)),
- "CallToAction": template.HTML(strings.TrimSpace(mt.CallToAction)),
+ "Greeting": template.HTML(strings.TrimSpace(mt.Greeting)), // #nosec G203
+ "MessageBody": template.HTML(strings.TrimSpace(mt.MessageBody)), // #nosec G203
+ "CallToAction": template.HTML(strings.TrimSpace(mt.CallToAction)), // #nosec G203
 })
 if err != nil {
 return "", err
diff --git a/services/proxy/pkg/middleware/signed_url_auth.go b/services/proxy/pkg/middleware/signed_url_auth.go
index 863f7e7999..431b8a36e5 100644
--- a/services/proxy/pkg/middleware/signed_url_auth.go
+++ b/services/proxy/pkg/middleware/signed_url_auth.go
@@ -21,7 +21,7 @@ import (
 const (
 _paramOCSignature = "OC-Signature"
- _paramOCCredential = "OC-Credential"
+ _paramOCCredential = "OC-Credential" // #nosec G101
 _paramOCDate = "OC-Date"
 _paramOCExpires = "OC-Expires"
 _paramOCVerb = "OC-Verb"
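Review bot: The new doc comment and the three `#nosec G203` markers assert that `mt.Greeting`, `mt.MessageBody` and `mt.CallToAction` contain no user-provided input, but nothing in this hunk establishes that: the `MessageTemplate` reaches `emailTemplate` from `RenderEmailTemplate`, whose body and (truncated) parameter list sit above the hunk. If any placeholder in those template strings is filled with request-derived data (a display name, a share or file name) before this point, the `template.HTML` wrap turns that data into unescaped markup in the outgoing mail, and the suppression hides exactly the class of finding it was written for. I'd put the suppression next to the code that proves the invariant, with a justification such as `// #nosec G203 -- template strings come from translation files; substituted values are HTML-escaped upstream`, or escape the substituted values there with `template.HTMLEscapeString` before they are inserted. Either way the comment should say where the guarantee comes from rather than state it as given.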
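Review bot: The `// #nosec G101` on `_paramOCCredential` carries no reason, so the next reader or audit cannot tell whether the hardcoded-credential finding was a false positive or a real secret that was waved through. gosec accepts a justification after the marker; `_paramOCCredential = "OC-Credential" // #nosec G101 -- query parameter name, not a secret` makes the intent explicit and grep-able. The const block continues outside the hunk.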