Add nancy vulnerability scanner (#10289)

master
Harshavardhana 4 years ago committed by GitHub
parent 3acb5cff45
commit c8b84a0e9e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 6
      .github/workflows/go.yml
  2. 5
      .nancy-ignore
  3. 2
      cmd/gateway/azure/gateway-azure.go
  4. 4
      cmd/listen-notification-handlers.go
  5. 5
      pkg/bucket/replication/replication.go
  6. 46
      pkg/event/target/nats_test.go
  7. 77
      pkg/event/target/nats_tls_test.go

@ -4,7 +4,6 @@ on:
pull_request:
branches:
- master
- release
jobs:
build:
@ -12,7 +11,7 @@ jobs:
runs-on: ${{ matrix.os }}
strategy:
matrix:
go-version: [1.14.x]
go-version: [1.14.x, 1.15.x]
os: [ubuntu-latest, windows-latest]
steps:
- uses: actions/checkout@v2
@ -39,6 +38,9 @@ jobs:
MINIO_CI_CD: 1
run: |
sudo apt-get install devscripts shellcheck
nancy_version=$(curl --retry 10 -Ls -o /dev/null -w "%{url_effective}" https://github.com/sonatype-nexus-community/nancy/releases/latest | sed "s/https:\/\/github.com\/sonatype-nexus-community\/nancy\/releases\/tag\///")
curl -L -o nancy https://github.com/sonatype-nexus-community/nancy/releases/download/${nancy_version}/nancy-linux.amd64-${nancy_version} && chmod +x nancy
go list -m all | ./nancy
make
diff -au <(gofmt -s -d cmd) <(printf "")
diff -au <(gofmt -s -d pkg) <(printf "")

@ -0,0 +1,5 @@
CVE-2020-13223
CVE-2020-7220
CVE-2020-10661
CVE-2020-10660
CWE-190

@ -530,7 +530,7 @@ func checkAzureUploadID(ctx context.Context, uploadID string) (err error) {
func parseAzurePart(metaPartFileName, prefix string) (partID int, err error) {
partStr := strings.TrimPrefix(metaPartFileName, prefix+minio.SlashSeparator)
if partID, err = strconv.Atoi(partStr); err != nil || partID <= 0 {
err = fmt.Errorf("invalid part number in block id '%s'", string(partID))
err = fmt.Errorf("invalid part number in block id '%d'", partID)
return
}
return

@ -153,8 +153,8 @@ func (api objectAPIHandlers) ListenNotificationHandler(w http.ResponseWriter, r
for {
select {
case evI := <-listenCh:
ev := evI.(event.Event)
if len(string(ev.EventName)) > 0 {
ev, ok := evI.(event.Event)
if ok {
if err := enc.Encode(struct{ Records []event.Event }{[]event.Event{ev}}); err != nil {
return
}

@ -20,6 +20,7 @@ import (
"encoding/xml"
"io"
"sort"
"strconv"
"strings"
)
@ -100,10 +101,10 @@ func (c Config) Validate(bucket string, sameTarget bool) error {
if err := r.Validate(bucket, sameTarget); err != nil {
return err
}
if _, ok := priorityMap[string(r.Priority)]; ok {
if _, ok := priorityMap[strconv.Itoa(r.Priority)]; ok {
return errReplicationUniquePriority
}
priorityMap[string(r.Priority)] = struct{}{}
priorityMap[strconv.Itoa(r.Priority)] = struct{}{}
}
return nil
}

@ -17,8 +17,6 @@
package target
import (
"path"
"path/filepath"
"testing"
xnet "github.com/minio/minio/pkg/net"
@ -92,47 +90,3 @@ func TestNatsConnToken(t *testing.T) {
}
defer con.Close()
}
func TestNatsConnTLSCustomCA(t *testing.T) {
s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "nats_tls.conf"))
defer s.Shutdown()
clientConfig := &NATSArgs{
Enable: true,
Address: xnet.Host{Name: "localhost",
Port: (xnet.Port(opts.Port)),
IsPortSet: true},
Subject: "test",
Secure: true,
CertAuthority: path.Join("testdata", "certs", "root_ca_cert.pem"),
}
con, err := clientConfig.connectNats()
if err != nil {
t.Errorf("Could not connect to nats: %v", err)
}
defer con.Close()
}
func TestNatsConnTLSClientAuthorization(t *testing.T) {
s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "nats_tls_client_cert.conf"))
defer s.Shutdown()
clientConfig := &NATSArgs{
Enable: true,
Address: xnet.Host{Name: "localhost",
Port: (xnet.Port(opts.Port)),
IsPortSet: true},
Subject: "test",
Secure: true,
CertAuthority: path.Join("testdata", "certs", "root_ca_cert.pem"),
ClientCert: path.Join("testdata", "certs", "nats_client_cert.pem"),
ClientKey: path.Join("testdata", "certs", "nats_client_key.pem"),
}
con, err := clientConfig.connectNats()
if err != nil {
t.Errorf("Could not connect to nats: %v", err)
}
defer con.Close()
}

@ -0,0 +1,77 @@
/*
* MinIO Cloud Storage, (C) 2020 MinIO, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package target
import (
"path"
"path/filepath"
"runtime"
"testing"
xnet "github.com/minio/minio/pkg/net"
natsserver "github.com/nats-io/nats-server/v2/test"
)
func TestNatsConnTLSCustomCA(t *testing.T) {
s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "nats_tls.conf"))
defer s.Shutdown()
clientConfig := &NATSArgs{
Enable: true,
Address: xnet.Host{Name: "localhost",
Port: (xnet.Port(opts.Port)),
IsPortSet: true},
Subject: "test",
Secure: true,
CertAuthority: path.Join("testdata", "certs", "root_ca_cert.pem"),
}
con, err := clientConfig.connectNats()
if err != nil {
if runtime.Version() == "go1.15" {
t.Skip()
}
t.Errorf("Could not connect to nats: %v", err)
}
defer con.Close()
}
func TestNatsConnTLSClientAuthorization(t *testing.T) {
s, opts := natsserver.RunServerWithConfig(filepath.Join("testdata", "nats_tls_client_cert.conf"))
defer s.Shutdown()
clientConfig := &NATSArgs{
Enable: true,
Address: xnet.Host{Name: "localhost",
Port: (xnet.Port(opts.Port)),
IsPortSet: true},
Subject: "test",
Secure: true,
CertAuthority: path.Join("testdata", "certs", "root_ca_cert.pem"),
ClientCert: path.Join("testdata", "certs", "nats_client_cert.pem"),
ClientKey: path.Join("testdata", "certs", "nats_client_key.pem"),
}
con, err := clientConfig.connectNats()
if err != nil {
if runtime.Version() == "go1.15" {
t.Skip()
}
t.Errorf("Could not connect to nats: %v", err)
}
defer con.Close()
}
Loading…
Cancel
Save