Merge pull request #1494 from cyberark/gosec-fixes

gl-johnson · web-flow · commit e4e080b1acf4 · 2023-04-19T16:57:57.000-04:00
Fix gosec warnings
diff --git a/bin/juxtaposer/tester/db/db.go b/bin/juxtaposer/tester/db/db.go
@@ -77,6 +77,7 @@ func (manager *DriverManager) ensureWantedDbDataState() error {
 		insertItemStatement := QueryTypes["insertItem"] +
 			fmt.Sprintf("(%s)", manager.Tester.GetQueryMarkers(5))
 
+		/* #nosec */
 		err = manager.Tester.Query(insertItemStatement,
 			fmt.Sprintf("%s%d", NameFieldPrefix, itemIndex),
 			itemIndex,
diff --git a/internal/plugin/connectors/http/generic/oauth/v1/protocol.go b/internal/plugin/connectors/http/generic/oauth/v1/protocol.go
@@ -3,11 +3,12 @@ package oauth1protocol
 import (
 	"bytes"
 	"crypto/hmac"
+	"crypto/rand"
 	"crypto/sha1"
 	"encoding/base64"
 	"fmt"
 	"io/ioutil"
-	"math/rand"
+	"math/big"
 	gohttp "net/http"
 	"net/url"
 	"sort"
@@ -71,14 +72,15 @@ var requiredConfigParams = []string{
 }
 
 func generateNonce(length int, charset string) string {
-	seededRand := rand.New(
-		rand.NewSource(time.Now().UnixNano()))
-
-	randomChars := make([]byte, length)
-	for index := range randomChars {
-		randomChars[index] = charset[seededRand.Intn(len(charset))]
+	randomBytes := make([]byte, length)
+	for i := 0; i < length; i++ {
+		n, err := rand.Int(rand.Reader, big.NewInt(int64(len(charset))))
+		if err != nil {
+			panic(err)
+		}
+		randomBytes[i] = charset[n.Int64()]
 	}
-	return string(randomChars)
+	return string(randomBytes)
 }
 
 // checkRequiredOAuthParams returns an error if a key from
diff --git a/internal/plugin/connectors/http/proxy_service.go b/internal/plugin/connectors/http/proxy_service.go
@@ -97,7 +97,8 @@ func NewProxyService(
 
 	transport := &gohttp.Transport{
 		TLSClientConfig: &tls.Config{
-			RootCAs: caCertPool,
+			RootCAs:    caCertPool,
+			MinVersion: tls.VersionTLS12,
 		},
 	}
 
diff --git a/test/connector/http/generic/http_test_server.go b/test/connector/http/generic/http_test_server.go
@@ -85,7 +85,10 @@ func httpsServer(
 		return nil, err
 	}
 
-	config := &tls.Config{Certificates: []tls.Certificate{cert}}
+	config := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		MinVersion:   tls.VersionTLS12,
+	}
 	s.TLS = config
 
 	s.StartTLS()
diff --git a/third_party/go-mssqldb b/third_party/go-mssqldb
@@ -1 +1 @@
-Subproject commit 54a5c1da31c85cfbb1b3bb2f6f5163c21c86be7b
+Subproject commit 77801ab862fa5428431672d8c0ad264823670a2d

Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,8 @@ func NewProxyService(`
`97`	`97`
`98`	`98`	`transport := &gohttp.Transport{`
`99`	`99`	`TLSClientConfig: &tls.Config{`
`100`		`- RootCAs: caCertPool,`
	`100`	`+ RootCAs: caCertPool,`
	`101`	`+ MinVersion: tls.VersionTLS12,`
`101`	`102`	`},`
`102`	`103`	`}`
`103`	`104`