Fix gosec linter issues and upgrade go.step.sm/crypto to v0.76.2

Author: hslatman

command/api/token/create.go

@@ -120,7 +120,7 @@ func createAction(ctx *cli.Context) (err error) {
 	client := http.Client{
 		Transport: transport,
 	}
-	resp, err := client.Do(post)
+	resp, err := client.Do(post) // #nosec G704 -- request depends on configuration
 	if err != nil {
 		return err
 	}

command/ca/acme/eab/list.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"os"
 	"os/exec"
+	"strings"
 
 	"github.com/pkg/errors"
 	"github.com/urfave/cli"
@@ -99,8 +100,16 @@ func listAction(ctx *cli.Context) (err error) {
 
 	// prepare the $PAGER command to run when not disabled and when available
 	pager := os.Getenv("PAGER")
+	if strings.ContainsAny(pager, " \t\n;&|<>") {
+		return errors.New("invalid PAGER environment value")
+	}
+
+	if _, err := exec.LookPath(pager); err != nil {
+		return fmt.Errorf("invalid PAGER environment value: %w", err)
+	}
+
 	if usePager && pager != "" {
-		cmd = exec.Command(pager)
+		cmd = exec.Command(pager) // #nosec G702 -- $PAGER is intended to be provided by users; basic validation applied
 		var err error
 		out, err = cmd.StdinPipe()
 		if err != nil {

command/ca/provisioner/add.go

@@ -28,7 +28,7 @@ import (
 )
 
 func addCommand() cli.Command {
-	return cli.Command{
+	return cli.Command{ // #nosec G101 -- Google OIDC example values
 		Name:   "add",
 		Action: cli.ActionFunc(addAction),
 		Usage:  "add a provisioner",

command/certificate/verify.go

@@ -250,7 +250,6 @@ func verifyAction(ctx *cli.Context) error {
 
 	switch {
 	case (verifyCRL || verifyOCSP) && roots != "":
-		//nolint:gosec // using default configuration for 3rd party endpoints
 		tlsConfig := &tls.Config{
 			RootCAs: rootPool,
 		}
@@ -389,7 +388,7 @@ func VerifyOCSPEndpoint(endpoint string, cert, issuer *x509.Certificate, httpCli
 		return false, errors.Errorf("error contacting OCSP server: %s", endpoint)
 	}
 	httpReq.Header.Add("Content-Type", "application/ocsp-request")
-	httpResp, err := httpClient.Do(httpReq)
+	httpResp, err := httpClient.Do(httpReq) // #nosec G704 -- request relies on values from certificate or intentionally provided by user
 	if err != nil {
 		return false, errors.Errorf("error contacting OCSP server: %s", endpoint)
 	}

command/crypto/jwk/keyset.go

@@ -234,7 +234,7 @@ func rwLockKeySet(filename string) (jwks *jose.JSONWebKeySet, writeFunc func(boo
 		return
 	}
 
-	fd := int(f.Fd())
+	fd := int(f.Fd()) // #nosec G115 -- uintptr comes from file descriptor
 
 	// non-blocking exclusive lock
 	err = sysutils.FileLock(fd)

command/crypto/winpe/winpe.go

@@ -67,7 +67,7 @@ func extractPEAction(ctx *cli.Context) error {
 }
 
 func extractPE(filename string) error {
-	file, err := os.Open(filename)
+	file, err := os.Open(filename) // #nosec G703 -- file to open intentionally relies on user configuration
 	if err != nil {
 		return errors.Wrapf(err, "error opening %s", filename)
 	}

command/oauth/cmd.go

@@ -66,9 +66,9 @@ const (
 )
 
 type token struct {
-	AccessToken  string `json:"access_token"`
+	AccessToken  string `json:"access_token"` // #nosec G117 -- JSON property
 	IDToken      string `json:"id_token"`
-	RefreshToken string `json:"refresh_token"`
+	RefreshToken string `json:"refresh_token"` // #nosec G117 -- JSON property
 	ExpiresIn    int    `json:"expires_in"`
 	TokenType    string `json:"token_type"`
 	Err          string `json:"error,omitempty"`
@@ -571,13 +571,13 @@ type endpoint struct {
 }
 
 var knownProviders = map[string]endpoint{
-	"google": {
+	"google": { // #nosec G101 -- no credentials; just well-known configuration values
 		authorization:       "https://accounts.google.com/o/oauth2/v2/auth",
 		deviceAuthorization: "https://oauth2.googleapis.com/device/code",
 		token:               "https://www.googleapis.com/oauth2/v4/token",
 		userInfo:            "https://www.googleapis.com/oauth2/v3/userinfo",
 	},
-	"github": {
+	"github": { // #nosec G101 -- no credentials; just well-known configuration values
 		authorization:       "https://github.com/login/oauth/authorize",
 		deviceAuthorization: "https://github.com/login/device/code",
 		token:               "https://github.com/login/oauth/access_token",
@@ -712,7 +712,7 @@ func disco(provider string) (map[string]interface{}, error) {
 // application/json", without this header GitHub will use
 // application/x-www-form-urlencoded.
 func postForm(rawurl string, data url.Values) (*http.Response, error) {
-	req, err := http.NewRequest("POST", rawurl, strings.NewReader(data.Encode()))
+	req, err := http.NewRequest("POST", rawurl, strings.NewReader(data.Encode())) // #nosec G704 -- request intentionally relies on user data
 	if err != nil {
 		return nil, fmt.Errorf("create POST %s request failed: %w", rawurl, err)
 	}
@@ -722,7 +722,7 @@ func postForm(rawurl string, data url.Values) (*http.Response, error) {
 
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Accept", "application/json")
-	return http.DefaultClient.Do(req)
+	return http.DefaultClient.Do(req) // #nosec G704 -- request intentionally relies on user configuration
 }
 
 // NewServer creates http server
@@ -1106,7 +1106,7 @@ func (o *oauth) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 
 	code, state := q.Get("code"), q.Get("state")
 	if code == "" || state == "" {
-		fmt.Fprintf(os.Stderr, "Invalid request received: http://%s%s\n", req.RemoteAddr, req.URL.String())
+		fmt.Fprintf(os.Stderr, "Invalid request received: http://%s%s\n", req.RemoteAddr, req.URL.String()) // #nosec G705 -- terminal output
 		fmt.Fprintf(os.Stderr, "You may have an app or browser plugin that needs to be turned off\n")
 		http.Error(w, "400 bad request", http.StatusBadRequest)
 		return

exec/exec.go

@@ -79,7 +79,7 @@ func RunWithPid(pidFile, name string, arg ...string) {
 	cmd, exitCh, err := run(name, arg...)
 	if err != nil {
 		f.Close()
-		os.Remove(f.Name())
+		_ = os.Remove(f.Name()) // #nosec G703 -- file does not depend on user configuration
 		errorAndExit(name, err)
 	}
 
@@ -94,7 +94,7 @@ func RunWithPid(pidFile, name string, arg ...string) {
 	}
 
 	// clean, exit and wait until os.Exit
-	os.Remove(f.Name())
+	_ = os.Remove(f.Name()) // #nosec G703 -- file does not depend on user configuration
 	exitCh <- getExitStatus(cmd)
 	exitCh <- 0
 }

internal/cmd/root.go

@@ -163,7 +163,7 @@ func panicHandler() {
 
 		fmt.Fprintln(os.Stderr, "Something unexpected happened.")
 		fmt.Fprintln(os.Stderr, "If you want to help us debug the problem, please run:")
-		fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %s\n", strings.Join(os.Args, " "))
+		fmt.Fprintf(os.Stderr, "STEPDEBUG=1 %q\n", strings.Join(os.Args, " ")) // #nosec G705 -- terminal output
 		fmt.Fprintln(os.Stderr, "and send the output to info@smallstep.com")
 		os.Exit(2)
 	}

internal/plugin/plugin.go

@@ -38,7 +38,7 @@ func LookPath(name string) (string, error) {
 		}
 		for _, ext := range exts {
 			path := filepath.Join(step.BasePath(), "plugins", fileName+ext)
-			if _, err := os.Stat(path); err == nil {
+			if _, err := os.Stat(path); err == nil { // #nosec G703 -- path to stat intentionally relies on (partial) user configuration
 				return path, nil
 			}
 		}