Merge pull request #11082 from afbjorklund/codescan

Address security concerns with the go code
2021-04-13 15:01:15 -07:00 · 2021-04-13 15:01:15 -07:00 · 3f8304549c
parent 3bc2171f1e f527fb675a
commit 3f8304549c
5 changed files with 18 additions and 6 deletions
--- a/pkg/drivers/kic/kic.go
+++ b/pkg/drivers/kic/kic.go
@ -98,7 +98,11 @@ func (d *Driver) Create() error {
 		params.Network = networkName
 		ip := gateway.To4()
 		// calculate the container IP based on guessing the machine index
-		ip[3] += byte(driver.IndexFromMachineName(d.NodeConfig.MachineName))
+		index := driver.IndexFromMachineName(d.NodeConfig.MachineName)
+		if int(ip[3])+index > 255 {
+			return fmt.Errorf("too many machines to calculate an IP")
+		}
+		ip[3] += byte(index)
 		klog.Infof("calculated static IP %q for the %q container", ip.String(), d.NodeConfig.MachineName)
 		params.IP = ip.String()
 	}
--- a/pkg/minikube/bootstrapper/bsutil/kverify/api_server.go
+++ b/pkg/minikube/bootstrapper/bsutil/kverify/api_server.go
@ -19,6 +19,7 @@ package kverify

 import (
 	"crypto/tls"
+	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"net"
@ -40,6 +41,7 @@ import (
 	"k8s.io/minikube/pkg/minikube/command"
 	"k8s.io/minikube/pkg/minikube/config"
 	"k8s.io/minikube/pkg/minikube/cruntime"
+	"k8s.io/minikube/pkg/minikube/localpath"
 	"k8s.io/minikube/pkg/util/retry"
 )

@ -219,10 +221,16 @@ func apiServerHealthz(hostname string, port int) (state.State, error) {
 func apiServerHealthzNow(hostname string, port int) (state.State, error) {
 	url := fmt.Sprintf("https://%s/healthz", net.JoinHostPort(hostname, fmt.Sprint(port)))
 	klog.Infof("Checking apiserver healthz at %s ...", url)
-	// To avoid: x509: certificate signed by unknown authority
+	cert, err := ioutil.ReadFile(localpath.CACert())
+	if err != nil {
+		klog.Infof("ca certificate: %v", err)
+		return state.Stopped, err
+	}
+	pool := x509.NewCertPool()
+	pool.AppendCertsFromPEM(cert)
 	tr := &http.Transport{
 		Proxy:           nil, // Avoid using a proxy to speak to a local host
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+		TLSClientConfig: &tls.Config{RootCAs: pool},
 	}
 	client := &http.Client{Transport: tr}
 	resp, err := client.Get(url)
--- a/pkg/minikube/command/exec_runner.go
+++ b/pkg/minikube/command/exec_runner.go
@ -155,7 +155,7 @@ func (e *execRunner) Copy(f assets.CopyableFile) error {
 	}

 	perms, err := strconv.ParseInt(f.GetPermissions(), 8, 0)
-	if err != nil {
+	if err != nil || perms > 07777 {
 		return errors.Wrapf(err, "error converting permissions %s to integer", f.GetPermissions())
 	}

--- a/pkg/minikube/command/kic_runner.go
+++ b/pkg/minikube/command/kic_runner.go
@ -162,7 +162,7 @@ func (k *kicRunner) Copy(f assets.CopyableFile) error {
 	}

 	perms, err := strconv.ParseInt(f.GetPermissions(), 8, 0)
-	if err != nil {
+	if err != nil || perms > 07777 {
 		return errors.Wrapf(err, "error converting permissions %s to integer", f.GetPermissions())
 	}

--- a/pkg/minikube/reason/known_issues.go
+++ b/pkg/minikube/reason/known_issues.go
@ -769,7 +769,7 @@ var internetIssues = []match{
 			URL:      proxyDoc,
 			Issues:   []int{3860},
 		},
-		Regexp: re(`gcr.io.*443: connect: invalid argument`),
+		Regexp: re(`gcr.io\.*443: connect: invalid argument`),
 	},
 	{
 		Kind: Kind{