From f527fb675a908318d9edf351fd9e46aae70dfe88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Anders=20F=20Bj=C3=B6rklund?= Date: Mon, 12 Apr 2021 20:36:49 +0200 Subject: [PATCH] Address security concerns with the go code As flagged by the github code scanning --- pkg/drivers/kic/kic.go | 6 +++++- .../bootstrapper/bsutil/kverify/api_server.go | 12 ++++++++++-- pkg/minikube/command/exec_runner.go | 2 +- pkg/minikube/command/kic_runner.go | 2 +- pkg/minikube/reason/known_issues.go | 2 +- 5 files changed, 18 insertions(+), 6 deletions(-) diff --git a/pkg/drivers/kic/kic.go b/pkg/drivers/kic/kic.go index 707a12e688..db9d3f3ad7 100644 --- a/pkg/drivers/kic/kic.go +++ b/pkg/drivers/kic/kic.go @@ -98,7 +98,11 @@ func (d *Driver) Create() error { params.Network = networkName ip := gateway.To4() // calculate the container IP based on guessing the machine index - ip[3] += byte(driver.IndexFromMachineName(d.NodeConfig.MachineName)) + index := driver.IndexFromMachineName(d.NodeConfig.MachineName) + if int(ip[3])+index > 255 { + return fmt.Errorf("too many machines to calculate an IP") + } + ip[3] += byte(index) klog.Infof("calculated static IP %q for the %q container", ip.String(), d.NodeConfig.MachineName) params.IP = ip.String() } diff --git a/pkg/minikube/bootstrapper/bsutil/kverify/api_server.go b/pkg/minikube/bootstrapper/bsutil/kverify/api_server.go index fe07aba87b..39c29a1640 100644 --- a/pkg/minikube/bootstrapper/bsutil/kverify/api_server.go +++ b/pkg/minikube/bootstrapper/bsutil/kverify/api_server.go @@ -19,6 +19,7 @@ package kverify import ( "crypto/tls" + "crypto/x509" "fmt" "io/ioutil" "net" @@ -40,6 +41,7 @@ import ( "k8s.io/minikube/pkg/minikube/command" "k8s.io/minikube/pkg/minikube/config" "k8s.io/minikube/pkg/minikube/cruntime" + "k8s.io/minikube/pkg/minikube/localpath" "k8s.io/minikube/pkg/util/retry" ) @@ -219,10 +221,16 @@ func apiServerHealthz(hostname string, port int) (state.State, error) { func apiServerHealthzNow(hostname string, port int) (state.State, error) { url := fmt.Sprintf("https://%s/healthz", net.JoinHostPort(hostname, fmt.Sprint(port))) klog.Infof("Checking apiserver healthz at %s ...", url) - // To avoid: x509: certificate signed by unknown authority + cert, err := ioutil.ReadFile(localpath.CACert()) + if err != nil { + klog.Infof("ca certificate: %v", err) + return state.Stopped, err + } + pool := x509.NewCertPool() + pool.AppendCertsFromPEM(cert) tr := &http.Transport{ Proxy: nil, // Avoid using a proxy to speak to a local host - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + TLSClientConfig: &tls.Config{RootCAs: pool}, } client := &http.Client{Transport: tr} resp, err := client.Get(url) diff --git a/pkg/minikube/command/exec_runner.go b/pkg/minikube/command/exec_runner.go index 066eb64f9f..b803b9b949 100644 --- a/pkg/minikube/command/exec_runner.go +++ b/pkg/minikube/command/exec_runner.go @@ -155,7 +155,7 @@ func (e *execRunner) Copy(f assets.CopyableFile) error { } perms, err := strconv.ParseInt(f.GetPermissions(), 8, 0) - if err != nil { + if err != nil || perms > 07777 { return errors.Wrapf(err, "error converting permissions %s to integer", f.GetPermissions()) } diff --git a/pkg/minikube/command/kic_runner.go b/pkg/minikube/command/kic_runner.go index 3f679d762f..c5c7365f85 100644 --- a/pkg/minikube/command/kic_runner.go +++ b/pkg/minikube/command/kic_runner.go @@ -162,7 +162,7 @@ func (k *kicRunner) Copy(f assets.CopyableFile) error { } perms, err := strconv.ParseInt(f.GetPermissions(), 8, 0) - if err != nil { + if err != nil || perms > 07777 { return errors.Wrapf(err, "error converting permissions %s to integer", f.GetPermissions()) } diff --git a/pkg/minikube/reason/known_issues.go b/pkg/minikube/reason/known_issues.go index 8e4c7e1593..e03863d17d 100644 --- a/pkg/minikube/reason/known_issues.go +++ b/pkg/minikube/reason/known_issues.go @@ -769,7 +769,7 @@ var internetIssues = []match{ URL: proxyDoc, Issues: []int{3860}, }, - Regexp: re(`gcr.io.*443: connect: invalid argument`), + Regexp: re(`gcr.io\.*443: connect: invalid argument`), }, { Kind: Kind{