Vault-3991 Code Scanning Alerts Changes

changelog/13667.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+core: Fixes code scanning alerts
+```

command/base_flags.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	"math"
 	"os"
 	"sort"
 	"strconv"
@@ -246,9 +247,11 @@ func (i *intValue) Set(s string) error {
 	if err != nil {
 		return err
 	}
-
-	*i.target = int(v)
-	return nil
+	if v >= math.MinInt && v <= math.MaxInt {
+		*i.target = int(v)
+		return nil
+	}
+	return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for int32", v)
 }
 
 func (i *intValue) Get() interface{} { return int(*i.target) }
@@ -374,9 +377,12 @@ func (i *uintValue) Set(s string) error {
 	if err != nil {
 		return err
 	}
+	if v > 0 && v <= math.MaxUint {
+		*i.target = uint(v)
+		return nil
+	}
 
-	*i.target = uint(v)
-	return nil
+	return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for uint32", v)
 }
 
 func (i *uintValue) Get() interface{} { return uint(*i.target) }

sdk/helper/certutil/helpers.go

@@ -36,9 +36,9 @@ import (
 const rsaMinimumSecureKeySize = 2048
 
 // Mapping of key types to default key lengths
-var defaultAlgorithmKeyBits = map[string]int {
+var defaultAlgorithmKeyBits = map[string]int{
 	"rsa": 2048,
-	"ec": 256,
+	"ec":  256,
 }
 
 // Mapping of NIST P-Curve's key length to expected signature bits.
@@ -370,6 +370,9 @@ func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) {
 func ParsePublicKeyPEM(data []byte) (interface{}, error) {
 	block, data := pem.Decode(data)
 	if block != nil {
+		if len(bytes.TrimSpace(data)) > 0 {
+			return nil, errutil.UserError{Err: "unexpected trailing data after parsed PEM block"}
+		}
 		var rawKey interface{}
 		var err error
 		if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
@@ -380,17 +383,15 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) {
 			}
 		}
 
-		if rsaPublicKey, ok := rawKey.(*rsa.PublicKey); ok {
-			return rsaPublicKey, nil
-		}
-		if ecPublicKey, ok := rawKey.(*ecdsa.PublicKey); ok {
-			return ecPublicKey, nil
-		}
-		if edPublicKey, ok := rawKey.(ed25519.PublicKey); ok {
-			return edPublicKey, nil
+		switch key := rawKey.(type) {
+		case *rsa.PublicKey:
+			return key, nil
+		case *ecdsa.PublicKey:
+			return key, nil
+		case ed25519.PublicKey:
+			return key, nil
 		}
 	}
-
 	return nil, errors.New("data does not contain any valid public keys")
 }
 

sdk/logical/translate_response.go

@@ -134,8 +134,8 @@ func (h HTTPSysInjector) MarshalJSON() ([]byte, error) {
 	}
 	// Marshaling a response will always be a JSON object, meaning it will
 	// always start with '{', so we hijack this to prepend necessary values
-	// Make a guess at the capacity, and write the object opener
-	buf := bytes.NewBuffer(make([]byte, 0, len(j)*2))
+
+	var buf bytes.Buffer
 	buf.WriteRune('{')
 	for k, v := range h.Response.Data {
 		// Marshal each key/value individually

vault/auth.go

@@ -817,7 +817,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
 	}
 
 	// Set up conf to pass in plugin_name
-	conf := make(map[string]string, len(entry.Options)+1)
+	conf := make(map[string]string)
 	for k, v := range entry.Options {
 		conf[k] = v
 	}

vault/barrier_aes_gcm.go

@@ -10,6 +10,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"strconv"
 	"strings"
 	"sync"
@@ -959,10 +960,13 @@ func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) {
 func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
 	// Allocate the output buffer with room for tern, version byte,
 	// nonce, GCM tag and the plaintext
-	capacity := termSize + 1 + gcm.NonceSize() + gcm.Overhead() + len(plain)
-	if capacity < 0 {
+
+	extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead()
+	if len(plain) > math.MaxInt-extra {
 		return nil, ErrPlaintextTooLarge
 	}
+
+	capacity := len(plain) + extra
 	size := termSize + 1 + gcm.NonceSize()
 	out := make([]byte, size, capacity)
 

vault/identity_store_oidc.go

@@ -1700,7 +1700,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
 		return now, err
 	}
 
-	usedKeys := make([]string, 0, 2*len(namedKeys))
+	usedKeys := make([]string, 0)
 
 	for _, k := range namedKeys {
 		entry, err := s.Get(ctx, namedKeyConfigPath+k)

vault/mount.go

@@ -1374,7 +1374,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
 	}
 
 	// Set up conf to pass in plugin_name
-	conf := make(map[string]string, len(entry.Options)+1)
+	conf := make(map[string]string)
 	for k, v := range entry.Options {
 		conf[k] = v
 	}