Vault-3991 Code Scanning Alerts Changes #13667

merged 4 commits into from Jan 14, 2022
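--- a/command/base_flags.go
+++ b/command/base_flags.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "flag"
 "fmt"
+"math"
 "os"
 "sort"
 "strconv"
@@ -246,9 +247,11 @@ func (i *intValue) Set(s string) error {
 if err != nil {
 return err
 }
-
-*i.target = int(v)
-return nil
+if v >= math.MinInt && v <= math.MaxInt {
+*i.target = int(v)
+return nil
+}
+return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for int32", v)
 }
 
 func (i *intValue) Get() interface{} { return int(*i.target) }
@@ -374,9 +377,12 @@ func (i *uintValue) Set(s string) error {
 if err != nil {
 return err
 }
+if v > 0 && v <= math.MaxUint {
+*i.target = uint(v)
+return nil
+}
 
-*i.target = uint(v)
-return nil
+return fmt.Errorf("Incorrect conversion of a 64-bit integer to a lower bit size. Value %d is not within bounds for uint32", v)
 }
 
 func (i *uintValue) Get() interface{} { return uint(*i.target) }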
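Review bot: The new guard in uintValue.Set, `if v > 0 && v <= math.MaxUint {`, rejects a parsed value of 0, so a flag explicitly set to `0` now fails with the out-of-bounds error instead of being stored; the conversion `uint(v)` suggests v is already unsigned, in which case the lower bound is redundant and the line should read `if v <= math.MaxUint {`. Both new error strings say the value is "not within bounds for int32" / "uint32", but the checks compare against math.MinInt/math.MaxInt and math.MaxUint, i.e. the platform-width int and uint, so the message should name the bound it actually applied; they are also capitalised and end with a sentence, unlike Go's error-string convention, and `fmt.Errorf("value %d is out of range for uint", v)` would fix both. How v is parsed is above the hunk, so its exact type is inferred here rather than visible.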
23 changes: 12 additions & 11 deletions sdk/helper/certutil/helpers.go
Expand Up @@ -36,9 +36,9 @@ import (
const rsaMinimumSecureKeySize = 2048

// Mapping of key types to default key lengths
var defaultAlgorithmKeyBits = map[string]int {
var defaultAlgorithmKeyBits = map[string]int{
"rsa": 2048,
"ec": 256,
"ec": 256,
}

// Mapping of NIST P-Curve's key length to expected signature bits.
Expand Down Expand Up @@ -370,6 +370,9 @@ func ComparePublicKeys(key1Iface, key2Iface crypto.PublicKey) (bool, error) {
func ParsePublicKeyPEM(data []byte) (interface{}, error) {
block, data := pem.Decode(data)
if block != nil {
if len(bytes.TrimSpace(data)) > 0 {
return nil, errutil.UserError{Err: "unexpected trailing data after parsed PEM block"}
}
var rawKey interface{}
var err error
if rawKey, err = x509.ParsePKIXPublicKey(block.Bytes); err != nil {
Expand All @@ -380,17 +383,15 @@ func ParsePublicKeyPEM(data []byte) (interface{}, error) {
}
}

if rsaPublicKey, ok := rawKey.(*rsa.PublicKey); ok {
return rsaPublicKey, nil
}
if ecPublicKey, ok := rawKey.(*ecdsa.PublicKey); ok {
return ecPublicKey, nil
}
if edPublicKey, ok := rawKey.(ed25519.PublicKey); ok {
return edPublicKey, nil
switch key := rawKey.(type) {
case *rsa.PublicKey:
return key, nil
case *ecdsa.PublicKey:
return key, nil
case ed25519.PublicKey:
return key, nil
}
}

return nil, errors.New("data does not contain any valid public keys")
}

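Review bot: The trailing-data check added at the top of ParsePublicKeyPEM's block changes the function's contract — input that previously parsed, such as a key followed by a certificate or a second PEM block, now returns a UserError — yet the doc comment on the function, which sits above this hunk, does not say so. Propose adding to it: `// Any non-whitespace data after the first PEM block is rejected; callers that accept PEM bundles must split them first.` On the `pem.Decode` line the result `data` shadows the parameter, so the `bytes.TrimSpace(data)` check inspects the remainder rather than the original input; that is what the check needs, but a short comment such as `// data is now the remainder after the decoded block` would keep a later reader from "fixing" the shadowing. The `bytes` import is not shown in this section; if helpers.go does not already import it, the import block needs it.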
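--- a/sdk/logical/translate_response.go
+++ b/sdk/logical/translate_response.go
@@ -134,8 +134,8 @@ func (h HTTPSysInjector) MarshalJSON() ([]byte, error) {
 }
 // Marshaling a response will always be a JSON object, meaning it will
 // always start with '{', so we hijack this to prepend necessary values
-// Make a guess at the capacity, and write the object opener
-buf := bytes.NewBuffer(make([]byte, 0, len(j)*2))
+
+var buf bytes.Buffer
 buf.WriteRune('{')
 for k, v := range h.Response.Data {
 // Marshal each key/value individually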
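Review bot: Replacing the pre-sized buffer with a zero `bytes.Buffer` drops the capacity hint entirely, so the buffer will regrow repeatedly for large responses; adding `buf.Grow(len(j))` directly after `var buf bytes.Buffer` keeps a safe hint without the `len(j)*2` multiplication that the scanner presumably objected to (Grow only panics on a negative argument, and a length is never negative). The blank line that replaces the removed "Make a guess at the capacity" comment leaves the "hijack" comment above it detached from the code it describes; either drop the blank line or move the comment down next to `buf.WriteRune('{')`. MarshalJSON starts before this hunk, so where `j` is produced is not visible here.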
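--- a/vault/auth.go
+++ b/vault/auth.go
@@ -817,7 +817,7 @@ func (c *Core) newCredentialBackend(ctx context.Context, entry *MountEntry, sysV
 }
 
 // Set up conf to pass in plugin_name
-conf := make(map[string]string, len(entry.Options)+1)
+conf := make(map[string]string)
 for k, v := range entry.Options {
 conf[k] = v
 }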
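Review bot: Dropping the size hint `len(entry.Options)+1` means the map is grown incrementally instead of being sized once; the identical change appears in vault/mount.go, and vault/identity_store_oidc.go likewise drops `2*len(namedKeys)` from its slice. A `len()` result is bounded by the address space, so adding one cannot overflow in practice, and the hint looks to have been removed only to satisfy the code-scanning alert this PR is about. If that is the intent, a one-line comment at the `make` call, `// no capacity hint: len()+1 was flagged by code scanning as a possible overflow`, would stop a later reader from re-adding it; otherwise keeping the hint is the better code. newCredentialBackend starts before this hunk.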
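--- a/vault/barrier_aes_gcm.go
+++ b/vault/barrier_aes_gcm.go
@@ -10,6 +10,7 @@ import (
 "errors"
 "fmt"
 "io"
+"math"
 "strconv"
 "strings"
 "sync"
@@ -959,10 +960,13 @@ func (b *AESGCMBarrier) aeadFromKey(key []byte) (cipher.AEAD, error) {
 func (b *AESGCMBarrier) encrypt(path string, term uint32, gcm cipher.AEAD, plain []byte) ([]byte, error) {
 // Allocate the output buffer with room for tern, version byte,
 // nonce, GCM tag and the plaintext
-capacity := termSize + 1 + gcm.NonceSize() + gcm.Overhead() + len(plain)
-if capacity < 0 {
+
+extra := termSize + 1 + gcm.NonceSize() + gcm.Overhead()
+if len(plain) > math.MaxInt-extra {
 return nil, ErrPlaintextTooLarge
 }
+
+capacity := len(plain) + extra
 size := termSize + 1 + gcm.NonceSize()
 out := make([]byte, size, capacity)
 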
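Review bot: The new guard `if len(plain) > math.MaxInt-extra {` is the right shape — the old form performed the addition first and relied on the wrapped result being negative, whereas this one never overflows — but nothing in the code says why the comparison is arranged this way, and a later clean-up could easily fold it back into a `capacity < 0` check. Propose a comment above the if: `// Check before adding: int addition wraps silently in Go, so the bound must be tested on len(plain) itself.` The blank line inserted after the "Allocate the output buffer" comment separates it from the code it describes, and that context comment reads `tern` where `term` is meant; both are worth fixing while here. `size` recomputes the `termSize + 1 + gcm.NonceSize()` prefix that `extra` already contains, so `size := extra - gcm.Overhead()` would keep the two in step, though that is a matter of style. encrypt continues past this hunk.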
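--- a/vault/identity_store_oidc.go
+++ b/vault/identity_store_oidc.go
@@ -1700,7 +1700,7 @@ func (i *IdentityStore) expireOIDCPublicKeys(ctx context.Context, s logical.Stor
 return now, err
 }
 
-usedKeys := make([]string, 0, 2*len(namedKeys))
+usedKeys := make([]string, 0)
 
 for _, k := range namedKeys {
 entry, err := s.Get(ctx, namedKeyConfigPath+k)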
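--- a/vault/mount.go
+++ b/vault/mount.go
@@ -1374,7 +1374,7 @@ func (c *Core) newLogicalBackend(ctx context.Context, entry *MountEntry, sysView
 }
 
 // Set up conf to pass in plugin_name
-conf := make(map[string]string, len(entry.Options)+1)
+conf := make(map[string]string)
 for k, v := range entry.Options {
 conf[k] = v
 }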