From 4a173732f37dd72a64711e8549e3064f9abc0a04 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Thu, 22 Feb 2024 08:23:53 +0100
Subject: [PATCH] tests/csdiff: help csdiff to find the correct key event

The 2nd event is a key event in the following finding from Coverity:
```
Error: SOCKET_ACCEPT_ALL_ORIGINS (CWE-942):
grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "function anonymous%1" always returns "true".
grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "Upgrader.CheckOrigin()" always returns "true" to accept requests from all origins.
grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: Modify the "Upgrader.CheckOrigin()" function to only return "true" for trusted origins, or remove the function completely since the default "Upgrader" will only create "WebSocket" connections with clients from the same origin.
```
Related: https://issues.redhat.com/browse/OSH-552
Closes: https://github.com/csutils/csdiff/pull/165
---
 tests/csdiff/diff-misc/19-cov-parser-key-event-add-z.err | 9 ---------
 tests/csdiff/diff-misc/19-cov-parser-key-event-add.err | 9 ---------
 tests/csdiff/diff-misc/19-cov-parser-key-event-fix-z.err | 9 ---------
 tests/csdiff/diff-misc/19-cov-parser-key-event-fix.err | 9 ---------
 tests/csdiff/diff-misc/19-cov-parser-key-event-new.err | 2 +-
 5 files changed, 1 insertion(+), 37 deletions(-)

diff --git a/tests/csdiff/diff-misc/19-cov-parser-key-event-add-z.err b/tests/csdiff/diff-misc/19-cov-parser-key-event-add-z.err
index f1759495..e69de29b 100644
--- a/tests/csdiff/diff-misc/19-cov-parser-key-event-add-z.err
+++ b/tests/csdiff/diff-misc/19-cov-parser-key-event-add-z.err
@@ -1,9 +0,0 @@
-Error: SOCKET_ACCEPT_ALL_ORIGINS (CWE-942):
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "function anonymous%1" always returns "true".
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "Upgrader.CheckOrigin()" always returns "true" to accept requests from all origins.
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: Modify the "Upgrader.CheckOrigin()" function to only return "true" for trusted origins, or remove the function completely since the default "Upgrader" will only create "WebSocket" connections with clients from the same origin.
-# 300| // don't return errors to maintain backwards compatibility
-# 301| }
-# 302|-> u.CheckOrigin = func(r *http.Request) bool {
-# 303| // allow all connections by default
-# 304| return true
diff --git a/tests/csdiff/diff-misc/19-cov-parser-key-event-add.err b/tests/csdiff/diff-misc/19-cov-parser-key-event-add.err
index f1759495..e69de29b 100644
--- a/tests/csdiff/diff-misc/19-cov-parser-key-event-add.err
+++ b/tests/csdiff/diff-misc/19-cov-parser-key-event-add.err
@@ -1,9 +0,0 @@
-Error: SOCKET_ACCEPT_ALL_ORIGINS (CWE-942):
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "function anonymous%1" always returns "true".
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "Upgrader.CheckOrigin()" always returns "true" to accept requests from all origins.
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: Modify the "Upgrader.CheckOrigin()" function to only return "true" for trusted origins, or remove the function completely since the default "Upgrader" will only create "WebSocket" connections with clients from the same origin.
-# 300| // don't return errors to maintain backwards compatibility
-# 301| }
-# 302|-> u.CheckOrigin = func(r *http.Request) bool {
-# 303| // allow all connections by default
-# 304| return true
diff --git a/tests/csdiff/diff-misc/19-cov-parser-key-event-fix-z.err b/tests/csdiff/diff-misc/19-cov-parser-key-event-fix-z.err
index f1759495..e69de29b 100644
--- a/tests/csdiff/diff-misc/19-cov-parser-key-event-fix-z.err
+++ b/tests/csdiff/diff-misc/19-cov-parser-key-event-fix-z.err
@@ -1,9 +0,0 @@
-Error: SOCKET_ACCEPT_ALL_ORIGINS (CWE-942):
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "function anonymous%1" always returns "true".
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "Upgrader.CheckOrigin()" always returns "true" to accept requests from all origins.
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: Modify the "Upgrader.CheckOrigin()" function to only return "true" for trusted origins, or remove the function completely since the default "Upgrader" will only create "WebSocket" connections with clients from the same origin.
-# 300| // don't return errors to maintain backwards compatibility
-# 301| }
-# 302|-> u.CheckOrigin = func(r *http.Request) bool {
-# 303| // allow all connections by default
-# 304| return true
diff --git a/tests/csdiff/diff-misc/19-cov-parser-key-event-fix.err b/tests/csdiff/diff-misc/19-cov-parser-key-event-fix.err
index f1759495..e69de29b 100644
--- a/tests/csdiff/diff-misc/19-cov-parser-key-event-fix.err
+++ b/tests/csdiff/diff-misc/19-cov-parser-key-event-fix.err
@@ -1,9 +0,0 @@
-Error: SOCKET_ACCEPT_ALL_ORIGINS (CWE-942):
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "function anonymous%1" always returns "true".
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "Upgrader.CheckOrigin()" always returns "true" to accept requests from all origins.
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: Modify the "Upgrader.CheckOrigin()" function to only return "true" for trusted origins, or remove the function completely since the default "Upgrader" will only create "WebSocket" connections with clients from the same origin.
-# 300| // don't return errors to maintain backwards compatibility
-# 301| }
-# 302|-> u.CheckOrigin = func(r *http.Request) bool {
-# 303| // allow all connections by default
-# 304| return true
diff --git a/tests/csdiff/diff-misc/19-cov-parser-key-event-new.err b/tests/csdiff/diff-misc/19-cov-parser-key-event-new.err
index 985fd256..4442c09d 100644
--- a/tests/csdiff/diff-misc/19-cov-parser-key-event-new.err
+++ b/tests/csdiff/diff-misc/19-cov-parser-key-event-new.err
@@ -2811,7 +2811,7 @@ grafana-9.2.10/vendor/github.com/gorilla/websocket/compression.go:36: null_metho
 # 38| }
 
 Error: SOCKET_ACCEPT_ALL_ORIGINS (CWE-942):
-grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "function anonymous%1" always returns "true".
+# XXX: help csdiff to find the correct key event -- grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "function anonymous%1" always returns "true".
 grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: The function "Upgrader.CheckOrigin()" always returns "true" to accept requests from all origins.
 grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: go_socketio_all_origins: Modify the "Upgrader.CheckOrigin()" function to only return "true" for trusted origins, or remove the function completely since the default "Upgrader" will only create "WebSocket" connections with clients from the same origin.
 # 300| // don't return errors to maintain backwards compatibility
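Review bot: The added `# XXX:` line presumably works because csdiff's Coverity parser treats `#`-prefixed lines as source-context rather than as events, which is what moves the key event to the `Upgrader.CheckOrigin()` line; nothing in the fixture states that, so the line can be mistaken for a stray comment or for genuine Coverity output. Consider making the marker self-explanatory, e.g. `# XXX: not an event -- prefixed so csdiff selects the "Upgrader.CheckOrigin()" event as the key event (OSH-552) -- grafana-9.2.10/vendor/github.com/gorilla/websocket/server.go:302: ...`. If this is a workaround for the parser's key-event heuristic rather than a property of real scanner output, a short note in the test directory listing which findings are hand-edited would keep the fixture from being regenerated over it.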