Resolving vulnerabilities detected by Checkmarx: (#195)

* Resolving vulnerabilities detected by Checkmarx:

* Denial_Of_Service_Resource_Exhaustion in configuration.go line 123

* SSRF in client.go line 221

* Vulnerability configuration.go

* Golang lint fixes.

Author: tsunez

.circleci/config.yml

@@ -197,7 +197,7 @@ jobs:
           name: Publish GitHub release
           command: |
             VERSION=$(./bin/cx version)
-            VERSION="2.0.0_RC7"
+            VERSION="2.0.0_RC8"
             ghr -t ${GITHUB_TOKEN} -u ${CIRCLE_PROJECT_USERNAME} -r ${CIRCLE_PROJECT_REPONAME} -c ${CIRCLE_SHA1} -delete ${VERSION} ./bin/
       - save_cache: # Store cache in the /go/pkg directory
           key: go-mod-v1-{{ checksum "go.sum" }}

internal/commands/configuration.go

@@ -30,7 +30,7 @@ func NewConfigCommand() *cobra.Command {
 
 	setCmd := &cobra.Command{
 		Use:   "set",
-		Short: "Sets one of the configuration properties (cx_apikey, cx_base_uri, cx_base_auth_uri cx_ast_client_id, cx_ast_client_secret, cx_http_proxy)",
+		Short: "Set configuration property (cx_apikey, cx_base_uri, cx_base_auth_uri cx_ast_client_id, cx_ast_client_secret, cx_http_proxy)",
 		RunE:  runSetValue(),
 	}
 	scanCmd.AddCommand(storValCmd, setCmd)

internal/commands/root.go

@@ -126,8 +126,8 @@ func NewAstCLI(
 	scanCmd := NewScanCommand(scansWrapper, uploadsWrapper)
 	projectCmd := NewProjectCommand(projectsWrapper)
 	resultCmd := NewResultCommand(resultsWrapper)
-	// Disable BFL until results are ready in AST.
-	//bflCmd := NewBFLCommand(bflWrapper)
+	// Disable BFL until ready in AST.
+	// bflCmd := NewBFLCommand(bflWrapper)
 	versionCmd := NewVersionCommand()
 	authCmd := NewAuthCommand(authWrapper)
 	utilsCmd := NewUtilsCommand(healthCheckWrapper, ssiWrapper, rmWrapper, logsWrapper, queriesWrapper, uploadsWrapper)
@@ -137,7 +137,7 @@ func NewAstCLI(
 		projectCmd,
 		resultCmd,
 		versionCmd,
-		//bflCmd,
+		// bflCmd,
 		authCmd,
 		utilsCmd,
 		configCmd,

internal/commands/utils.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"log"
 	"os"
 
 	"github.com/checkmarxDev/ast-cli/internal/wrappers"
@@ -23,9 +24,7 @@ func NewUtilsCommand(healthCheckWrapper wrappers.HealthCheckWrapper,
 	rmCmd := NewSastResourcesCommand(rmWrapper)
 	queriesCmd := NewQueryCommand(queriesWrapper, uploadsWrapper)
 	logsCmd := NewLogsCommand(logsWrapper)
-	//
-	/// Complete command
-	//
+
 	var completionCmd = &cobra.Command{
 		Use:   "completion [bash|zsh|fish|powershell]",
 		Short: "Generate completion script",
@@ -72,15 +71,19 @@ func NewUtilsCommand(healthCheckWrapper wrappers.HealthCheckWrapper,
 		ValidArgs:             []string{"bash", "zsh", "fish", "powershell"},
 		Args:                  cobra.ExactValidArgs(1),
 		Run: func(cmd *cobra.Command, args []string) {
+			var err error
 			switch args[0] {
 			case "bash":
-				cmd.Root().GenBashCompletion(os.Stdout)
+				err = cmd.Root().GenBashCompletion(os.Stdout)
 			case "zsh":
-				cmd.Root().GenZshCompletion(os.Stdout)
+				err = cmd.Root().GenZshCompletion(os.Stdout)
 			case "fish":
-				cmd.Root().GenFishCompletion(os.Stdout, true)
+				err = cmd.Root().GenFishCompletion(os.Stdout, true)
 			case "powershell":
-				cmd.Root().GenPowerShellCompletion(os.Stdout)
+				err = cmd.Root().GenPowerShellCompletion(os.Stdout)
+			}
+			if err != nil {
+				log.Fatal(err)
 			}
 		},
 	}

internal/params/flags.go

@@ -37,5 +37,5 @@ const (
 )
 
 const (
-	Version = "2.0.0_RC7"
+	Version = "2.0.0_RC8"
 )

internal/wrappers/client.go

@@ -4,7 +4,6 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"hash/fnv"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -41,8 +40,6 @@ type ClientCredentialsError struct {
 	Description string `json:"error_description"`
 }
 
-type credentialsCache map[uint64]*string
-
 const failedToAuth = "Failed to authenticate - please provide an %s"
 
 var usingProxyMsgDisplayed = false
@@ -84,7 +81,7 @@ func SendHTTPRequestByFullURL(method, fullURL string, body io.Reader, auth bool,
 		return nil, err
 	}
 	if auth {
-		req, err = enrichWithOath2Credentials(req)
+		err = enrichWithOath2Credentials(req)
 		if err != nil {
 			return nil, err
 		}
@@ -107,7 +104,7 @@ func SendHTTPRequestPasswordAuth(method, path string, body io.Reader, timeout ui
 		return nil, err
 	}
 	req.Header.Add("content-type", "application/json")
-	req, err = enrichWithPasswordCredentials(req, username, password, adminClientID, adminClientSecret)
+	err = enrichWithPasswordCredentials(req, username, password, adminClientID, adminClientSecret)
 	if err != nil {
 		return nil, err
 	}
@@ -146,7 +143,7 @@ func SendHTTPRequestWithQueryParams(method, path string, params map[string]strin
 		q.Add(k, v)
 	}
 	req.URL.RawQuery = q.Encode()
-	req, err = enrichWithOath2Credentials(req)
+	err = enrichWithOath2Credentials(req)
 	if err != nil {
 		return nil, err
 	}
@@ -160,7 +157,6 @@ func SendHTTPRequestWithQueryParams(method, path string, params map[string]strin
 
 func getAuthURI() (string, error) {
 	authPath := viper.GetString(commonParams.AstAuthenticationPathConfigKey)
-	// authPath := "CX_AST_AUTHENTICATION_PATH"
 	if authPath == "" {
 		return "", errors.Errorf(fmt.Sprintf(failedToAuth, "authentication path"))
 	}
@@ -178,49 +174,49 @@ func getAuthURI() (string, error) {
 	return authURI, nil
 }
 
-func enrichWithOath2Credentials(request *http.Request) (*http.Request, error) {
+func enrichWithOath2Credentials(request *http.Request) error {
 	authURI, err := getAuthURI()
 	if err != nil {
-		return nil, err
+		return err
 	}
 
 	accessKeyID := viper.GetString(commonParams.AccessKeyIDConfigKey)
 	accessKeySecret := viper.GetString(commonParams.AccessKeySecretConfigKey)
 	astAPIKey := viper.GetString(commonParams.AstAPIKey)
 
 	if accessKeyID == "" && astAPIKey == "" {
-		return nil, errors.Errorf(fmt.Sprintf(failedToAuth, "access key ID"))
+		return errors.Errorf(fmt.Sprintf(failedToAuth, "access key ID"))
 	} else if accessKeySecret == "" && astAPIKey == "" {
-		return nil, errors.Errorf(fmt.Sprintf(failedToAuth, "access key secret"))
+		return errors.Errorf(fmt.Sprintf(failedToAuth, "access key secret"))
 	} else if astAPIKey == "" && accessKeyID == "" && accessKeySecret == "" {
 		fmt.Println("API Key not found!")
-		return nil, errors.Errorf(fmt.Sprintf(failedToAuth, "access API Key"))
+		return errors.Errorf(fmt.Sprintf(failedToAuth, "access API Key"))
 	}
 
 	accessToken, err := getClientCredentials(accessKeyID, accessKeySecret, astAPIKey, authURI)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to authenticate")
+		return errors.Wrap(err, "failed to authenticate")
 	}
 
 	request.Header.Add("Authorization", *accessToken)
-	return request, nil
+	return nil
 }
 
 func enrichWithPasswordCredentials(request *http.Request, username, password,
-	adminClientID, adminClientSecret string) (*http.Request, error) {
+	adminClientID, adminClientSecret string) error {
 	authURI, err := getAuthURI()
 	if err != nil {
-		return nil, err
+		return err
 	}
 
 	accessToken, err := getNewToken(getPasswordCredentialsPayload(username, password, adminClientID, adminClientSecret), authURI)
 	if err != nil {
-		return nil, errors.Wrap(errors.Wrap(err, "failed to get access token from auth server"),
+		return errors.Wrap(errors.Wrap(err, "failed to get access token from auth server"),
 			"failed to authenticate")
 	}
 
 	request.Header.Add("Authorization", "Bearer "+*accessToken)
-	return request, nil
+	return nil
 }
 
 func getClientCredentials(accessKeyID, accessKeySecret, astAPKey, authURI string) (*string, error) {
@@ -305,9 +301,3 @@ func getPasswordCredentialsPayload(username, password, adminClientID, adminClien
 	return fmt.Sprintf("scope=openid&grant_type=password&username=%s&password=%s"+
 		"&client_id=%s&client_secret=%s", username, password, adminClientID, adminClientSecret)
 }
-
-func hash(s string) (uint64, error) {
-	h := fnv.New64()
-	_, err := h.Write([]byte(s))
-	return h.Sum64(), err
-}

internal/wrappers/configuration.go

@@ -2,6 +2,7 @@ package wrappers
 
 import (
 	"bufio"
+	"flag"
 	"fmt"
 	"log"
 	"os"
@@ -92,7 +93,8 @@ func SetConfigProperty(propName, propValue string) {
 }
 
 func LoadConfiguration() {
-	profile := findProfile()
+	profile := flag.String("profile", defaultProfileName, "Profile to load")
+	flag.Parse()
 	usr, err := user.Current()
 	if err != nil {
 		log.Fatal("Cannot file home directory.", err)
@@ -101,10 +103,11 @@ func LoadConfiguration() {
 	verifyConfigDir(fullPath)
 	viper.AddConfigPath(fullPath)
 	configFile := "checkmarxcli"
-	if profile != defaultProfileName {
+	if *profile != defaultProfileName {
 		configFile += "_"
-		configFile += profile
+		configFile += *profile
 	}
+	fmt.Println("using config file: ", configFile)
 	viper.SetConfigName(configFile)
 	viper.SetConfigType("yaml")
 	_ = viper.ReadInConfig()
@@ -121,20 +124,6 @@ func verifyConfigDir(fullPath string) {
 	}
 }
 
-func findProfile() string {
-	profileName := defaultProfileName
-	for idx, b := range os.Args {
-		if b == "--profile" {
-			profileIdx := idx + 1
-			if len(os.Args) > profileIdx {
-				profileName = os.Args[profileIdx]
-				fmt.Println("Using custom profile: ", profileName)
-			}
-		}
-	}
-	return profileName
-}
-
 func ShowConfiguration() {
 	fmt.Println("Current Effective Configuration")