Lint project
@@ -38,7 +38,9 @@ func NewLinuxBridge(httpProxyPort, socksProxyPort int, debug bool) (*LinuxBridge
|
||||
}
|
||||
|
||||
id := make([]byte, 8)
|
||||
rand.Read(id)
|
||||
if _, err := rand.Read(id); err != nil {
|
||||
return nil, fmt.Errorf("failed to generate socket ID: %w", err)
|
||||
}
|
||||
socketID := hex.EncodeToString(id)
|
||||
|
||||
tmpDir := os.TempDir()
|
||||
@@ -56,7 +58,7 @@ func NewLinuxBridge(httpProxyPort, socksProxyPort int, debug bool) (*LinuxBridge
|
||||
fmt.Sprintf("UNIX-LISTEN:%s,fork,reuseaddr", httpSocketPath),
|
||||
fmt.Sprintf("TCP:localhost:%d", httpProxyPort),
|
||||
}
|
||||
bridge.httpProcess = exec.Command("socat", httpArgs...)
|
||||
bridge.httpProcess = exec.Command("socat", httpArgs...) //nolint:gosec // args constructed from trusted input
|
||||
if debug {
|
||||
fmt.Fprintf(os.Stderr, "[fence:linux] Starting HTTP bridge: socat %s\n", strings.Join(httpArgs, " "))
|
||||
}
|
||||
@@ -69,7 +71,7 @@ func NewLinuxBridge(httpProxyPort, socksProxyPort int, debug bool) (*LinuxBridge
|
||||
fmt.Sprintf("UNIX-LISTEN:%s,fork,reuseaddr", socksSocketPath),
|
||||
fmt.Sprintf("TCP:localhost:%d", socksProxyPort),
|
||||
}
|
||||
bridge.socksProcess = exec.Command("socat", socksArgs...)
|
||||
bridge.socksProcess = exec.Command("socat", socksArgs...) //nolint:gosec // args constructed from trusted input
|
||||
if debug {
|
||||
fmt.Fprintf(os.Stderr, "[fence:linux] Starting SOCKS bridge: socat %s\n", strings.Join(socksArgs, " "))
|
||||
}
|
||||
@@ -98,17 +100,17 @@ func NewLinuxBridge(httpProxyPort, socksProxyPort int, debug bool) (*LinuxBridge
|
||||
// Cleanup stops the bridge processes and removes socket files.
|
||||
func (b *LinuxBridge) Cleanup() {
|
||||
if b.httpProcess != nil && b.httpProcess.Process != nil {
|
||||
b.httpProcess.Process.Kill()
|
||||
b.httpProcess.Wait()
|
||||
_ = b.httpProcess.Process.Kill()
|
||||
_ = b.httpProcess.Wait()
|
||||
}
|
||||
if b.socksProcess != nil && b.socksProcess.Process != nil {
|
||||
b.socksProcess.Process.Kill()
|
||||
b.socksProcess.Wait()
|
||||
_ = b.socksProcess.Process.Kill()
|
||||
_ = b.socksProcess.Wait()
|
||||
}
|
||||
|
||||
// Clean up socket files
|
||||
os.Remove(b.HTTPSocketPath)
|
||||
os.Remove(b.SOCKSSocketPath)
|
||||
_ = os.Remove(b.HTTPSocketPath)
|
||||
_ = os.Remove(b.SOCKSSocketPath)
|
||||
|
||||
if b.debug {
|
||||
fmt.Fprintf(os.Stderr, "[fence:linux] Bridges cleaned up\n")
|
||||
@@ -127,7 +129,9 @@ func NewReverseBridge(ports []int, debug bool) (*ReverseBridge, error) {
|
||||
}
|
||||
|
||||
id := make([]byte, 8)
|
||||
rand.Read(id)
|
||||
if _, err := rand.Read(id); err != nil {
|
||||
return nil, fmt.Errorf("failed to generate socket ID: %w", err)
|
||||
}
|
||||
socketID := hex.EncodeToString(id)
|
||||
|
||||
tmpDir := os.TempDir()
|
||||
@@ -147,7 +151,7 @@ func NewReverseBridge(ports []int, debug bool) (*ReverseBridge, error) {
|
||||
fmt.Sprintf("TCP-LISTEN:%d,fork,reuseaddr", port),
|
||||
fmt.Sprintf("UNIX-CONNECT:%s,retry=50,interval=0.1", socketPath),
|
||||
}
|
||||
proc := exec.Command("socat", args...)
|
||||
proc := exec.Command("socat", args...) //nolint:gosec // args constructed from trusted input
|
||||
if debug {
|
||||
fmt.Fprintf(os.Stderr, "[fence:linux] Starting reverse bridge for port %d: socat %s\n", port, strings.Join(args, " "))
|
||||
}
|
||||
@@ -169,14 +173,14 @@ func NewReverseBridge(ports []int, debug bool) (*ReverseBridge, error) {
|
||||
func (b *ReverseBridge) Cleanup() {
|
||||
for _, proc := range b.processes {
|
||||
if proc != nil && proc.Process != nil {
|
||||
proc.Process.Kill()
|
||||
proc.Wait()
|
||||
_ = proc.Process.Kill()
|
||||
_ = proc.Wait()
|
||||
}
|
||||
}
|
||||
|
||||
// Clean up socket files
|
||||
for _, socketPath := range b.SocketPaths {
|
||||
os.Remove(socketPath)
|
||||
_ = os.Remove(socketPath)
|
||||
}
|
||||
|
||||
if b.debug {
|
||||
|
||||
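Review bot: The `//nolint:gosec // args constructed from trusted input` comments on the three `exec.Command("socat", ...)` calls (HTTP bridge, SOCKS bridge, reverse bridge) state a conclusion without saying which inputs were considered, and one of them is less controlled than the others. The ports are ints and the socket ID is hex, but the socket paths appear to be built under `tmpDir := os.TempDir()`, which follows `$TMPDIR`, and socat treats `,` and `:` inside an address as option and parameter separators, so such a directory name would change what `UNIX-LISTEN:%s,fork,reuseaddr` means. I would reject a `tmpDir` containing those characters before the args are built, and make the suppression specific, e.g. `//nolint:gosec // G204: fixed binary; args are int ports, a hex ID and a validated temp path`. The socket path construction is outside the visible hunks, so the `os.TempDir()` link is inferred.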
@@ -18,7 +18,9 @@ var sessionSuffix = generateSessionSuffix()
|
||||
|
||||
func generateSessionSuffix() string {
|
||||
bytes := make([]byte, 8)
|
||||
rand.Read(bytes)
|
||||
if _, err := rand.Read(bytes); err != nil {
|
||||
panic("failed to generate session suffix: " + err.Error())
|
||||
}
|
||||
return "_" + hex.EncodeToString(bytes)[:9] + "_SBX"
|
||||
}
|
||||
|
||||
@@ -175,7 +177,10 @@ func generateWriteRules(allowPaths, denyPaths []string, allowGitConfig bool, log
|
||||
|
||||
// Combine user-specified and mandatory deny patterns
|
||||
cwd, _ := os.Getwd()
|
||||
allDenyPaths := append(denyPaths, GetMandatoryDenyPatterns(cwd, allowGitConfig)...)
|
||||
mandatoryDeny := GetMandatoryDenyPatterns(cwd, allowGitConfig)
|
||||
allDenyPaths := make([]string, 0, len(denyPaths)+len(mandatoryDeny))
|
||||
allDenyPaths = append(allDenyPaths, denyPaths...)
|
||||
allDenyPaths = append(allDenyPaths, mandatoryDeny...)
|
||||
|
||||
for _, pathPattern := range allDenyPaths {
|
||||
normalized := NormalizePath(pathPattern)
|
||||
|
||||
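Review bot: `cwd, _ := os.Getwd()` in generateWriteRules still discards its error, directly above the lines this change rewrites, and its result feeds `GetMandatoryDenyPatterns(cwd, allowGitConfig)`. If Getwd fails, the mandatory deny patterns are derived from an empty working directory, so a sandbox write policy may fail open rather than closed; how GetMandatoryDenyPatterns treats an empty `cwd` is not visible here. I would check the error and return or at least log it before `mandatoryDeny` is computed. The function's signature is cut off in the hunk header and its body continues outside the hunk, so the exact error path has to follow the rest of the function.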
@@ -60,7 +60,7 @@ func (m *Manager) Initialize() error {
|
||||
m.socksProxy = proxy.NewSOCKSProxy(filter, m.debug, m.monitor)
|
||||
socksPort, err := m.socksProxy.Start()
|
||||
if err != nil {
|
||||
m.httpProxy.Stop()
|
||||
_ = m.httpProxy.Stop()
|
||||
return fmt.Errorf("failed to start SOCKS proxy: %w", err)
|
||||
}
|
||||
m.socksPort = socksPort
|
||||
@@ -69,8 +69,8 @@ func (m *Manager) Initialize() error {
|
||||
if platform.Detect() == platform.Linux {
|
||||
bridge, err := NewLinuxBridge(m.httpPort, m.socksPort, m.debug)
|
||||
if err != nil {
|
||||
m.httpProxy.Stop()
|
||||
m.socksProxy.Stop()
|
||||
_ = m.httpProxy.Stop()
|
||||
_ = m.socksProxy.Stop()
|
||||
return fmt.Errorf("failed to initialize Linux bridge: %w", err)
|
||||
}
|
||||
m.linuxBridge = bridge
|
||||
@@ -80,8 +80,8 @@ func (m *Manager) Initialize() error {
|
||||
reverseBridge, err := NewReverseBridge(m.exposedPorts, m.debug)
|
||||
if err != nil {
|
||||
m.linuxBridge.Cleanup()
|
||||
m.httpProxy.Stop()
|
||||
m.socksProxy.Stop()
|
||||
_ = m.httpProxy.Stop()
|
||||
_ = m.socksProxy.Stop()
|
||||
return fmt.Errorf("failed to initialize reverse bridge: %w", err)
|
||||
}
|
||||
m.reverseBridge = reverseBridge
|
||||
@@ -121,10 +121,10 @@ func (m *Manager) Cleanup() {
|
||||
m.linuxBridge.Cleanup()
|
||||
}
|
||||
if m.httpProxy != nil {
|
||||
m.httpProxy.Stop()
|
||||
_ = m.httpProxy.Stop()
|
||||
}
|
||||
if m.socksProxy != nil {
|
||||
m.socksProxy.Stop()
|
||||
_ = m.socksProxy.Stop()
|
||||
}
|
||||
m.logDebug("Sandbox manager cleaned up")
|
||||
}
|
||||
|
||||
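Review bot: The `_ = m.httpProxy.Stop()` and `_ = m.socksProxy.Stop()` assignments in Initialize's failure paths and in Manager.Cleanup silence the linter without recording that a proxy failed to shut down. For a sandbox manager, a listener that stays up after a failed init or a cleanup is worth surfacing. In Cleanup I would report it through the existing debug logger, along the lines of `if err := m.httpProxy.Stop(); err != nil { m.logDebug(...) }` (logDebug's exact signature is not visible here). In Initialize the Stop error could be added to the returned error's message. The same blanket discard is applied to `Process.Kill()`, `Wait()` and `os.Remove` in LinuxBridge.Cleanup, ReverseBridge.Cleanup and LogMonitor.Stop; there a non-nil `Wait` error after `Kill` is expected, so a short comment saying the discard is deliberate would be enough.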
@@ -94,8 +94,8 @@ func (m *LogMonitor) Stop() {
|
||||
}
|
||||
|
||||
if m.cmd != nil && m.cmd.Process != nil {
|
||||
m.cmd.Process.Kill()
|
||||
m.cmd.Wait()
|
||||
_ = m.cmd.Process.Kill()
|
||||
_ = m.cmd.Wait()
|
||||
}
|
||||
|
||||
m.running = false
|
||||
|
||||
@@ -26,14 +26,15 @@ func NormalizePath(pathPattern string) string {
|
||||
|
||||
normalized := pathPattern
|
||||
|
||||
// Expand ~ to home directory
|
||||
if pathPattern == "~" {
|
||||
// Expand ~ and relative paths
|
||||
switch {
|
||||
case pathPattern == "~":
|
||||
normalized = home
|
||||
} else if strings.HasPrefix(pathPattern, "~/") {
|
||||
case strings.HasPrefix(pathPattern, "~/"):
|
||||
normalized = filepath.Join(home, pathPattern[2:])
|
||||
} else if strings.HasPrefix(pathPattern, "./") || strings.HasPrefix(pathPattern, "../") {
|
||||
case strings.HasPrefix(pathPattern, "./"), strings.HasPrefix(pathPattern, "../"):
|
||||
normalized, _ = filepath.Abs(filepath.Join(cwd, pathPattern))
|
||||
} else if !filepath.IsAbs(pathPattern) && !ContainsGlobChars(pathPattern) {
|
||||
case !filepath.IsAbs(pathPattern) && !ContainsGlobChars(pathPattern):
|
||||
normalized, _ = filepath.Abs(filepath.Join(cwd, pathPattern))
|
||||
}
|
||||
|
||||
|
||||
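Review bot: Both relative-path cases in the new `switch` keep `normalized, _ = filepath.Abs(filepath.Join(cwd, pathPattern))`, which overwrites `normalized` with the empty string whenever Abs returns an error. NormalizePath feeds the sandbox's deny rules (see the `NormalizePath(pathPattern)` call in generateWriteRules), so a pattern that silently becomes `""` may drop a rule instead of enforcing it. Since the function returns only a string, I would keep the original pattern on failure: `if abs, err := filepath.Abs(filepath.Join(cwd, pathPattern)); err == nil { normalized = abs }`. The function starts and ends outside this hunk, so where `cwd` and `home` come from is not visible.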