From 3c3c1001bb09c38a16724dc80bac759789012525 Mon Sep 17 00:00:00 2001
From: Miguel Caballer <micafer1@upv.es>
Date: Mon, 25 Nov 2024 14:15:08 +0100
Subject: [PATCH] Fix security issues

---
 pkg/imagepuller/daemonset.go    |  7 +++++--
 pkg/resourcemanager/delegate.go | 15 +++++++++------
 pkg/types/storage.go            |  2 +-
 pkg/utils/minio.go              |  2 +-
 4 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/pkg/imagepuller/daemonset.go b/pkg/imagepuller/daemonset.go
index 7d5a6f9f..6795e065 100644
--- a/pkg/imagepuller/daemonset.go
+++ b/pkg/imagepuller/daemonset.go
@@ -21,9 +21,10 @@ package imagepuller
 import (
 	//"k8s.io/apimachinery/pkg/watch"
 	"context"
+	"crypto/rand"
 	"fmt"
 	"log"
-	"math/rand"
+	"math/big"
 	"os"
 	"sync"
 	"time"
@@ -191,7 +192,9 @@ func setWorkingNodes(kubeClientset kubernetes.Interface) error {
 func generatePodGroupName() string {
 	b := make([]byte, lengthStr)
 	for i := range b {
-		b[i] = letterBytes[rand.Intn(len(letterBytes))]
+		max := big.NewInt(int64(len(letterBytes)))
+		randomNumber, _ := rand.Int(rand.Reader, max)
+		b[i] = letterBytes[randomNumber.Int64()]
 	}
 	return "pod-group-" + string(b)
 }
diff --git a/pkg/resourcemanager/delegate.go b/pkg/resourcemanager/delegate.go
index dfa5a225..014df265 100644
--- a/pkg/resourcemanager/delegate.go
+++ b/pkg/resourcemanager/delegate.go
@@ -18,11 +18,12 @@ package resourcemanager
 
 import (
 	"bytes"
+	"crypto/rand"
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
 	"log"
-	"math/rand"
+	"math/big"
 	"net/http"
 	"net/url"
 	"path"
@@ -131,7 +132,7 @@ func DelegateJob(service *types.Service, event string, logger *log.Logger) error
 			// Make HTTP client
 			var transport http.RoundTripper = &http.Transport{
 				// Enable/disable SSL verification
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: !cluster.SSLVerify},
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: !cluster.SSLVerify}, // #nosec
 			}
 			client := &http.Client{
 				Transport: transport,
@@ -193,7 +194,7 @@ func DelegateJob(service *types.Service, event string, logger *log.Logger) error
 			// Make HTTP client
 			var transport http.RoundTripper = &http.Transport{
 				// Enable/disable SSL verification
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: !replica.SSLVerify},
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: !replica.SSLVerify}, // #nosec
 			}
 			client := &http.Client{
 				Transport: transport,
@@ -269,7 +270,7 @@ func updateServiceToken(replica types.Replica, cluster types.Cluster) (string, e
 	// Make HTTP client
 	var transport http.RoundTripper = &http.Transport{
 		// Enable/disable SSL verification
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: !cluster.SSLVerify},
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: !cluster.SSLVerify}, // #nosec
 	}
 	client := &http.Client{
 		Transport: transport,
@@ -344,7 +345,7 @@ func getClusterStatus(service *types.Service) {
 			// Make HTTP client
 			var transport http.RoundTripper = &http.Transport{
 				// Enable/disable SSL verification
-				TLSClientConfig: &tls.Config{InsecureSkipVerify: !cluster.SSLVerify},
+				TLSClientConfig: &tls.Config{InsecureSkipVerify: !cluster.SSLVerify}, // #nosec
 			}
 			client := &http.Client{
 				Transport: transport,
@@ -395,7 +396,9 @@ func getClusterStatus(service *types.Service) {
 				if dist >= 0 {
 					fmt.Println("Resources available in ClusterID", replica.ClusterID)
 					if service.Delegation == "random" {
-						randPriority := rand.Intn(noDelegateCode)
+						max := big.NewInt(int64(noDelegateCode))
+						randomNumber, _ := rand.Int(rand.Reader, max)
+						randPriority := randomNumber.Int64()
 						replica.Priority = uint(randPriority)
 						fmt.Println("Priority ", replica.Priority, " with ", service.Delegation, " delegation")
 					} else if service.Delegation == "load-based" {
diff --git a/pkg/types/storage.go b/pkg/types/storage.go
index f2671da9..05fc22bc 100644
--- a/pkg/types/storage.go
+++ b/pkg/types/storage.go
@@ -122,7 +122,7 @@ func (minIOProvider MinIOProvider) GetS3Client() *s3.S3 {
 	// Disable tls verification in client transport if Verify == false
 	if !minIOProvider.Verify {
 		tr := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec
 		}
 		s3MinIOConfig.HTTPClient = &http.Client{Transport: tr}
 	}
diff --git a/pkg/utils/minio.go b/pkg/utils/minio.go
index 8a71b6e7..22d2a6c2 100644
--- a/pkg/utils/minio.go
+++ b/pkg/utils/minio.go
@@ -80,7 +80,7 @@ func MakeMinIOAdminClient(cfg *types.Config) (*MinIOAdminClient, error) {
 	// Disable tls verification in client transport if verify == false
 	if !cfg.MinIOProvider.Verify {
 		tr := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec
 		}
 		adminClient.SetCustomTransport(tr)
 	}