Merge pull request #45 from 0xPolygon/mardizzone/POS-2822

[WIP] POS-2822: sec fixes

.github/workflows/ci.yml

@@ -20,7 +20,7 @@ jobs:
       GOPRIVATE : github.com/0xPolygon/heimdall-v2
       GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Install Go
         uses: actions/setup-go@v5

.github/workflows/codeql.yml

@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Install Go
         uses: actions/setup-go@v5

.github/workflows/govulncheck.yml

@@ -0,0 +1,24 @@
+# TODO HV2: remove GIT_TERMINAL_PROMPT, GOPRIVATE and GH_ACCESS_TOKEN vars once heimdall-v2 is a public repo
+name: Govuln
+on: [ push, pull_request ]
+
+jobs:
+  govulncheck:
+    name: Run govulncheck
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.6"
+          check-latest: true
+      - uses: actions/checkout@v4
+      - uses: technote-space/get-diff-action@v6
+        with:
+          PATTERNS: |
+            **/*.go
+            go.mod
+            go.sum
+            Makefile
+      - name: govulncheck
+        run: make vulncheck
+        if: "env.GIT_DIFF != ''"

.golangci.yml

@@ -1,23 +1,13 @@
 run:
   tests: true
   timeout: 15m
-  sort-results: true
   allow-parallel-runners: true
-  exclude-dir: testutil/testdata
-  skip-files:
-    - server/grpc/gogoreflection/fix_registration.go
-    - "fix_registration.go"
-    - "x/bank/migrations/v4/gen_state_test.go"
-    - ".*\\.pb\\.go$"
-    - ".*\\.pb\\.gw\\.go$"
-    - ".*\\.pulsar\\.go$"
 
 linters:
   disable-all: true
   enable:
-    - depguard
     - dogsled
-    - exportloopref
+    - copyloopvar
     - goconst
     - gocritic
     - gci
@@ -28,7 +18,6 @@ linters:
     - ineffassign
     - misspell
     - nakedret
-    - nolintlint
     - staticcheck
     - revive
     - stylecheck
@@ -37,6 +26,16 @@ linters:
     - unused
 
 issues:
+  exclude-files:
+    - server/grpc/gogoreflection/fix_registration.go
+    - "fix_registration.go"
+    - "x/bank/migrations/v4/gen_state_test.go"
+    - ".*\\.pb\\.go$"
+    - ".*\\.pb\\.gw\\.go$"
+    - ".*\\.pulsar\\.go$"
+    - ".*_test\\.go"
+  exclude-dirs:
+    - testutil/testdata
   exclude-rules:
     - text: "Use of weak random number generator"
       linters:

Makefile

@@ -372,7 +372,7 @@ benchmark:
 ###                                Linting                                  ###
 ###############################################################################
 
-golangci_version=v1.51.2
+golangci_version=v1.63.4
 
 lint-install:
 	@echo "--> Installing golangci-lint $(golangci_version)"

api/go.mod

@@ -13,9 +13,9 @@ require (
 require (
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
-	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/sys v0.16.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240123012728-ef4313101c80 // indirect
 )

api/go.sum

@@ -6,12 +6,12 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
-golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
 google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80/go.mod h1:cc8bqMqtv9gMOr0zHg2Vzff5ULhhL2IXP4sbcn32Dro=
 google.golang.org/genproto/googleapis/api v0.0.0-20240123012728-ef4313101c80 h1:Lj5rbfG876hIAYFjqiJnPHfhXbv+nzTWfm04Fg/XSVU=

baseapp/abci.go

@@ -201,7 +201,7 @@ func (app *BaseApp) Query(_ context.Context, req *abci.RequestQuery) (resp *abci
 }
 
 // ListSnapshots implements the ABCI interface. It delegates to app.snapshotManager if set.
-func (app *BaseApp) ListSnapshots(req *abci.RequestListSnapshots) (*abci.ResponseListSnapshots, error) {
+func (app *BaseApp) ListSnapshots(_ *abci.RequestListSnapshots) (*abci.ResponseListSnapshots, error) {
 	resp := &abci.ResponseListSnapshots{Snapshots: []*abci.Snapshot{}}
 	if app.snapshotManager == nil {
 		return resp, nil

baseapp/abci_utils.go

@@ -4,15 +4,15 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"slices" //nolint: gci // ignore this line for this linter
+	"slices"
 
 	"github.com/cockroachdb/errors"
 	abci "github.com/cometbft/cometbft/abci/types"
 	cryptoenc "github.com/cometbft/cometbft/crypto/encoding"
 	cmtprotocrypto "github.com/cometbft/cometbft/proto/tendermint/crypto"
 	cmtproto "github.com/cometbft/cometbft/proto/tendermint/types"
 	protoio "github.com/cosmos/gogoproto/io"
-	"github.com/cosmos/gogoproto/proto" //nolint: gci // ignore this line for this linter
+	"github.com/cosmos/gogoproto/proto"
 
 	"cosmossdk.io/core/comet"
 

client/debug/main.go

@@ -64,7 +64,7 @@ func getCodecInterfaces() *cobra.Command {
 		Use:   "list-interfaces",
 		Short: "List all registered interface type URLs",
 		Long:  "List all registered interface type URLs using the application codec",
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			clientCtx := client.GetClientContextFromCmd(cmd)
 			iFaces := clientCtx.Codec.InterfaceRegistry().ListAllInterfaces()
 			for _, iFace := range iFaces {
@@ -329,7 +329,7 @@ func PrefixesCmd() *cobra.Command {
 		Short:   "List prefixes used for Human-Readable Part (HRP) in hex",
 		Long:    "List prefixes used in Bech32 addresses.",
 		Example: fmt.Sprintf("$ %s debug prefixes", version.AppName),
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			cmd.Printf("Hex Acc: %s\n", "")
 			cmd.Printf("Hex Val: %s\n", "")
 			cmd.Printf("Hex Con: %s\n", "")

client/input/input_test.go

@@ -34,7 +34,7 @@ func TestReadLineFromBuf(t *testing.T) {
 	})
 
 	t.Run("it returns EOF if reader has been exhausted", func(t *testing.T) {
-		fr.fnc = func(p []byte) (int, error) {
+		fr.fnc = func(_ []byte) (int, error) {
 			return 0, io.EOF
 		}
 		buf := bufio.NewReader(fr)

client/keys/add.go

@@ -94,7 +94,7 @@ Example:
 	f.String(flagMnemonicSrc, "", "Import mnemonic from a file (only usable when recover or interactive is passed)")
 
 	// support old flags name for backwards compatibility
-	f.SetNormalizeFunc(func(f *pflag.FlagSet, name string) pflag.NormalizedName {
+	f.SetNormalizeFunc(func(_ *pflag.FlagSet, name string) pflag.NormalizedName {
 		if name == flags.FlagKeyAlgorithm {
 			name = flags.FlagKeyType
 		}

client/keys/list.go

@@ -56,7 +56,7 @@ func ListKeyTypesCmd() *cobra.Command {
 		Use:   "list-key-types",
 		Short: "List all key types",
 		Long:  `Return a list of all supported key types (also known as algos)`,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			clientCtx, err := client.GetClientQueryContext(cmd)
 			if err != nil {
 				return err

client/keys/mnemonic.go

@@ -23,7 +23,7 @@ func MnemonicKeyCommand() *cobra.Command {
 		Use:   "mnemonic",
 		Short: "Compute the bip39 mnemonic for some input entropy",
 		Long:  "Create a bip39 mnemonic, sometimes called a seed phrase, by reading from the system entropy. To pass your own entropy, use --unsafe-entropy",
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			var entropySeed []byte
 
 			if userEntropy, _ := cmd.Flags().GetBool(flagUserEntropy); userEntropy {

client/keys/parse.go

@@ -33,7 +33,7 @@ type bech32Output struct {
 	Formats []string `json:"formats"`
 }
 
-func newBech32Output(config *sdk.Config, bs []byte) bech32Output {
+func newBech32Output(_ *sdk.Config, bs []byte) bech32Output {
 	out := bech32Output{Formats: make([]string, 1)}
 	bech32Addr, err := bech32.ConvertAndEncode("", bs)
 	if err != nil {

client/keys/types.go

@@ -42,8 +42,8 @@ type UpdateKeyReq struct {
 }
 
 // NewUpdateKeyReq constructs a new UpdateKeyReq structure.
-func NewUpdateKeyReq(old, new string) UpdateKeyReq {
-	return UpdateKeyReq{OldPassword: old, NewPassword: new}
+func NewUpdateKeyReq(old, n string) UpdateKeyReq {
+	return UpdateKeyReq{OldPassword: old, NewPassword: n}
 }
 
 // DeleteKeyReq requests deleting a key

client/snapshot/export.go

@@ -15,7 +15,7 @@ func ExportSnapshotCmd(appCreator servertypes.AppCreator) *cobra.Command {
 		Use:   "export",
 		Short: "Export app state to snapshot store",
 		Args:  cobra.NoArgs,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			ctx := server.GetServerContextFromCmd(cmd)
 
 			height, err := cmd.Flags().GetInt64("height")

client/snapshot/list.go

@@ -12,7 +12,7 @@ import (
 var ListSnapshotsCmd = &cobra.Command{
 	Use:   "list",
 	Short: "List local snapshots",
-	RunE: func(cmd *cobra.Command, args []string) error {
+	RunE: func(cmd *cobra.Command, _ []string) error {
 		ctx := server.GetServerContextFromCmd(cmd)
 		snapshotStore, err := server.GetSnapshotStore(ctx.Viper)
 		if err != nil {

client/tx/factory.go

@@ -3,6 +3,7 @@ package tx
 import (
 	"errors"
 	"fmt"
+	"math/big"
 	"os"
 	"strings"
 
@@ -311,7 +312,9 @@ func (f Factory) BuildUnsignedTx(msgs ...sdk.Msg) (client.TxBuilder, error) {
 			return nil, errors.New("cannot provide both fees and gas prices")
 		}
 
-		glDec := math.LegacyNewDec(int64(f.gas))
+		// f.gas is a uint64 and we should convert to LegacyDec
+		// without the risk of under/overflow via uint64->int64.
+		glDec := math.LegacyNewDecFromBigInt(new(big.Int).SetUint64(f.gas))
 
 		// Derive the fees based on the provided gas prices, where
 		// fee = ceil(gasPrice * gasLimit).

client/v2/autocli/flag/pubkey.go

@@ -45,12 +45,12 @@ func (a *pubkeyValue) Set(s string) error {
 		return fmt.Errorf("input isn't a pubkey: %w", err)
 	}
 
-	any, err := types.NewAnyWithValue(pk)
+	an, err := types.NewAnyWithValue(pk)
 	if err != nil {
 		return fmt.Errorf("error converting to any type")
 	}
 
-	a.value = any
+	a.value = an
 
 	return nil
 }

client/v2/autocli/keyring/keyring.go

@@ -1,8 +1,6 @@
 package keyring
 
 import (
-	"context"
-
 	signingv1beta1 "cosmossdk.io/api/cosmos/tx/signing/v1beta1"
 
 	"github.com/cosmos/cosmos-sdk/crypto/types"
@@ -18,11 +16,6 @@ type KeyringImpl struct { //nolint:revive // stuttering is fine
 	k Keyring
 }
 
-// NewKeyringInContext returns a new context with the keyring set.
-func NewKeyringInContext(ctx context.Context, k Keyring) context.Context {
-	return context.WithValue(ctx, KeyringContextKey, NewKeyringImpl(k))
-}
-
 func NewKeyringImpl(k Keyring) *KeyringImpl {
 	return &KeyringImpl{k: k}
 }

client/v2/autocli/keyring/no_keyring.go

@@ -18,14 +18,14 @@ func (k NoKeyring) List() ([]string, error) {
 	return nil, errNoKeyring
 }
 
-func (k NoKeyring) LookupAddressByKeyName(name string) ([]byte, error) {
+func (k NoKeyring) LookupAddressByKeyName(_ string) ([]byte, error) {
 	return nil, errNoKeyring
 }
 
-func (k NoKeyring) GetPubKey(name string) (cryptotypes.PubKey, error) {
+func (k NoKeyring) GetPubKey(_ string) (cryptotypes.PubKey, error) {
 	return nil, errNoKeyring
 }
 
-func (k NoKeyring) Sign(name string, msg []byte, signMode signingv1beta1.SignMode) ([]byte, error) {
+func (k NoKeyring) Sign(_ string, _ []byte, _ signingv1beta1.SignMode) ([]byte, error) {
 	return nil, errNoKeyring
 }

client/v2/autocli/query.go

@@ -114,7 +114,7 @@ func (b *Builder) AddQueryServiceCommands(cmd *cobra.Command, cmdDescriptor *aut
 
 // BuildQueryMethodCommand creates a gRPC query command for the given service method. This can be used to auto-generate
 // just a single command for a single service rpc method.
-func (b *Builder) BuildQueryMethodCommand(ctx context.Context, descriptor protoreflect.MethodDescriptor, options *autocliv1.RpcCommandOptions) (*cobra.Command, error) {
+func (b *Builder) BuildQueryMethodCommand(_ context.Context, descriptor protoreflect.MethodDescriptor, options *autocliv1.RpcCommandOptions) (*cobra.Command, error) {
 	getClientConn := b.GetClientConn
 	serviceDescriptor := descriptor.Parent().(protoreflect.ServiceDescriptor)
 	methodName := fmt.Sprintf("/%s/%s", serviceDescriptor.FullName(), descriptor.Name())