caarlos0 / go-gumroad

Easily check licenses against Gumroad's API.
https://pkg.go.dev/github.com/caarlos0/go-gumroad
MIT License

HTTPS hardening #1

Closed MrGossett closed 2 years ago

MrGossett commented 2 years ago

in 6a7108d0: parallelize tests

- ok   github.com/caarlos0/go-gumroad 0.889s
+ ok   github.com/caarlos0/go-gumroad 0.284s

also, correct a typo: "expacted" -> "expected"

in 1ca932ca: add generate_cert.go and generated testdata/*.pem

generate_cert.go was copied from stdlib's src/crypto/tls/generate_cert.go and modified so that it can generate both self-signed certificates and certificates signed by a parent.

generate_cert.go was run (go run generate_cert.go) with -host 127.0.0.1,::1 so that certificates are valid for the IPv4 and IPv6 localhost addresses.

A self-signed CA certificate was generated with the additional flags -ca self -duration 87600h -rsa-bits 4096 -out testdata/ca.pem, specifying a self-signed certificate valid for 10 years, using a 4096-bit RSA keypair, written to testdata/ca.pem.

A leaf certificate was generated with the additional flags -ca testdata/ca.pem -ecdsa-curve P256 -out testdata/mitm.pem specifying a server certificate signed by the CA certificate in testdata/ca.pem, using the NIST P-256 elliptic curve for an ECDSA keypair, and writing the certificate to testdata/mitm.pem.

in ace36030: http.DefaultClient -> gumroad.client

doCheck called http.PostForm, which delegates to http.DefaultClient, a generic HTTP client that has no specific security hardening. Instead, a package-local *http.Client is provided, using a new package-local transport as its http.RoundTripper. transport mimics http.DefaultTransport, except that transport.TLSClientConfig is a custom *tls.Config with an explicit certificate pool. The certificate pool is captured in certPool, which contains the system certificate root trust ring available at build time.

TestMITM is added in main_test.go to validate intended behavior.
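The hardening described in this comment (a package-local client whose transport copies http.DefaultTransport but carries a tls.Config with an explicit root pool, plus a test that a certificate outside that pool is rejected), as an added Go example that is not part of this PR or of go-gumroad. It uses httptest's built-in certificate in place of the PR's testdata/*.pem files, and the /verify path and JSON reply are constructed stand-ins for the license API.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newClient mirrors http.DefaultTransport but verifies servers against pool only.
func newClient(pool *x509.CertPool) *http.Client {
	transport := &http.Transport{
		Proxy:                 http.ProxyFromEnvironment,
		DialContext:           (&net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second}).DialContext,
		ForceAttemptHTTP2:     true,
		MaxIdleConns:          100,
		IdleConnTimeout:       90 * time.Second,
		TLSHandshakeTimeout:   10 * time.Second,
		ExpectContinueTimeout: 1 * time.Second,
		TLSClientConfig:       &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}
	return &http.Client{Transport: transport, Timeout: 15 * time.Second}
}

// tryPost posts to a TLS test server (httptest's own certificate stands in for an
// unexpected one). pinServer=false: the pool is empty, so the handshake must fail with
// x509.UnknownAuthorityError. pinServer=true: the server cert is pinned, so it must succeed.
func tryPost(pinServer bool) (bool, error) {
	// Constructed stand-in for the license API: always replies with a success document.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, `{"success":true}`) }))
	defer srv.Close()
	pool := x509.NewCertPool()
	if pinServer {
		pool.AddCert(srv.Certificate())
	}
	resp, err := newClient(pool).PostForm(srv.URL+"/verify", nil)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		if errors.As(err, &unknownCA) {
			return false, nil // rejected by certificate verification, as intended
		}
		return false, err // any other failure is unexpected
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}
```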

gitguardian[bot] commented 2 years ago

⚠️ GitGuardian has uncovered 2 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request
| GitGuardian id | Secret | Commit | Filename | |
| -------------- | ------------------------- | ---------------- | --------------- | -------------------- |
| [-](https://dashboard.gitguardian.com/incidents/secrets) | Generic Private Key | 1ca932cab0a170a0e2b5b70481bd4d6cf81a87af | testdata/ca.pem | [View secret](https://github.com/caarlos0/go-gumroad/commit/1ca932cab0a170a0e2b5b70481bd4d6cf81a87af#diff-811697ce4e761746dc467e6bfd0c9938L31) |
| [-](https://dashboard.gitguardian.com/incidents/secrets) | Generic Private Key | 1ca932cab0a170a0e2b5b70481bd4d6cf81a87af | testdata/mitm.pem | [View secret](https://github.com/caarlos0/go-gumroad/commit/1ca932cab0a170a0e2b5b70481bd4d6cf81a87af#diff-85b3f95dde7dfa99aa984ff5af78fa7fL21) |
🛠 Guidelines to remediate hardcoded secrets
1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. [Learn here](https://blog.gitguardian.com/secrets-api-management?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment) the best practices.
3. Revoke and [rotate these secrets](https://docs.gitguardian.com/secrets-detection/detectors/specifics/private_key_generic#revoke-the-secret?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment).
4. If possible, [rewrite git history](https://blog.gitguardian.com/rewriting-git-history-cheatsheet?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment). Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider
- following these [best practices](https://blog.gitguardian.com/secrets-api-management/?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment) for managing and storing secrets including API keys and other credentials
- installing [secret detection on pre-commit](https://docs.gitguardian.com/internal-repositories-monitoring/integrations/git_hooks/pre_commit?utm_source=product&utm_medium=GitHub_checks&utm_campaign=check_run_comment) to catch secrets before they leave your machine and ease remediation.

🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.


MrGossett commented 2 years ago

Perhaps GitGuardian should be deactivated for testdata/mitm.pem and testdata/ca.pem.

caarlos0 commented 2 years ago

thanks for the PR @MrGossett , LGTM :)