chore: Enable G301, G302 and G306 rules for gosec (influxdata#13022)

.golangci.yml

@@ -100,12 +100,23 @@ linters-settings:
       - G201
       - G202
       - G203
+      - G301
+      - G302
+      - G306
       - G401
       - G403
       - G501
       - G502
       - G503
       - G505
+    # To specify the configuration of rules.
+    config:
+      # Maximum allowed permissions mode for os.OpenFile and os.Chmod
+      # Default: "0600"
+      G302: "0640"
+      # Maximum allowed permissions mode for os.WriteFile and ioutil.WriteFile
+      # Default: "0600"
+      G306: "0640"
   lll:
     # Max line length, lines longer will be reported.
     # '\t' is counted as 1 character by default, and can be changed with the tab-width option.

cmd/telegraf/telegraf.go

@@ -347,7 +347,7 @@ func (t *Telegraf) runAgent(ctx context.Context, c *config.Config, reloadConfig
 	}
 
 	if t.pidFile != "" {
-		f, err := os.OpenFile(t.pidFile, os.O_CREATE|os.O_WRONLY, 0644)
+		f, err := os.OpenFile(t.pidFile, os.O_CREATE|os.O_WRONLY, 0640)
 		if err != nil {
 			log.Printf("E! Unable to create pidfile: %s", err)
 		} else {

internal/rotate/file_writer_test.go

@@ -6,7 +6,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
@@ -21,7 +20,7 @@ func TestFileWriter_NoRotation(t *testing.T) {
 	_, err = writer.Write([]byte("Hello World 2"))
 	require.NoError(t, err)
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 1, len(files))
+	require.Equal(t, 1, len(files))
 }
 
 func TestFileWriter_TimeRotation(t *testing.T) {
@@ -37,22 +36,22 @@ func TestFileWriter_TimeRotation(t *testing.T) {
 	_, err = writer.Write([]byte("Hello World 2"))
 	require.NoError(t, err)
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 2, len(files))
+	require.Equal(t, 2, len(files))
 }
 
 func TestFileWriter_ReopenTimeRotation(t *testing.T) {
 	tempDir := t.TempDir()
 	interval, _ := time.ParseDuration("10ms")
 	filePath := filepath.Join(tempDir, "test.log")
-	err := os.WriteFile(filePath, []byte("Hello World"), 0644)
+	err := os.WriteFile(filePath, []byte("Hello World"), 0640)
 	time.Sleep(interval)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	writer, err := NewFileWriter(filepath.Join(tempDir, "test.log"), interval, 0, -1)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, writer.Close()) })
 
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 2, len(files))
+	require.Equal(t, 2, len(files))
 }
 
 func TestFileWriter_SizeRotation(t *testing.T) {
@@ -67,23 +66,23 @@ func TestFileWriter_SizeRotation(t *testing.T) {
 	_, err = writer.Write([]byte("World 2"))
 	require.NoError(t, err)
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 2, len(files))
+	require.Equal(t, 2, len(files))
 }
 
 func TestFileWriter_ReopenSizeRotation(t *testing.T) {
 	tempDir := t.TempDir()
 	maxSize := int64(12)
 	filePath := filepath.Join(tempDir, "test.log")
-	err := os.WriteFile(filePath, []byte("Hello World"), 0644)
-	assert.NoError(t, err)
+	err := os.WriteFile(filePath, []byte("Hello World"), 0640)
+	require.NoError(t, err)
 	writer, err := NewFileWriter(filepath.Join(tempDir, "test.log"), 0, maxSize, -1)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, writer.Close()) })
 
 	_, err = writer.Write([]byte("Hello World Again"))
 	require.NoError(t, err)
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 2, len(files))
+	require.Equal(t, 2, len(files))
 }
 
 func TestFileWriter_DeleteArchives(t *testing.T) {
@@ -110,7 +109,7 @@ func TestFileWriter_DeleteArchives(t *testing.T) {
 	require.NoError(t, err)
 
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 3, len(files))
+	require.Equal(t, 3, len(files))
 
 	for _, tempFile := range files {
 		var bytes []byte
@@ -137,6 +136,6 @@ func TestFileWriter_CloseDoesNotRotate(t *testing.T) {
 	require.NoError(t, writer.Close())
 
 	files, _ := os.ReadDir(tempDir)
-	assert.Equal(t, 1, len(files))
-	assert.Regexp(t, "^test.log$", files[0].Name())
+	require.Equal(t, 1, len(files))
+	require.Regexp(t, "^test.log$", files[0].Name())
 }

logger/logger_test.go

@@ -93,7 +93,7 @@ func TestWriteToTruncatedFile(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, f[19:], []byte("Z I! TEST\n"))
 
-	tmpf, err := os.OpenFile(tmpfile.Name(), os.O_RDWR|os.O_TRUNC, 0644)
+	tmpf, err := os.OpenFile(tmpfile.Name(), os.O_RDWR|os.O_TRUNC, 0640)
 	require.NoError(t, err)
 	require.NoError(t, tmpf.Close())
 

plugins/inputs/bcache/bcache_test.go

@@ -6,8 +6,9 @@ import (
 	"os"
 	"testing"
 
-	"github.com/influxdata/telegraf/testutil"
 	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/testutil"
 )
 
 const (
@@ -30,13 +31,13 @@ var (
 )
 
 func TestBcacheGeneratesMetrics(t *testing.T) {
-	err := os.MkdirAll(testBcacheUUIDPath, 0755)
+	err := os.MkdirAll(testBcacheUUIDPath, 0750)
 	require.NoError(t, err)
 
-	err = os.MkdirAll(testBcacheDevPath, 0755)
+	err = os.MkdirAll(testBcacheDevPath, 0750)
 	require.NoError(t, err)
 
-	err = os.MkdirAll(testBcacheBackingDevPath+"/bcache", 0755)
+	err = os.MkdirAll(testBcacheBackingDevPath+"/bcache", 0750)
 	require.NoError(t, err)
 
 	err = os.Symlink(testBcacheBackingDevPath+"/bcache", testBcacheUUIDPath+"/bdev0")
@@ -45,43 +46,34 @@ func TestBcacheGeneratesMetrics(t *testing.T) {
 	err = os.Symlink(testBcacheDevPath, testBcacheUUIDPath+"/bdev0/dev")
 	require.NoError(t, err)
 
-	err = os.MkdirAll(testBcacheUUIDPath+"/bdev0/stats_total", 0755)
+	err = os.MkdirAll(testBcacheUUIDPath+"/bdev0/stats_total", 0750)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/dirty_data",
-		[]byte(dirtyData), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/dirty_data", []byte(dirtyData), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/bypassed",
-		[]byte(bypassed), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/bypassed", []byte(bypassed), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_bypass_hits",
-		[]byte(cacheBypassHits), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_bypass_hits", []byte(cacheBypassHits), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_bypass_misses",
-		[]byte(cacheBypassMisses), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_bypass_misses", []byte(cacheBypassMisses), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_hit_ratio",
-		[]byte(cacheHitRatio), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_hit_ratio", []byte(cacheHitRatio), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_hits",
-		[]byte(cacheHits), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_hits", []byte(cacheHits), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_miss_collisions",
-		[]byte(cacheMissCollisions), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_miss_collisions", []byte(cacheMissCollisions), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_misses",
-		[]byte(cacheMisses), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_misses", []byte(cacheMisses), 0640)
 	require.NoError(t, err)
 
-	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_readaheads",
-		[]byte(cacheReadaheads), 0644)
+	err = os.WriteFile(testBcacheUUIDPath+"/bdev0/stats_total/cache_readaheads", []byte(cacheReadaheads), 0640)
 	require.NoError(t, err)
 
 	fields := map[string]interface{}{

plugins/inputs/ceph/ceph_test.go

@@ -192,7 +192,7 @@ func createTestFiles(dir string, st *SockTest) error {
 	writeFile := func(prefix string, i int) error {
 		f := sockFile(prefix, i)
 		fpath := filepath.Join(dir, f)
-		return os.WriteFile(fpath, []byte(""), 0644)
+		return os.WriteFile(fpath, []byte(""), 0640)
 	}
 	return tstFileApply(st, writeFile)
 }

plugins/inputs/conntrack/conntrack_test.go

@@ -50,7 +50,7 @@ func TestDefaultsUsed(t *testing.T) {
 	dfltFiles = []string{fname}
 
 	count := 1234321
-	require.NoError(t, os.WriteFile(tmpFile.Name(), []byte(strconv.Itoa(count)), 0660))
+	require.NoError(t, os.WriteFile(tmpFile.Name(), []byte(strconv.Itoa(count)), 0640))
 	c := &Conntrack{}
 	require.NoError(t, c.Init())
 	acc := &testutil.Accumulator{}
@@ -80,8 +80,8 @@ func TestConfigsUsed(t *testing.T) {
 
 	count := 1234321
 	max := 9999999
-	require.NoError(t, os.WriteFile(cntFile.Name(), []byte(strconv.Itoa(count)), 0660))
-	require.NoError(t, os.WriteFile(maxFile.Name(), []byte(strconv.Itoa(max)), 0660))
+	require.NoError(t, os.WriteFile(cntFile.Name(), []byte(strconv.Itoa(count)), 0640))
+	require.NoError(t, os.WriteFile(maxFile.Name(), []byte(strconv.Itoa(max)), 0640))
 	c := &Conntrack{}
 	require.NoError(t, c.Init())
 	acc := &testutil.Accumulator{}

plugins/inputs/directory_monitor/directory_monitor.go

@@ -398,7 +398,7 @@ func (monitor *DirectoryMonitor) Init() error {
 
 	// Finished directory can be created if not exists for convenience.
 	if _, err := os.Stat(monitor.FinishedDirectory); os.IsNotExist(err) {
-		err = os.Mkdir(monitor.FinishedDirectory, 0755)
+		err = os.Mkdir(monitor.FinishedDirectory, 0750)
 		if err != nil {
 			return err
 		}
@@ -410,7 +410,7 @@ func (monitor *DirectoryMonitor) Init() error {
 	// If an error directory should be used but has not been configured yet, create one ourselves.
 	if monitor.ErrorDirectory != "" {
 		if _, err := os.Stat(monitor.ErrorDirectory); os.IsNotExist(err) {
-			err := os.Mkdir(monitor.ErrorDirectory, 0755)
+			err := os.Mkdir(monitor.ErrorDirectory, 0750)
 			if err != nil {
 				return err
 			}

plugins/inputs/directory_monitor/directory_monitor_test.go

@@ -77,7 +77,7 @@ func TestCSVGZImport(t *testing.T) {
 	require.NoError(t, err)
 	err = w.Close()
 	require.NoError(t, err)
-	err = os.WriteFile(filepath.Join(processDirectory, testCsvGzFile), b.Bytes(), 0666)
+	err = os.WriteFile(filepath.Join(processDirectory, testCsvGzFile), b.Bytes(), 0640)
 	require.NoError(t, err)
 
 	// Start plugin before adding file.
@@ -148,7 +148,7 @@ func TestCSVGZImportWithHeader(t *testing.T) {
 	require.NoError(t, err)
 	err = w.Close()
 	require.NoError(t, err)
-	err = os.WriteFile(filepath.Join(processDirectory, testCsvGzFile), b.Bytes(), 0666)
+	err = os.WriteFile(filepath.Join(processDirectory, testCsvGzFile), b.Bytes(), 0640)
 	require.NoError(t, err)
 
 	// Start plugin before adding file.
@@ -577,7 +577,7 @@ func TestParseSubdirectories(t *testing.T) {
 	err = f.Close()
 	require.NoError(t, err)
 
-	// Write json file to process into a subdirectory in the the 'process' directory.
+	// Write json file to process into a subdirectory in the 'process' directory.
 	err = os.Mkdir(filepath.Join(processDirectory, "sub"), os.ModePerm)
 	require.NoError(t, err)
 	f, err = os.Create(filepath.Join(processDirectory, "sub", testJSONFile))

plugins/inputs/linux_cpu/linux_cpu_test.go

@@ -3,11 +3,12 @@
 package linux_cpu
 
 import (
-	"github.com/influxdata/telegraf/testutil"
 	"os"
 	"testing"
 
 	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/testutil"
 )
 
 func TestNoMetrics(t *testing.T) {
@@ -43,14 +44,14 @@ func TestGatherCPUFreq(t *testing.T) {
 	td := t.TempDir()
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu0/cpufreq", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("250\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("250\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0640))
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu1/cpufreq", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_cur_freq", []byte("123\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_min_freq", []byte("80\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_max_freq", []byte("230\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_cur_freq", []byte("123\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_min_freq", []byte("80\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu1/cpufreq/scaling_max_freq", []byte("230\n"), 0640))
 
 	plugin := &LinuxCPU{
 		Log:       testutil.Logger{Name: "LinuxCPUPluginTest"},
@@ -91,9 +92,9 @@ func TestGatherThermal(t *testing.T) {
 	td := t.TempDir()
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu0/thermal_throttle", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_count", []byte("250\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_max_time_ms", []byte("100\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_total_time_ms", []byte("255\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_count", []byte("250\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_max_time_ms", []byte("100\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/thermal_throttle/core_throttle_total_time_ms", []byte("255\n"), 0640))
 
 	plugin := &LinuxCPU{
 		Log:       testutil.Logger{Name: "LinuxCPUPluginTest"},
@@ -117,9 +118,9 @@ func TestGatherPropertyRemoved(t *testing.T) {
 	td := t.TempDir()
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu0/cpufreq", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("250\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("250\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0640))
 
 	plugin := &LinuxCPU{
 		Log:       testutil.Logger{Name: "LinuxCPUPluginTest"},
@@ -153,9 +154,9 @@ func TestGatherPropertyInvalid(t *testing.T) {
 	td := t.TempDir()
 
 	require.NoError(t, os.MkdirAll(td+"/devices/system/cpu/cpu0/cpufreq", os.ModePerm))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("ABC\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq", []byte("ABC\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_min_freq", []byte("100\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/devices/system/cpu/cpu0/cpufreq/scaling_max_freq", []byte("255\n"), 0640))
 
 	plugin := &LinuxCPU{
 		Log:       testutil.Logger{Name: "LinuxCPUPluginTest"},

plugins/inputs/linux_sysctl_fs/linux_sysctl_fs_test.go

@@ -4,19 +4,20 @@ import (
 	"os"
 	"testing"
 
-	"github.com/influxdata/telegraf/testutil"
 	"github.com/stretchr/testify/require"
+
+	"github.com/influxdata/telegraf/testutil"
 )
 
 func TestSysctlFSGather(t *testing.T) {
 	td := t.TempDir()
 
-	require.NoError(t, os.WriteFile(td+"/aio-nr", []byte("100\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/aio-max-nr", []byte("101\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/super-nr", []byte("102\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/super-max", []byte("103\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/file-nr", []byte("104\t0\t106\n"), 0644))
-	require.NoError(t, os.WriteFile(td+"/inode-state", []byte("107\t108\t109\t0\t0\t0\t0\n"), 0644))
+	require.NoError(t, os.WriteFile(td+"/aio-nr", []byte("100\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/aio-max-nr", []byte("101\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/super-nr", []byte("102\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/super-max", []byte("103\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/file-nr", []byte("104\t0\t106\n"), 0640))
+	require.NoError(t, os.WriteFile(td+"/inode-state", []byte("107\t108\t109\t0\t0\t0\t0\n"), 0640))
 
 	sfs := &SysctlFS{
 		path: td,

plugins/inputs/logparser/logparser_test.go

@@ -141,7 +141,7 @@ func TestGrokParseLogFilesAppearLater(t *testing.T) {
 	input, err := os.ReadFile(filepath.Join(testdataDir, "test_a.log"))
 	require.NoError(t, err)
 
-	err = os.WriteFile(filepath.Join(emptydir, "test_a.log"), input, 0644)
+	err = os.WriteFile(filepath.Join(emptydir, "test_a.log"), input, 0640)
 	require.NoError(t, err)
 
 	require.NoError(t, acc.GatherError(logparser.Gather))