fix: address cosmos-gosec lint issues

.github/workflows/sast-linters.yml

@@ -56,9 +56,10 @@ jobs:
       #   uses:  ./.github/actions/install-dependencies
 
       - name: Run Cosmos Gosec Security Scanner
-        uses: cosmos/gosec@master
-        with:
-          args: './... -include=G701,G703,G704' # Disabled G702 as it doesn't seem to be relevant 2023-09-14
+        run: make lint-cosmos-gosec
+#        uses: cosmos/gosec@master
+#        with:
+#          args: '-include=G701,G703,G704 ./...' # Disabled G702 as it doesn't seem to be relevant 2023-09-14
 
 
   git-guardian:

Makefile

@@ -152,6 +152,9 @@ lint-pre:
 lint: lint-pre
 	@golangci-lint run
 
+lint-cosmos-gosec:
+	@bash ./scripts/cosmos-gosec.sh
+
 proto:
 	@echo "--> Removing old Go types "
 	@find . -name '*.pb.go' -type f -delete

app/ante/ante.go

@@ -120,7 +120,10 @@ func NewAnteHandler(options ethante.HandlerOptions) (sdk.AnteHandler, error) {
 
 func Recover(logger tmlog.Logger, err *error) {
 	if r := recover(); r != nil {
-		*err = errorsmod.Wrapf(errortypes.ErrPanic, "%v", r)
+		if err != nil {
+			// #nosec G703 err is checked non-nil above
+			*err = errorsmod.Wrapf(errortypes.ErrPanic, "%v", r)
+		}
 
 		if e, ok := r.(error); ok {
 			logger.Error(

app/export.go

@@ -111,14 +111,23 @@ func (app *App) prepForZeroHeightGenesis(ctx sdk.Context, jailAllowedAddrs []str
 		feePool.CommunityPool = feePool.CommunityPool.Add(scraps...)
 		app.DistrKeeper.SetFeePool(ctx, feePool)
 
-		_ = app.DistrKeeper.Hooks().AfterValidatorCreated(ctx, val.GetOperator())
+		err := app.DistrKeeper.Hooks().AfterValidatorCreated(ctx, val.GetOperator())
+		if err != nil {
+			panic(err)
+		}
 		return false
 	})
 
 	// reinitialize all delegations
 	for _, del := range dels {
-		_ = app.DistrKeeper.Hooks().BeforeDelegationCreated(ctx, del.GetDelegatorAddr(), del.GetValidatorAddr())
-		_ = app.DistrKeeper.Hooks().AfterDelegationModified(ctx, del.GetDelegatorAddr(), del.GetValidatorAddr())
+		err := app.DistrKeeper.Hooks().BeforeDelegationCreated(ctx, del.GetDelegatorAddr(), del.GetValidatorAddr())
+		if err != nil {
+			panic(err)
+		}
+		err = app.DistrKeeper.Hooks().AfterDelegationModified(ctx, del.GetDelegatorAddr(), del.GetValidatorAddr())
+		if err != nil {
+			panic(err)
+		}
 	}
 
 	// reset context height

cmd/zetaclientd/init.go

@@ -56,7 +56,10 @@ func init() {
 }
 
 func Initialize(_ *cobra.Command, _ []string) error {
-	setHomeDir()
+	err := setHomeDir()
+	if err != nil {
+		return err
+	}
 
 	//Create new config struct
 	configData := config.New()

cmd/zetaclientd/p2p_diagnostics.go

@@ -124,7 +124,11 @@ func RunDiagnostics(startLogger zerolog.Logger, peers p2p.AddrList, bridgePk cry
 
 	var wg sync.WaitGroup
 	for _, peerAddr := range peers {
-		peerinfo, _ := peer.AddrInfoFromP2pAddr(peerAddr)
+		peerinfo, err := peer.AddrInfoFromP2pAddr(peerAddr)
+		if err != nil {
+			startLogger.Error().Err(err).Msgf("fail to parse peer address %s", peerAddr)
+			continue
+		}
 		wg.Add(1)
 		go func() {
 			defer wg.Done()

cmd/zetaclientd/root.go

@@ -15,6 +15,8 @@ type rootArguments struct {
 	zetaCoreHome string
 }
 
-func setHomeDir() {
-	rootArgs.zetaCoreHome, _ = RootCmd.Flags().GetString(tmcli.HomeFlag)
+func setHomeDir() error {
+	var err error
+	rootArgs.zetaCoreHome, err = RootCmd.Flags().GetString(tmcli.HomeFlag)
+	return err
 }

cmd/zetaclientd/start.go

@@ -39,8 +39,13 @@ func init() {
 }
 
 func start(_ *cobra.Command, _ []string) error {
-	setHomeDir()
+	err := setHomeDir()
+	if err != nil {
+		return err
+	}
+
 	SetupConfigForTest()
+
 	//Load Config file given path
 	cfg, err := config.Load(rootArgs.zetaCoreHome)
 	if err != nil {
@@ -213,7 +218,11 @@ func start(_ *cobra.Command, _ []string) error {
 		return err
 	}
 
-	userDir, _ := os.UserHomeDir()
+	userDir, err := os.UserHomeDir()
+	if err != nil {
+		log.Error().Err(err).Msg("os.UserHomeDir")
+		return err
+	}
 	dbpath := filepath.Join(userDir, ".zetaclient/chainobserver")
 
 	// CreateChainClientMap : This creates a map of all chain clients . Each chain client is responsible for listening to events on the chain and processing them

cmd/zetacore_utils/main.go

@@ -34,14 +34,23 @@ type TokenDistribution struct {
 }
 
 func main() {
-	file, _ := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "address-list.json"))
+	file, err := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "address-list.json"))
+	if err != nil {
+		panic(err)
+	}
 	addresses, err := readLines(file)
 	if err != nil {
 		panic(err)
 	}
 	addresses = removeDuplicates(addresses)
-	fileS, _ := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "successful_address.json"))
-	fileF, _ := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "failed_address.json"))
+	fileS, err := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "successful_address.json"))
+	if err != nil {
+		panic(err)
+	}
+	fileF, err := filepath.Abs(filepath.Join("cmd", "zetacore_utils", "failed_address.json"))
+	if err != nil {
+		panic(err)
+	}
 
 	distributionList := make([]TokenDistribution, len(addresses))
 	for i, address := range addresses {
@@ -111,11 +120,22 @@ func main() {
 			failedDistributions = append(failedDistributions, distribution)
 		}
 	}
-	successFile, _ := json.MarshalIndent(successfullDistributions, "", " ")
-	_ = os.WriteFile(fileS, successFile, 0600)
-	failedFile, _ := json.MarshalIndent(failedDistributions, "", " ")
-	_ = os.WriteFile(fileF, failedFile, 0600)
-
+	successFile, err := json.MarshalIndent(successfullDistributions, "", " ")
+	if err != nil {
+		panic(err)
+	}
+	err = os.WriteFile(fileS, successFile, 0600)
+	if err != nil {
+		panic(err)
+	}
+	failedFile, err := json.MarshalIndent(failedDistributions, "", " ")
+	if err != nil {
+		panic(err)
+	}
+	err = os.WriteFile(fileF, failedFile, 0600)
+	if err != nil {
+		panic(err)
+	}
 }
 
 func readLines(path string) ([]string, error) {

cmd/zetacored/collect_observer_info.go

@@ -46,8 +46,14 @@ func CollectObserverInfoCmd() *cobra.Command {
 				}
 				observerInfoList = append(observerInfoList, observerInfo)
 			}
-			file, _ := json.MarshalIndent(observerInfoList, "", " ")
-			_ = os.WriteFile("observer_info.json", file, 0600)
+			file, err := json.MarshalIndent(observerInfoList, "", " ")
+			if err != nil {
+				return err
+			}
+			err = os.WriteFile("observer_info.json", file, 0600)
+			if err != nil {
+				return err
+			}
 			return nil
 		},
 	}

cmd/zetacored/parsers.go

@@ -20,7 +20,10 @@ type ObserverInfoReader struct {
 }
 
 func (o ObserverInfoReader) String() string {
-	s, _ := json.MarshalIndent(o, "", "\t")
+	s, err := json.MarshalIndent(o, "", "\t")
+	if err != nil {
+		return ""
+	}
 	return string(s)
 }
 

common/ethereum/proof.go

@@ -103,7 +103,11 @@ func (m *Proof) Get(key []byte) ([]byte, error) {
 // Typically, the rootHash is from a trusted source (e.g. a trusted block header),
 // and the key is the index of the transaction in the block.
 func (m *Proof) Verify(rootHash common.Hash, key int) ([]byte, error) {
+	if key < 0 {
+		return nil, errors.New("key not found")
+	}
 	var indexBuf []byte
+	// #nosec G701 range is valid
 	indexBuf = rlp.AppendUint64(indexBuf[:0], uint64(key))
 	return trie.VerifyProof(rootHash, indexBuf, m)
 }
@@ -126,7 +130,11 @@ func encodeForDerive(list types.DerivableList, i int, buf *bytes.Buffer) []byte
 }
 
 func (t *Trie) GenerateProof(txIndex int) (*Proof, error) {
+	if txIndex < 0 {
+		return nil, errors.New("transaction index out of range")
+	}
 	var indexBuf []byte
+	// #nosec G701 checked as non-negative
 	indexBuf = rlp.AppendUint64(indexBuf[:0], uint64(txIndex))
 	proof := NewProof()
 	err := t.Prove(indexBuf, 0, proof)
@@ -150,6 +158,7 @@ func NewTrie(list types.DerivableList) Trie {
 	// order is correct.
 	var indexBuf []byte
 	for i := 1; i < list.Len() && i <= 0x7f; i++ {
+		// #nosec G701 iterator
 		indexBuf = rlp.AppendUint64(indexBuf[:0], uint64(i))
 		value := encodeForDerive(list, i, valueBuf)
 		hasher.Update(indexBuf, value)
@@ -160,6 +169,7 @@ func NewTrie(list types.DerivableList) Trie {
 		hasher.Update(indexBuf, value)
 	}
 	for i := 0x80; i < list.Len(); i++ {
+		// #nosec G701 iterator
 		indexBuf = rlp.AppendUint64(indexBuf[:0], uint64(i))
 		value := encodeForDerive(list, i, valueBuf)
 		hasher.Update(indexBuf, value)

contrib/localnet/orchestrator/smoketest/test_deposit_eth.go

@@ -6,11 +6,12 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/zeta-chain/zetacore/common/ethereum"
-	observertypes "github.com/zeta-chain/zetacore/x/observer/types"
 	"math/big"
 	"time"
 
+	"github.com/zeta-chain/zetacore/common/ethereum"
+	observertypes "github.com/zeta-chain/zetacore/x/observer/types"
+
 	"github.com/ethereum/go-ethereum/accounts/abi/bind"
 	ethcommon "github.com/ethereum/go-ethereum/common"
 	ethtypes "github.com/ethereum/go-ethereum/core/types"

contrib/localnet/orchestrator/smoketest/utils.go

@@ -8,11 +8,12 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
-	rpchttp "github.com/tendermint/tendermint/rpc/client/http"
-	coretypes "github.com/tendermint/tendermint/rpc/core/types"
 	"sync"
 	"time"
 
+	rpchttp "github.com/tendermint/tendermint/rpc/client/http"
+	coretypes "github.com/tendermint/tendermint/rpc/core/types"
+
 	"github.com/ethereum/go-ethereum"
 
 	"github.com/btcsuite/btcd/chaincfg"

contrib/rpctest/main.go

@@ -51,10 +51,15 @@ func main() {
 	fmt.Printf("Start testing the zEVM ETH JSON-RPC for all txs...\n")
 	fmt.Printf("Test1: simple gas voter tx\n")
 
-	bn, err := strconv.Atoi(os.Args[1])
+	bn, err := strconv.ParseInt(os.Args[1], 10, 64)
 	if err != nil {
 		panic(err)
 	}
+	if bn < 0 {
+		panic("Block number must be non-negative")
+	}
+	// #nosec G701 check as positive
+	bnUint64 := uint64(bn)
 
 	if false {
 		// THIS WOULD NOT WORK: see https://github.com/zeta-chain/zeta-node/pull/445
@@ -64,7 +69,7 @@ func main() {
 			panic(err)
 		}
 
-		block, err := zevmClient.BlockByNumber(context.Background(), big.NewInt(int64(bn)))
+		block, err := zevmClient.BlockByNumber(context.Background(), big.NewInt(bn))
 		if err != nil {
 			panic(err)
 		}
@@ -76,7 +81,7 @@ func main() {
 		Endpoint:   "http://localhost:8545",
 		HTTPClient: &http.Client{},
 	}
-	resp := client.EthGetBlockByNumber(uint64(bn), false)
+	resp := client.EthGetBlockByNumber(bnUint64, false)
 	var jsonObject map[string]interface{}
 	if resp.Error != nil {
 		fmt.Printf("Error: %s (code %d)\n", resp.Error.Message, resp.Error.Code)
@@ -118,7 +123,7 @@ func main() {
 	// HeaderByHash works; BlockByHash does not work;
 	// main offending RPC is the transaction type; we have custom type id 56
 	// which is not recognized by the go-ethereum client.
-	blockHeader, err := zevmClient.HeaderByNumber(context.Background(), big.NewInt(int64(bn)))
+	blockHeader, err := zevmClient.HeaderByNumber(context.Background(), big.NewInt(bn))
 	if err != nil {
 		panic(err)
 	}
@@ -209,9 +214,9 @@ func main() {
 		panic(err)
 	}
 	fmt.Printf("Gas price: %s\n", gas.String())
-	toBlock := uint64(bn)
+	toBlock := bnUint64
 	gasPriceIter, err := sys.FilterSetGasPrice(&bind.FilterOpts{
-		Start: uint64(bn),
+		Start: bnUint64,
 		End:   &toBlock,
 	})
 	if err != nil {

rpc/backend/account_info.go

@@ -77,6 +77,7 @@ func (b *Backend) GetProof(address common.Address, storageKeys []string, blockNr
 			return nil, fmt.Errorf("not able to query block number greater than MaxInt64")
 		}
 
+		// #nosec G701 range checked
 		height = int64(bn)
 	}
 
@@ -194,8 +195,13 @@ func (b *Backend) GetTransactionCount(address common.Address, blockNum rpctypes.
 	if err != nil {
 		return &n, err
 	}
+	if bn > math.MaxInt64 {
+		return nil, fmt.Errorf("not able to query block number greater than MaxInt64")
+	}
 	height := blockNum.Int64()
+	// #nosec G701 range checked
 	currentHeight := int64(bn)
+
 	if height > currentHeight {
 		return &n, errorsmod.Wrapf(
 			sdkerrors.ErrInvalidHeight,