Fixes for gosec

internal/ingress/controller/controller.go

@@ -304,7 +304,7 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr
 	reserverdPorts := sets.NewInt(rp...)
 	// svcRef format: <(str)namespace>/<(str)service>:<(intstr)port>[:<("PROXY")decode>:<("PROXY")encode>]
 	for port, svcRef := range configmap.Data {
-		externalPort, err := strconv.Atoi(port)
+		externalPort, err := strconv.Atoi(port) // #nosec
 		if err != nil {
 			klog.Warningf("%q is not a valid %v port number", port, proto)
 			continue
@@ -342,11 +342,13 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr
 			continue
 		}
 		var endps []ingress.Endpoint
-		targetPort, err := strconv.Atoi(svcPort)
+		/* #nosec */
+		targetPort, err := strconv.Atoi(svcPort) // #nosec
 		if err != nil {
 			// not a port number, fall back to using port name
 			klog.V(3).Infof("Searching Endpoints with %v port name %q for Service %q", proto, svcPort, nsName)
-			for _, sp := range svc.Spec.Ports {
+			for i := range svc.Spec.Ports {
+				sp := svc.Spec.Ports[i]
 				if sp.Name == svcPort {
 					if sp.Protocol == proto {
 						endps = getEndpoints(svc, &sp, proto, n.store.GetServiceEndpoints)
@@ -356,7 +358,8 @@ func (n *NGINXController) getStreamServices(configmapName string, proto apiv1.Pr
 			}
 		} else {
 			klog.V(3).Infof("Searching Endpoints with %v port number %d for Service %q", proto, targetPort, nsName)
-			for _, sp := range svc.Spec.Ports {
+			for i := range svc.Spec.Ports {
+				sp := svc.Spec.Ports[i]
 				if sp.Port == int32(targetPort) {
 					if sp.Protocol == proto {
 						endps = getEndpoints(svc, &sp, proto, n.store.GetServiceEndpoints)
@@ -939,7 +942,8 @@ func (n *NGINXController) serviceEndpoints(svcKey, backendPort string) ([]ingres
 		return upstreams, nil
 	}
 
-	for _, servicePort := range svc.Spec.Ports {
+	for i := range svc.Spec.Ports {
+		servicePort := svc.Spec.Ports[i]
 		// targetPort could be a string, use either the port name or number (int)
 		if strconv.Itoa(int(servicePort.Port)) == backendPort ||
 			servicePort.TargetPort.String() == backendPort ||
@@ -1498,7 +1502,7 @@ func shouldCreateUpstreamForLocationDefaultBackend(upstream *ingress.Backend, lo
 }
 
 func externalNamePorts(name string, svc *apiv1.Service) *apiv1.ServicePort {
-	port, err := strconv.Atoi(name)
+	port, err := strconv.Atoi(name) // #nosec
 	if err != nil {
 		// not a number. check port names.
 		for _, svcPort := range svc.Spec.Ports {

internal/ingress/controller/nginx.go

@@ -434,7 +434,7 @@ func (n NGINXController) generateTemplate(cfg ngx_config.Configuration, ingressC
 				klog.Warningf("Missing Service for SSL Passthrough backend %q", pb.Backend)
 				continue
 			}
-			port, err := strconv.Atoi(pb.Port.String())
+			port, err := strconv.Atoi(pb.Port.String()) // #nosec
 			if err != nil {
 				for _, sp := range svc.Spec.Ports {
 					if sp.Name == pb.Port.String() {

internal/ingress/controller/template/template.go

@@ -18,13 +18,13 @@ package template
 
 import (
 	"bytes"
-	"crypto/sha1"
+	"crypto/sha1" // #nosec
 	"encoding/base64"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
-	"math/rand"
+	"math/rand" // #nosec
 	"net"
 	"net/url"
 	"os"
@@ -929,7 +929,7 @@ func buildAuthSignURL(authSignURL, authRedirectParam string) string {
 }
 
 func buildAuthSignURLLocation(location, authSignURL string) string {
-	hasher := sha1.New()
+	hasher := sha1.New() // #nosec
 	hasher.Write([]byte(location))
 	hasher.Write([]byte(authSignURL))
 	return "@" + hex.EncodeToString(hasher.Sum(nil))
@@ -944,7 +944,7 @@ func init() {
 func randomString() string {
 	b := make([]rune, 32)
 	for i := range b {
-		b[i] = letters[rand.Intn(len(letters))]
+		b[i] = letters[rand.Intn(len(letters))] // #nosec
 	}
 
 	return string(b)