From 92dda0d55a82f1ad180205e716c67f7c890448ff Mon Sep 17 00:00:00 2001 From: William Elwood Date: Wed, 10 Jun 2020 12:10:51 +0100 Subject: [PATCH 1/5] Fix unit tests on Win10 (attempt 2) Thanks to @lifenjoiner for testing! Windows 10 behaves even more unexpectedly. After it parses the "ip:port" string as a hostname, it attempts to upgrade from http to https by appending `:443` and parsing that new URL again. This seems to happen concurrently with the doomed DNS lookup and we see the error from whichever fails first. --- dnscrypt-proxy/sources_test.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/dnscrypt-proxy/sources_test.go b/dnscrypt-proxy/sources_test.go index 0c9847ad..98b953d9 100644 --- a/dnscrypt-proxy/sources_test.go +++ b/dnscrypt-proxy/sources_test.go @@ -308,8 +308,9 @@ func prepSourceTestDownload(t *testing.T, d *SourceTestData, e *SourceTestExpect case TestStateReadErr, TestStateReadSigErr: e.err = "unexpected EOF" case TestStateOpenErr, TestStateOpenSigErr: - path = "00000" + path // high numeric port is parsed but then fails to connect - e.err = "invalid port|no such host" + path = "00000" + path // high numeric port should be parsed but then fail to connect + // Win10 treats an invalid port as part of the hostname, then tries DNS lookup and magic http->https upgrades simultaneously + e.err = "invalid port|no such host|too many colons in address" case TestStatePathErr: path = "..." + path // non-numeric port fails URL parsing } From f4d519092b4050a42fa3ec6060461dc1ac47f3eb Mon Sep 17 00:00:00 2001 From: Frank Denis <124872+jedisct1@users.noreply.github.com> Date: Wed, 10 Jun 2020 20:24:41 +0200 Subject: [PATCH 2/5] sources_test: set bit 16 of the port instead of adding zeros (#1358) Ok @welwood08 --- dnscrypt-proxy/sources_test.go | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/dnscrypt-proxy/sources_test.go b/dnscrypt-proxy/sources_test.go index 98b953d9..8e738b6f 100644 --- a/dnscrypt-proxy/sources_test.go +++ b/dnscrypt-proxy/sources_test.go @@ -2,6 +2,7 @@ package main import ( "bytes" + "fmt" "io/ioutil" "net/http" "net/http/httptest" @@ -300,6 +301,7 @@ func prepSourceTestDownload(t *testing.T, d *SourceTestData, e *SourceTestExpect } for _, state := range downloadTest { path := "/" + strconv.FormatUint(uint64(state), 10) + "/" + source + serverURL := d.server.URL switch state { case TestStateMissing, TestStateMissingSig: e.err = "404 Not Found" @@ -308,16 +310,20 @@ func prepSourceTestDownload(t *testing.T, d *SourceTestData, e *SourceTestExpect case TestStateReadErr, TestStateReadSigErr: e.err = "unexpected EOF" case TestStateOpenErr, TestStateOpenSigErr: - path = "00000" + path // high numeric port should be parsed but then fail to connect + if u, err := url.Parse(serverURL + path); err == nil { + host, port := ExtractHostAndPort(u.Host, -1) + u.Host = fmt.Sprintf("%s:%d", host, port|0x10000) + serverURL = u.String() + } // Win10 treats an invalid port as part of the hostname, then tries DNS lookup and magic http->https upgrades simultaneously e.err = "invalid port|no such host|too many colons in address" case TestStatePathErr: path = "..." + path // non-numeric port fails URL parsing } - if u, err := url.Parse(d.server.URL + path); err == nil { + if u, err := url.Parse(serverURL + path); err == nil { e.Source.urls = append(e.Source.urls, u) } - e.urls = append(e.urls, d.server.URL+path) + e.urls = append(e.urls, serverURL+path) if e.success { continue } From 2018945fdf22d4f0586fe1031cd85f6ed37cfce9 Mon Sep 17 00:00:00 2001 From: William Elwood Date: Wed, 10 Jun 2020 19:43:32 +0100 Subject: [PATCH 3/5] Revert "Fix unit tests on Win10 (attempts 1 and 2)" This reverts commit 92dda0d55a82f1ad180205e716c67f7c890448ff. This reverts commit 5a1fdc8cd698e36979cfbe62c4d95893363864ee. --- dnscrypt-proxy/sources_test.go | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dnscrypt-proxy/sources_test.go b/dnscrypt-proxy/sources_test.go index 8e738b6f..7a8bd898 100644 --- a/dnscrypt-proxy/sources_test.go +++ b/dnscrypt-proxy/sources_test.go @@ -312,11 +312,10 @@ func prepSourceTestDownload(t *testing.T, d *SourceTestData, e *SourceTestExpect case TestStateOpenErr, TestStateOpenSigErr: if u, err := url.Parse(serverURL + path); err == nil { host, port := ExtractHostAndPort(u.Host, -1) - u.Host = fmt.Sprintf("%s:%d", host, port|0x10000) + u.Host = fmt.Sprintf("%s:%d", host, port|0x10000) // high numeric port is parsed but then fails to connect serverURL = u.String() } - // Win10 treats an invalid port as part of the hostname, then tries DNS lookup and magic http->https upgrades simultaneously - e.err = "invalid port|no such host|too many colons in address" + e.err = "invalid port" case TestStatePathErr: path = "..." + path // non-numeric port fails URL parsing } From 8a99b3ed939e571b9d5599066fca724bfc9a81b9 Mon Sep 17 00:00:00 2001 From: Frank Denis <124872+jedisct1@users.noreply.github.com> Date: Thu, 11 Jun 2020 10:53:45 +0200 Subject: [PATCH 4/5] Create codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 51 +++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 00000000..1540e3ca --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,51 @@ +name: "Code scanning - action" + +on: + push: + pull_request: + schedule: + - cron: '0 15 * * 0' + +jobs: + CodeQL-Build: + + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + with: + # We must fetch at least the immediate parents so that if this is + # a pull request then we can checkout the head. + fetch-depth: 2 + + # If this run was triggered by a pull request event, then checkout + # the head of the pull request instead of the merge commit. + - run: git checkout HEAD^2 + if: ${{ github.event_name == 'pull_request' }} + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + # Override language selection by uncommenting this and choosing your languages + # with: + # languages: go, javascript, csharp, python, cpp, java + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 From 0fd0a1a93993779c801e3c1a3d236fdb1c3f608d Mon Sep 17 00:00:00 2001 From: Frank Denis <124872+jedisct1@users.noreply.github.com> Date: Thu, 11 Jun 2020 10:55:08 +0200 Subject: [PATCH 5/5] Create shiftleft-analysis.yml --- .github/workflows/shiftleft-analysis.yml | 35 ++++++++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 .github/workflows/shiftleft-analysis.yml diff --git a/.github/workflows/shiftleft-analysis.yml b/.github/workflows/shiftleft-analysis.yml new file mode 100644 index 00000000..1be55534 --- /dev/null +++ b/.github/workflows/shiftleft-analysis.yml @@ -0,0 +1,35 @@ +# This workflow integrates ShiftLeft Scan with GitHub's code scanning feature +# ShiftLeft Scan is a free open-source security tool for modern DevOps teams +# Visit https://slscan.io/en/latest/integrations/github-actions/ for help +name: ShiftLeft Scan + +# This section configures the trigger for the workflow. Feel free to customize depending on your convention +on: push + +jobs: + Scan-Build: + # Scan runs on ubuntu, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v1 + # Instructions + # 1. Setup JDK, Node.js, Python etc depending on your project type + # 2. Compile or build the project before invoking scan + # Example: mvn compile, or npm install or pip install goes here + # 3. Invoke ShiftLeft Scan with the github token. Leave the workspace empty to use relative url + + - name: Perform ShiftLeft Scan + uses: ShiftLeftSecurity/scan-action@master + env: + WORKSPACE: "" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + output: reports + # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type + # type: credscan,java + # type: python + + - name: Upload report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: reports