linting (#89)

Author: unrolled

.golangci.yaml

@@ -2,4 +2,37 @@ run:
   timeout: 10m
 
 linters:
-  disable-all: false
+  enable-all: true
+  disable:
+    # Deprecated linters
+    - varcheck
+    - exhaustivestruct
+    - ifshort
+    - structcheck
+    - golint
+    - maligned
+    - interfacer
+    - nosnakecase
+    - deadcode
+    - scopelint
+    - rowserrcheck
+    - sqlclosecheck
+    - structcheck
+    - wastedassign
+    # Ignoring
+    - lll
+    - varnamelen
+    - paralleltest
+    - testpackage
+    - goerr113
+    - exhaustruct
+    - nestif
+    - funlen
+    - goconst
+    - nlreturn
+    - gochecknoglobals
+    - cyclop
+    - gocyclo
+    - gocognit
+    - maintidx
+    - contextcheck

csp.go

@@ -35,6 +35,7 @@ func withCSPNonce(r *http.Request, nonce string) *http.Request {
 
 func cspRandNonce() string {
 	var buf [cspNonceSize]byte
+
 	_, err := io.ReadFull(rand.Reader, buf[:])
 	if err != nil {
 		panic("CSP Nonce rand.Reader failed" + err.Error())

csp_test.go

@@ -1,6 +1,7 @@
 package secure
 
 import (
+	"context"
 	"encoding/base64"
 	"fmt"
 	"net/http"
@@ -22,15 +23,14 @@ func TestCSPNonce(t *testing.T) {
 	}{
 		{Options{ContentSecurityPolicy: csp}, []string{"Content-Security-Policy"}},
 		{Options{ContentSecurityPolicyReportOnly: csp}, []string{"Content-Security-Policy-Report-Only"}},
-		{Options{ContentSecurityPolicy: csp, ContentSecurityPolicyReportOnly: csp},
-			[]string{"Content-Security-Policy", "Content-Security-Policy-Report-Only"}},
+		{Options{ContentSecurityPolicy: csp, ContentSecurityPolicyReportOnly: csp}, []string{"Content-Security-Policy", "Content-Security-Policy-Report-Only"}},
 	}
 
 	for _, c := range cases {
 		s := New(c.options)
 
 		res := httptest.NewRecorder()
-		req, _ := http.NewRequest("GET", "/foo", nil)
+		req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/foo", nil)
 
 		s.Handler(cspHandler).ServeHTTP(res, req)
 
@@ -54,7 +54,7 @@ func TestCSPNonce(t *testing.T) {
 }
 
 func TestWithCSPNonce(t *testing.T) {
-	req, _ := http.NewRequest("GET", "/foo", nil)
+	req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/foo", nil)
 
 	nonce := "jdgKGHkbnd+/"
 

cspbuilder/builder.go

@@ -5,7 +5,7 @@ import (
 )
 
 const (
-	// Fetch Directives
+	// Fetch Directives.
 	ChildSrc      = "child-src"
 	ConnectSrc    = "connect-src"
 	DefaultSrc    = "default-src"
@@ -24,20 +24,20 @@ const (
 	StyleSrcElem  = "style-src-elem"
 	WorkerSrc     = "worker-src"
 
-	// Document Directives
+	// Document Directives.
 	BaseURI = "base-uri"
 	Sandbox = "sandbox"
 
-	// Navigation directives
+	// Navigation directives.
 	FormAction     = "form-action"
 	FrameAncestors = "frame-ancestors"
 	NavigateTo     = "navigate-to"
 
-	// Reporting directives
+	// Reporting directives.
 	ReportURI = "report-uri"
 	ReportTo  = "report-to"
 
-	// Other directives
+	// Other directives.
 	RequireTrustedTypesFor  = "require-trusted-types-for"
 	TrustedTypes            = "trusted-types"
 	UpgradeInsecureRequests = "upgrade-insecure-requests"
@@ -53,6 +53,7 @@ func (builder *Builder) MustBuild() string {
 	if err != nil {
 		panic(err)
 	}
+
 	return policy
 }
 

cspbuilder/directive_builder.go

@@ -11,6 +11,7 @@ func buildDirectiveSandbox(sb *strings.Builder, values []string) error {
 		sb.WriteString(Sandbox)
 		return nil
 	}
+
 	if len(values) > 1 {
 		return fmt.Errorf("too many values set for directive %s", Sandbox)
 	}
@@ -44,15 +45,13 @@ func buildDirectiveSandbox(sb *strings.Builder, values []string) error {
 	return nil
 }
 
-func buildDirectiveFrameAncestors(
-	sb *strings.Builder,
-	values []string,
-) error {
+func buildDirectiveFrameAncestors(sb *strings.Builder, values []string) error {
 	if len(values) == 0 {
 		return fmt.Errorf("no values set for directive %s", FrameAncestors)
 	}
 
 	sb.WriteString(FrameAncestors)
+
 	for _, val := range values {
 		if strings.HasPrefix(val, "'") && strings.HasSuffix(val, "'") {
 			switch val {
@@ -62,19 +61,19 @@ func buildDirectiveFrameAncestors(
 				return fmt.Errorf("unallowed value %s for directive %s", val, FrameAncestors)
 			}
 		}
+
 		sb.WriteString(" ")
 		sb.WriteString(val)
 	}
+
 	return nil
 }
 
-func buildDirectiveReportTo(
-	sb *strings.Builder,
-	values []string,
-) error {
+func buildDirectiveReportTo(sb *strings.Builder, values []string) error {
 	if len(values) == 0 {
 		return fmt.Errorf("no values set for directive %s", ReportTo)
 	}
+
 	if len(values) > 1 {
 		return fmt.Errorf("too many values set for directive %s", ReportTo)
 	}
@@ -86,10 +85,7 @@ func buildDirectiveReportTo(
 	return nil
 }
 
-func buildDirectiveRequireTrustedTypesFor(
-	sb *strings.Builder,
-	values []string,
-) error {
+func buildDirectiveRequireTrustedTypesFor(sb *strings.Builder, values []string) error {
 	const allowedValue = "'script'"
 	if len(values) != 1 || values[0] != allowedValue {
 		return fmt.Errorf("value for directive %s must be %s", RequireTrustedTypesFor, allowedValue)
@@ -102,14 +98,12 @@ func buildDirectiveRequireTrustedTypesFor(
 	return nil
 }
 
-func buildDirectiveTrustedTypes(
-	sb *strings.Builder,
-	values []string,
-) error {
+func buildDirectiveTrustedTypes(sb *strings.Builder, values []string) error {
 	sb.WriteString(TrustedTypes)
 
 	for _, val := range values {
 		sb.WriteString(" ")
+
 		switch val {
 		case "'none'":
 			if len(values) != 1 {
@@ -120,43 +114,40 @@ func buildDirectiveTrustedTypes(
 		case "*":
 			// nothing to do
 		default:
-			// value is policyname
+			// value is policy name
 			regex := regexp.MustCompile(`^[A-Za-z0-9\-#=_/@\.%]*$`)
 			if !regex.MatchString(val) {
 				return fmt.Errorf("unallowed value %s for directive %s", val, TrustedTypes)
 			}
 		}
+
 		sb.WriteString(val)
 	}
 
 	return nil
 }
 
-func buildDirectiveUpgradeInsecureRequests(
-	sb *strings.Builder,
-	values []string,
-) error {
+func buildDirectiveUpgradeInsecureRequests(sb *strings.Builder, values []string) error {
 	if len(values) != 0 {
 		return fmt.Errorf("directive %s must not contain values", UpgradeInsecureRequests)
 	}
 
 	sb.WriteString(UpgradeInsecureRequests)
+
 	return nil
 }
 
-func buildDirectiveDefault(
-	sb *strings.Builder,
-	directive string,
-	values []string,
-) error {
+func buildDirectiveDefault(sb *strings.Builder, directive string, values []string) error {
 	if len(values) == 0 {
 		return fmt.Errorf("no values set for directive %s", directive)
 	}
 
 	sb.WriteString(directive)
+
 	for i := range values {
 		sb.WriteString(" ")
 		sb.WriteString(values[i])
 	}
+
 	return nil
 }

secure.go

@@ -50,7 +50,7 @@ func defaultBadRequestHandler(w http.ResponseWriter, r *http.Request) {
 // Options is a struct for specifying configuration options for the secure.Secure middleware.
 type Options struct {
 	// If BrowserXssFilter is true, adds the X-XSS-Protection header with the value `1; mode=block`. Default is false.
-	BrowserXssFilter bool //nolint:stylecheck
+	BrowserXssFilter bool //nolint:stylecheck,revive
 	// If ContentTypeNosniff is true, adds the X-Content-Type-Options header with the value `nosniff`. Default is false.
 	ContentTypeNosniff bool
 	// If ForceSTSHeader is set to true, the STS header will be added even when the connection is HTTP. Default is false.
@@ -77,7 +77,7 @@ type Options struct {
 	// ContentSecurityPolicyReportOnly allows the Content-Security-Policy-Report-Only header value to be set with a custom value. Default is "".
 	ContentSecurityPolicyReportOnly string
 	// CustomBrowserXssValue allows the X-XSS-Protection header value to be set with a custom value. This overrides the BrowserXssFilter option. Default is "".
-	CustomBrowserXssValue string //nolint:stylecheck
+	CustomBrowserXssValue string //nolint:stylecheck,revive
 	// Passing a template string will replace `$NONCE` with a dynamic nonce value of 16 bytes for each request which can be later retrieved using the Nonce function.
 	// Eg: script-src $NONCE -> script-src 'nonce-a2ZobGFoZg=='
 	// CustomFrameOptionsValue allows the X-Frame-Options header value to be set with a custom value. This overrides the FrameDeny option. Default is "".
@@ -165,6 +165,7 @@ func New(options ...Options) *Secure {
 			if err != nil {
 				panic(fmt.Sprintf("Error parsing AllowedHost: %s", err))
 			}
+
 			s.cRegexAllowedHosts = append(s.cRegexAllowedHosts, regex)
 		}
 	}
@@ -211,8 +212,6 @@ func (s *Secure) HandlerForRequestOnly(h http.Handler) http.Handler {
 		// Let secure process the request. If it returns an error,
 		// that indicates the request should not continue.
 		responseHeader, r, err := s.processRequest(w, r)
-
-		// If there was an error, do not continue.
 		if err != nil {
 			return
 		}
@@ -299,6 +298,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 
 	// Resolve the host for the request, using proxy headers if present.
 	host := r.Host
+
 	for _, header := range s.opt.HostsProxyHeaders {
 		if h := r.Header.Get(header); h != "" {
 			host = h
@@ -309,6 +309,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 	// Allowed hosts check.
 	if len(s.opt.AllowedHosts) > 0 && !s.opt.IsDevelopment {
 		isGoodHost := false
+
 		if s.opt.AllowedHostsAreRegex {
 			for _, allowedHost := range s.cRegexAllowedHosts {
 				if match := allowedHost.MatchString(host); match {
@@ -324,6 +325,7 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 				}
 			}
 		}
+
 		if !isGoodHost {
 			s.badHostHandler.ServeHTTP(w, r)
 			return nil, nil, fmt.Errorf("bad host name: %s", host)
@@ -353,29 +355,33 @@ func (s *Secure) processRequest(w http.ResponseWriter, r *http.Request) (http.He
 		}
 
 		http.Redirect(w, r, url.String(), status)
+
 		return nil, nil, fmt.Errorf("redirecting to HTTPS")
 	}
 
 	if s.opt.SSLForceHost {
-		var SSLHost = host
+		tempSSLHost := host
+
 		if s.opt.SSLHostFunc != nil {
 			if h := (*s.opt.SSLHostFunc)(host); len(h) > 0 {
-				SSLHost = h
+				tempSSLHost = h
 			}
 		} else if len(s.opt.SSLHost) > 0 {
-			SSLHost = s.opt.SSLHost
+			tempSSLHost = s.opt.SSLHost
 		}
-		if SSLHost != host {
+
+		if tempSSLHost != host {
 			url := r.URL
 			url.Scheme = "https"
-			url.Host = SSLHost
+			url.Host = tempSSLHost
 
 			status := http.StatusMovedPermanently
 			if s.opt.SSLTemporaryRedirect {
 				status = http.StatusTemporaryRedirect
 			}
 
 			http.Redirect(w, r, url.String(), status)
+
 			return nil, nil, fmt.Errorf("redirecting to HTTPS")
 		}
 	}
@@ -485,6 +491,7 @@ func (s *Secure) isSSL(r *http.Request) bool {
 			}
 		}
 	}
+
 	return ssl
 }
 
@@ -507,12 +514,14 @@ func (s *Secure) ModifyResponseHeaders(res *http.Response) error {
 
 		responseHeader := res.Request.Context().Value(s.ctxSecureHeaderKey)
 		if responseHeader != nil {
-			for header, values := range responseHeader.(http.Header) {
+			headers, _ := responseHeader.(http.Header)
+			for header, values := range headers {
 				if len(values) > 0 {
 					res.Header.Set(header, strings.Join(values, ","))
 				}
 			}
 		}
 	}
+
 	return nil
 }