Use safecast / eliminate most nolint:gosec (#976)

* Use safecast / eliminate most nolint:gosec

* circleci update of docker tag, pass codecov token

* bump for 1.66.4

.circleci/config.yml

@@ -23,7 +23,7 @@ jobs:
     <<: *defaultEnv
     steps:
       - setup_remote_docker:
-          version: 20.10.12
+          version: previous
       - checkout
       - run: make release-test
 # linters are now part of gochecks shared github action workflows (go checks)

.github/workflows/include.yml

@@ -15,6 +15,8 @@ jobs:
         uses: fortio/workflows/.github/workflows/gochecks.yml@main
     call-codecov:
         uses: fortio/workflows/.github/workflows/codecov.yml@main
+        secrets:
+            CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     call-codeql:
         uses: fortio/workflows/.github/workflows/codeql-analysis.yml@main
         permissions:

README.md

@@ -1,4 +1,4 @@
-<!-- 1.66.3 -->
+<!-- 1.66.4 -->
 # Fortio
 
 [![Awesome Go](https://fortio.org/mentioned-badge.svg)](https://github.com/avelino/awesome-go#networking)
@@ -60,13 +60,13 @@ You can install from source:
 The [releases](https://github.com/fortio/fortio/releases) page has binaries for many OS/architecture combinations (see assets):
 
 ```shell
-curl -L https://github.com/fortio/fortio/releases/download/v1.66.3/fortio-linux_amd64-1.66.3.tgz \
+curl -L https://github.com/fortio/fortio/releases/download/v1.66.4/fortio-linux_amd64-1.66.4.tgz \
  | sudo tar -C / -xvzpf -
 # or the debian package
-wget https://github.com/fortio/fortio/releases/download/v1.66.3/fortio_1.66.3_amd64.deb
-dpkg -i fortio_1.66.3_amd64.deb
+wget https://github.com/fortio/fortio/releases/download/v1.66.4/fortio_1.66.4_amd64.deb
+dpkg -i fortio_1.66.4_amd64.deb
 # or the rpm
-rpm -i https://github.com/fortio/fortio/releases/download/v1.66.3/fortio-1.66.3-1.x86_64.rpm
+rpm -i https://github.com/fortio/fortio/releases/download/v1.66.4/fortio-1.66.4-1.x86_64.rpm
 # and more, see assets in release page
 ```
 
@@ -76,7 +76,7 @@ On macOS you can also install Fortio using [Homebrew](https://brew.sh/):
 brew install fortio
 ```
 
-On Windows, download https://github.com/fortio/fortio/releases/download/v1.66.3/fortio_win_1.66.3.zip and extract `fortio.exe` to any location, then using the Windows Command Prompt:
+On Windows, download https://github.com/fortio/fortio/releases/download/v1.66.4/fortio_win_1.66.4.zip and extract `fortio.exe` to any location, then using the Windows Command Prompt:
 ```
 fortio.exe server
 ```
@@ -130,7 +130,7 @@ Full list of command line flags (`fortio help`):
 <!-- use release/updateFlags.sh to update this section -->
 <pre>
 <!-- USAGE_START -->
-Φορτίο 1.66.3 usage:
+Φορτίο 1.66.4 usage:
         fortio command [flags] target
 where command is one of: load (load testing), server (starts ui, rest api,
  http-echo, redirect, proxies, tcp-echo, udp-echo and grpc ping servers),

cli/fortio_main.go

@@ -43,6 +43,7 @@ import (
 	"fortio.org/fortio/ui"
 	"fortio.org/fortio/version"
 	"fortio.org/log"
+	"fortio.org/safecast"
 	"fortio.org/scli"
 )
 
@@ -261,8 +262,7 @@ func FortioMain(hook bincommon.FortioHook) {
 			fnet.UDPEchoServer("udp-echo", *udpPortFlag, *udpAsyncFlag)
 		}
 		if *grpcPortFlag != disabled {
-			//nolint:gosec // not practically overflowing.
-			fgrpc.PingServer(*grpcPortFlag, *healthSvcFlag, uint32(*maxStreamsFlag), tlsOptions)
+			fgrpc.PingServer(*grpcPortFlag, *healthSvcFlag, safecast.MustConvert[uint32](*maxStreamsFlag), tlsOptions)
 		}
 		if *redirectFlag != disabled {
 			fhttp.RedirectToHTTPS(*redirectFlag)

fhttp/http_client.go

@@ -36,6 +36,7 @@ import (
 	"fortio.org/fortio/jrpc"
 	"fortio.org/fortio/stats"
 	"fortio.org/log"
+	"fortio.org/safecast"
 	"fortio.org/scli"
 	"github.com/google/uuid"
 	"golang.org/x/net/http2"
@@ -522,7 +523,7 @@ func (c *Client) StreamFetch(ctx context.Context) (int, int64, uint) {
 			body = strings.Replace(body, uuidToken, generateUUID(), 1)
 		}
 		bodyBytes := []byte(body)
-		req.ContentLength = int64(len(bodyBytes))
+		req.ContentLength = safecast.MustConvert[int64](len(bodyBytes))
 		req.Body = io.NopCloser(bytes.NewReader(bodyBytes))
 	} else if len(c.body) > 0 {
 		req.Body = io.NopCloser(bytes.NewReader(c.body))
@@ -975,7 +976,7 @@ func (c *FastClient) Fetch(ctx context.Context) (int, []byte, int) {
 	c.dataWriter = nil
 	// we're inlining the old returnRes() below so no need to capture the return values
 	code, _, _ := c.StreamFetch(ctx)
-	return code, c.buffer[:c.size], int(c.headerLen) //nolint:gosec // not practically overflowing.
+	return code, c.buffer[:c.size], safecast.MustConvert[int](c.headerLen)
 }
 
 // Fetch fetches the URL content. Returns HTTP code, data written to the writer, length of headers.
@@ -1087,9 +1088,9 @@ func (d *DelayedErrorReader) Close() error {
 
 // Response reading:
 //
-//nolint:nestif,funlen,gocognit,gocyclo,maintidx,gosec // TODO: refactor - unwiedly/ugly atm.
+//nolint:nestif,funlen,gocognit,gocyclo,maintidx // TODO: refactor - unwiedly/ugly atm.
 func (c *FastClient) readResponse(conn *DelayedErrorReader, socket net.Conn, reusedSocket bool) {
-	maxV := int64(len(c.buffer))
+	maxV := safecast.MustConvert[int64](len(c.buffer))
 	parsedHeaders := false
 	// TODO: safer to start with -1 / SocketError and fix ok for HTTP/1.0
 	c.code = http.StatusOK // In HTTP/1.0 mode we don't bother parsing anything
@@ -1103,7 +1104,7 @@ func (c *FastClient) readResponse(conn *DelayedErrorReader, socket net.Conn, reu
 		// TODO: need automated tests
 		if !skipRead {
 			nI, err := conn.Read(c.buffer[c.size:])
-			n := int64(nI)
+			n := safecast.MustConvert[int64](nI)
 			if err != nil {
 				if reusedSocket && c.size == 0 {
 					// Ok for reused socket to be dead once (close by server)
@@ -1135,7 +1136,7 @@ func (c *FastClient) readResponse(conn *DelayedErrorReader, socket net.Conn, reu
 			c.size += n
 			if log.LogDebug() {
 				log.Debugf("[%d] Read ok %d total %d so far (-%d headers = %d data) %s",
-					c.id, n, c.size, c.headerLen, c.size-int64(c.headerLen), DebugSummary(c.buffer[c.size-n:c.size], 256))
+					c.id, n, c.size, c.headerLen, c.size-safecast.MustConvert[int64](c.headerLen), DebugSummary(c.buffer[c.size-n:c.size], 256))
 			}
 		}
 		skipRead = false
@@ -1160,7 +1161,7 @@ func (c *FastClient) readResponse(conn *DelayedErrorReader, socket net.Conn, reu
 			idx := endofHeadersStart
 			for idx < c.size-1 {
 				if c.buffer[idx] == '\r' && c.buffer[idx+1] == '\n' {
-					if int64(c.headerLen) == idx-2 { // found end of headers
+					if safecast.MustConvert[int64](c.headerLen) == idx-2 { // found end of headers
 						parsedHeaders = true
 						break
 					}
@@ -1189,7 +1190,7 @@ func (c *FastClient) readResponse(conn *DelayedErrorReader, socket net.Conn, reu
 							keepAlive = false
 							break
 						}
-						maxV = int64(c.headerLen) + contentLength
+						maxV = safecast.MustConvert[int64](c.headerLen) + contentLength
 						if log.LogDebug() { // somehow without the if we spend 400ms/10s in LogV (!)
 							log.Debugf("[%d] found content length %d", c.id, contentLength)
 						}
@@ -1202,12 +1203,12 @@ func (c *FastClient) readResponse(conn *DelayedErrorReader, socket net.Conn, reu
 							if contentLength == -1 {
 								// chunk length not available yet
 								log.LogVf("[%d] chunk mode but no first chunk length yet, reading more", c.id)
-								maxV = int64(c.headerLen)
+								maxV = safecast.MustConvert[int64](c.headerLen)
 								continue
 							}
-							maxV = int64(c.headerLen) + dataStart + contentLength + 2 // extra CR LF
+							maxV = safecast.MustConvert[int64](c.headerLen) + dataStart + contentLength + 2 // extra CR LF
 							log.Debugf("[%d] chunk-length is %d (%s) setting max to %d",
-								c.id, contentLength, c.buffer[c.headerLen:int64(c.headerLen)+dataStart-2],
+								c.id, contentLength, c.buffer[c.headerLen:safecast.MustConvert[int64](c.headerLen)+dataStart-2],
 								maxV)
 						} else {
 							if log.LogVerbose() {
@@ -1220,21 +1221,21 @@ func (c *FastClient) readResponse(conn *DelayedErrorReader, socket net.Conn, reu
 							break
 						}
 					} // end of content-length section
-					if maxV > int64(len(c.buffer)) {
+					if maxV > safecast.MustConvert[int64](len(c.buffer)) {
 						log.S(log.Warning, "Buffer is too small for headers + data - change -httpbufferkb flag",
 							log.Attr("header_len", c.headerLen),
 							log.Attr("content_length", contentLength),
-							log.Attr("buffer_needed", (int64(c.headerLen)+contentLength)/1024+1),
+							log.Attr("buffer_needed", (safecast.MustConvert[int64](c.headerLen)+contentLength)/1024+1),
 							log.Attr("thread", c.id), log.Attr("run", c.runID))
 						// TODO: just consume the extra instead
 						// or rather use the dataWriter post headers
-						maxV = int64(len(c.buffer))
+						maxV = safecast.MustConvert[int64](len(c.buffer))
 					}
 					if checkConnectionClosedHeader {
 						if found, _ := FoldFind(c.buffer[:c.headerLen], connectionCloseHeader); found {
 							log.S(log.Info, "Server wants to close connection, no keep-alive!", log.Attr("thread", c.id), log.Attr("run", c.runID))
 							keepAlive = false
-							maxV = int64(len(c.buffer)) // reset to read as much as available
+							maxV = safecast.MustConvert[int64](len(c.buffer)) // reset to read as much as available
 						}
 					}
 				}
@@ -1274,7 +1275,7 @@ func (c *FastClient) readResponse(conn *DelayedErrorReader, socket net.Conn, reu
 				default:
 					maxV += dataStart + nextChunkLen + 2 // extra CR LF
 					log.Debugf("[%d] One more chunk %d -> new max %d", c.id, nextChunkLen, maxV)
-					if maxV > int64(len(c.buffer)) {
+					if maxV > safecast.MustConvert[int64](len(c.buffer)) {
 						log.S(log.Error, "Buffer too small for data", log.Attr("size", maxV), log.Attr("thread", c.id), log.Attr("run", c.runID))
 					} else {
 						if maxV <= c.size {

fnet/network.go

@@ -31,6 +31,7 @@ import (
 	"fortio.org/fortio/jrpc"
 	"fortio.org/fortio/version"
 	"fortio.org/log"
+	"fortio.org/safecast"
 )
 
 const (
@@ -337,7 +338,7 @@ func checkCache(host, port string) (found bool, res net.IP) {
 		return
 	}
 	found = true
-	idx := dnsRoundRobin % uint32(len(dnsAddrs)) //nolint:gosec // not possible.
+	idx := dnsRoundRobin % safecast.MustConvert[uint32](len(dnsAddrs))
 	dnsRoundRobin++
 	res = dnsAddrs[idx]
 	dnsMutex.Unlock() // unlock before IOs
@@ -374,7 +375,7 @@ func ResolveByProto(ctx context.Context, host string, port string, proto string)
 	if err != nil {
 		return nil, err // error already logged
 	}
-	l := uint32(len(addrs)) //nolint:gosec // not possible.
+	l := safecast.MustConvert[uint32](len(addrs))
 	if l > 1 {
 		switch dnsMethod {
 		case "cached-rr":
@@ -391,13 +392,14 @@ func ResolveByProto(ctx context.Context, host string, port string, proto string)
 			dnsMutex.Unlock()
 			log.Debugf("First time/new host for caching address for %s : %v", host, addrs)
 		case "rr":
-			idx = dnsRoundRobin % uint32(len(addrs)) //nolint:gosec // not possible.
+			idx = dnsRoundRobin % safecast.MustConvert[uint32](len(addrs))
 			dnsRoundRobin++
 			log.Debugf("Using rr address #%d for %s : %v", idx, host, addrs)
 		case "first":
 			log.Debugf("Using first address for %s : %v", host, addrs)
 		case "rnd":
-			idx = uint32(rand.Intn(int(l))) //nolint:gosec // we want fast not crypto
+			//nolint:gosec // we want fast not crypto
+			idx = safecast.MustConvert[uint32](rand.Intn(safecast.MustConvert[int](l)))
 			log.Debugf("Using rnd address #%d for %s : %v", idx, host, addrs)
 		}
 	}

go.mod

@@ -14,6 +14,7 @@ require (
 	fortio.org/cli v1.9.0
 	fortio.org/dflag v1.7.2
 	fortio.org/log v1.16.0
+	fortio.org/safecast v0.1.1
 	fortio.org/scli v1.15.2
 	fortio.org/sets v1.2.0
 	fortio.org/testscript v0.3.2

go.sum

@@ -6,6 +6,8 @@ fortio.org/dflag v1.7.2 h1:lUhXFvDlw4CJj/q7hPv/TC+n/wVoQylzQO6bUg5GQa0=
 fortio.org/dflag v1.7.2/go.mod h1:6yO/NIgrWfQH195WbHJ3Y45SCx11ffivQjfx2C/FS1U=
 fortio.org/log v1.16.0 h1:GhU8/9NkYZmEIzvTN/DTMedDAStLJraWUUVUA2EbNDc=
 fortio.org/log v1.16.0/go.mod h1:t58Spg9njjymvRioh5F6qKGSupEsnMjXLGWIS1i3khE=
+fortio.org/safecast v0.1.1 h1:lKSckzBVCbeJXTNUiAvBdplYUafEHM9BahrP46WgPEQ=
+fortio.org/safecast v0.1.1/go.mod h1:xZmcPk3vi4kuUFf+tq4SvnlVdwViqf6ZSZl91Jr9Jdg=
 fortio.org/scli v1.15.2 h1:vWXt4QOViXNWy4Gdm7d2FDfptzWD00QiWzYAM/IUF7c=
 fortio.org/scli v1.15.2/go.mod h1:XvY2JglgCeeZOIc5CrfBTtcsxkVV8xmGL5ykAcBjEHI=
 fortio.org/sets v1.2.0 h1:FBfC7R2xrOJtkcioUbY6WqEzdujuBoZRbSdp1fYF4Kk=