k1LoW · k1LoW · Aug 15, 2019 · Aug 15, 2019 · Aug 15, 2019 · Aug 15, 2019
diff --git a/Makefile b/Makefile
@@ -15,7 +15,7 @@ BUILD_LDFLAGS = -X $(PKG).commit=$(COMMIT) -X $(PKG).date=$(DATE)
 
 default: test
 
-ci: build test testdoc test_too_many_tables test_json
+ci: build test testdoc test_too_many_tables test_json sec
 
 test:
 	usql pg://postgres:pgpass@localhost:55432/testdb?sslmode=disable -f testdata/pg.sql
@@ -86,6 +86,9 @@ doc_spanner:
 test_spanner:
 	./tbls diff spanner://$(GCLOUD_PROJECT)/test-instance/testdb?creds=spanner_client_secrets.json -c testdata/spanner_tbls.yml sample/spanner
 
+sec:
+	gosec ./...
+
 build:
 	packr2
 	go build -ldflags="$(BUILD_LDFLAGS)"
@@ -99,6 +102,7 @@ depsdev:
 	go get github.com/xo/usql
 	go get github.com/gobuffalo/packr/v2/packr2
 	go get github.com/Songmu/gocredits/cmd/gocredits
+	go get github.com/securego/gosec/cmd/gosec
 
 prerelease:
 	ghch -w -N ${VER}

diff --git a/cmd/doc.go b/cmd/doc.go
@@ -82,7 +82,7 @@ var docCmd = &cobra.Command{
 		}
 
 		if !c.ER.Skip {
-			_, err = exec.Command("which", "dot").Output()
+			_, err = exec.Command("which", "dot").Output() // #nosec
 			if err == nil {
 				err := withDot(s, c, force)
 				if err != nil {
@@ -113,64 +113,73 @@ func withDot(s *schema.Schema, c *config.Config, force bool) error {
 		return errors.New("output ER diagram files already exists")
 	}
 
-	_ = os.MkdirAll(fullPath, 0755)
+	err = os.MkdirAll(fullPath, 0755) // #nosec
+	if err != nil {
+		return errors.WithStack(err)
+	}
 
 	dotFormatOption := fmt.Sprintf("-T%s", erFormat)
 	erFileName := fmt.Sprintf("schema.%s", erFormat)
 
 	fmt.Printf("%s\n", filepath.Join(outputPath, erFileName))
 	tmpfile, _ := ioutil.TempFile("", "tblstmp")
-	cmd := exec.Command("dot", dotFormatOption, "-o", filepath.Join(fullPath, erFileName), tmpfile.Name())
+	cmd := exec.Command("dot", dotFormatOption, "-o", filepath.Clean(filepath.Join(fullPath, erFileName)), tmpfile.Name()) // #nosec
 	var stderr bytes.Buffer
 	cmd.Stderr = &stderr
 
 	dot := dot.NewDot(c)
 
 	err = dot.OutputSchema(tmpfile, s)
 	if err != nil {
-		tmpfile.Close()
-		os.Remove(tmpfile.Name())
+		_ = tmpfile.Close()
+		_ = os.Remove(tmpfile.Name())
 		return err
 	}
 	err = tmpfile.Close()
 	if err != nil {
-		os.Remove(tmpfile.Name())
+		_ = os.Remove(tmpfile.Name())
 		return errors.WithStack(err)
 	}
 	err = cmd.Run()
 	if err != nil {
-		os.Remove(tmpfile.Name())
+		_ = os.Remove(tmpfile.Name())
 		return errors.WithStack(errors.Wrap(err, stderr.String()))
 	}
-	os.Remove(tmpfile.Name())
+	err = os.Remove(tmpfile.Name())
+	if err != nil {
+		return errors.WithStack(err)
+	}
 
 	// tables
 	for _, t := range s.Tables {
 		erFileName := fmt.Sprintf("%s.%s", t.Name, erFormat)
 
 		fmt.Printf("%s\n", filepath.Join(outputPath, erFileName))
 		tmpfile, _ := ioutil.TempFile("", "tblstmp")
-		c := exec.Command("dot", dotFormatOption, "-o", filepath.Join(fullPath, erFileName), tmpfile.Name())
+		c := exec.Command("dot", dotFormatOption, "-o", filepath.Join(fullPath, erFileName), tmpfile.Name()) // #nosec
 		var stderr bytes.Buffer
 		c.Stderr = &stderr
 
 		err = dot.OutputTable(tmpfile, t)
 		if err != nil {
-			tmpfile.Close()
-			os.Remove(tmpfile.Name())
+			_ = tmpfile.Close()
+			_ = os.Remove(tmpfile.Name())
 			return err
 		}
 		err = tmpfile.Close()
 		if err != nil {
-			os.Remove(tmpfile.Name())
+			_ = os.Remove(tmpfile.Name())
 			return errors.WithStack(err)
 		}
 		err = c.Run()
 		if err != nil {
-			os.Remove(tmpfile.Name())
+			_ = os.Remove(tmpfile.Name())
 			return errors.WithStack(errors.Wrap(err, stderr.String()))
 		}
-		os.Remove(tmpfile.Name())
+		err = os.Remove(tmpfile.Name())
+		if err != nil {
+			return errors.WithStack(err)
+		}
 	}
 
 	return nil

diff --git a/cmd/out.go b/cmd/out.go
@@ -104,7 +104,7 @@ var outCmd = &cobra.Command{
 
 		var wr io.Writer
 		if outPath != "" {
-			file, err := os.OpenFile(outPath, os.O_WRONLY|os.O_CREATE, 0666)
+			file, err := os.OpenFile(outPath, os.O_WRONLY|os.O_CREATE, 0666) // #nosec
 			if err != nil {
 				printError(err)
 				os.Exit(1)

diff --git a/config/config.go b/config/config.go
@@ -186,7 +186,7 @@ func (c *Config) LoadConfigFile(path string) error {
 		return errors.Wrap(errors.WithStack(err), "failed to load config file")
 	}
 
-	buf, err := ioutil.ReadFile(fullPath)
+	buf, err := ioutil.ReadFile(filepath.Clean(fullPath))
 	if err != nil {
 		return errors.Wrap(errors.WithStack(err), "failed to load config file")
 	}

diff --git a/datasource/datasource.go b/datasource/datasource.go
@@ -96,7 +96,10 @@ func AnalizeJSON(urlstr string) (*schema.Schema, error) {
 		return s, errors.WithStack(err)
 	}
 	dec := json.NewDecoder(file)
-	dec.Decode(s)
+	err = dec.Decode(s)
+	if err != nil {
+		return s, errors.WithStack(err)
+	}
 	err = s.Repair()
 	if err != nil {
 		return s, errors.WithStack(err)

diff --git a/drivers/mssql/mssql.go b/drivers/mssql/mssql.go
@@ -234,7 +234,7 @@ GROUP BY f.name, f.parent_object_id, f.referenced_object_id, delete_referential_
 			if err != nil {
 				return errors.WithStack(err)
 			}
-			fkDef := fmt.Sprintf("FOREIGN KEY(%s) REFERENCES %s(%s) ON UPDATE %s ON DELETE %s", fkColumnNames, fkParentTableName, fkParentColumnNames, fkUpdateAction, fkDeleteAction)
+			fkDef := fmt.Sprintf("FOREIGN KEY(%s) REFERENCES %s(%s) ON UPDATE %s ON DELETE %s", fkColumnNames, fkParentTableName, fkParentColumnNames, fkUpdateAction, fkDeleteAction) // #nosec
 			constraint := &schema.Constraint{
 				Name:             convertSystemNamed(fkName, fkIsSystemNamed),
 				Type:             typeFk,
@@ -427,10 +427,13 @@ ORDER BY i.index_id
 func (m *Mssql) Info() (*schema.Driver, error) {
 	var v string
 	row := m.db.QueryRow(`SELECT @@VERSION`)
-	row.Scan(&v)
-	name := "mssql"
+	err := row.Scan(&v)
+	if err != nil {
+		return nil, err
+	}
+
 	d := &schema.Driver{
-		Name:            name,
+		Name:            "mssql",
 		DatabaseVersion: v,
 	}
 	return d, nil

diff --git a/drivers/mysql/mysql.go b/drivers/mysql/mysql.go
@@ -346,7 +346,10 @@ WHERE table_schema = ? AND table_name = ? ORDER BY ordinal_position`, s.Name, ta
 func (m *Mysql) Info() (*schema.Driver, error) {
 	var v string
 	row := m.db.QueryRow(`SELECT version();`)
-	row.Scan(&v)
+	err := row.Scan(&v)
+	if err != nil {
+		return nil, err
+	}
 
 	d := &schema.Driver{
 		Name:            "mysql",

diff --git a/drivers/postgres/postgres.go b/drivers/postgres/postgres.go
@@ -332,7 +332,10 @@ ORDER BY ordinal_position
 func (p *Postgres) Info() (*schema.Driver, error) {
 	var v string
 	row := p.db.QueryRow(`SELECT version();`)
-	row.Scan(&v)
+	err := row.Scan(&v)
+	if err != nil {
+		return nil, err
+	}
 
 	name := "postgres"
 	if p.rsMode {

diff --git a/drivers/spanner/spanner.go b/drivers/spanner/spanner.go
@@ -275,7 +275,7 @@ GROUP BY c.TABLE_CATALOG, c.TABLE_SCHEMA, c.TABLE_NAME, c.INDEX_NAME, c.INDEX_TY
 		if err != nil {
 			return err
 		}
-		def := fmt.Sprintf("INTERLEAVE IN PARENT %s ON DELETE %s", i.parentTableName, i.onDeleteAction)
+		def := fmt.Sprintf("INTERLEAVE IN PARENT %s ON DELETE %s", i.parentTableName, i.onDeleteAction) // #nosec
 
 		// constraints
 		constraint := &schema.Constraint{

diff --git a/drivers/sqlite/sqlite.go b/drivers/sqlite/sqlite.go
@@ -187,7 +187,7 @@ WHERE name != 'sqlite_sequence' AND (type = 'table' OR type = 'view');`)
 
 		for _, f := range fkSlice {
 			foreignKeyDef := fmt.Sprintf("FOREIGN KEY (%s) REFERENCES %s (%s) ON UPDATE %s ON DELETE %s MATCH %s",
-				strings.Join(f.ColumnNames, ", "), f.ForeignTableName, strings.Join(f.ForeignColumnNames, ", "), f.OnUpdate, f.OnDelete, f.Match)
+				strings.Join(f.ColumnNames, ", "), f.ForeignTableName, strings.Join(f.ForeignColumnNames, ", "), f.OnUpdate, f.OnDelete, f.Match) // #nosec
 			constraint := &schema.Constraint{
 				Name:             fmt.Sprintf("- (Foreign key ID: %s)", f.ID),
 				Type:             "FOREIGN KEY",
@@ -384,7 +384,10 @@ SELECT name, sql FROM sqlite_master WHERE type = 'trigger' AND tbl_name = ?;
 func (l *Sqlite) Info() (*schema.Driver, error) {
 	var v string
 	row := l.db.QueryRow(`SELECT sqlite_version();`)
-	row.Scan(&v)
+	err := row.Scan(&v)
+	if err != nil {
+		return nil, err
+	}
 
 	d := &schema.Driver{
 		Name:            "sqlite",

diff --git a/output/json/json.go b/output/json/json.go
@@ -14,14 +14,20 @@ type JSON struct{}
 func (j *JSON) OutputSchema(wr io.Writer, s *schema.Schema) error {
 	encoder := json.NewEncoder(wr)
 	encoder.SetIndent("", "  ")
-	encoder.Encode(s)
+	err := encoder.Encode(s)
+	if err != nil {
+		return err
+	}
 	return nil
 }
 
 // OutputTable output dot format for table.
 func (j *JSON) OutputTable(wr io.Writer, t *schema.Table) error {
 	encoder := json.NewEncoder(wr)
 	encoder.SetIndent("", "  ")
-	encoder.Encode(t)
+	err := encoder.Encode(t)
+	if err != nil {
+		return err
+	}
 	return nil
 }
diff --git a/output/md/md.go b/output/md/md.go
@@ -83,7 +83,10 @@ func Output(s *schema.Schema, c *config.Config, force bool) error {
 		return errors.New("output files already exists")
 	}
 
-	_ = os.MkdirAll(fullPath, 0755)
+	err = os.MkdirAll(fullPath, 0755) // #nosec
+	if err != nil {
+		return errors.WithStack(err)
+	}
 
 	// README.md
 	file, err := os.Create(filepath.Join(fullPath, "README.md"))
@@ -108,7 +111,7 @@ func Output(s *schema.Schema, c *config.Config, force bool) error {
 	for _, t := range s.Tables {
 		file, err := os.Create(filepath.Join(fullPath, fmt.Sprintf("%s.md", t.Name)))
 		if err != nil {
-			file.Close()
+			_ = file.Close()
 			return errors.WithStack(err)
 		}
 
@@ -121,11 +124,14 @@ func Output(s *schema.Schema, c *config.Config, force bool) error {
 
 		err = md.OutputTable(file, t)
 		if err != nil {
-			file.Close()
+			_ = file.Close()
 			return errors.WithStack(err)
 		}
 		fmt.Printf("%s\n", filepath.Join(docPath, fmt.Sprintf("%s.md", t.Name)))
-		file.Close()
+		err = file.Close()
+		if err != nil {
+			return errors.WithStack(err)
+		}
 	}
 	return nil
 }
@@ -159,7 +165,7 @@ func Diff(s *schema.Schema, c *config.Config) (string, error) {
 	}
 
 	targetPath := filepath.Join(fullPath, "README.md")
-	b, err := ioutil.ReadFile(targetPath)
+	b, err := ioutil.ReadFile(filepath.Clean(targetPath))
 	if err != nil {
 		b = []byte{}
 	}
@@ -199,7 +205,7 @@ func Diff(s *schema.Schema, c *config.Config) (string, error) {
 			return "", errors.WithStack(err)
 		}
 		targetPath := filepath.Join(fullPath, fmt.Sprintf("%s.md", t.Name))
-		b, err := ioutil.ReadFile(targetPath)
+		b, err := ioutil.ReadFile(filepath.Clean(targetPath))
 		if err != nil {
 			b = []byte{}
 		}

diff --git a/output/plantuml/plantuml.go b/output/plantuml/plantuml.go
@@ -38,7 +38,10 @@ func NewPlantUML(c *config.Config) *PlantUML {
 // OutputSchema output dot format for full relation.
 func (p *PlantUML) OutputSchema(wr io.Writer, s *schema.Schema) error {
 	for _, t := range s.Tables {
-		addPrefix(t)
+		err := addPrefix(t)
+		if err != nil {
+			return err
+		}
 	}
 
 	ts, err := p.box.FindString("schema.puml.tmpl")
@@ -59,15 +62,21 @@ func (p *PlantUML) OutputSchema(wr io.Writer, s *schema.Schema) error {
 
 // OutputTable output dot format for table.
 func (p *PlantUML) OutputTable(wr io.Writer, t *schema.Table) error {
-	addPrefix(t)
+	err := addPrefix(t)
+	if err != nil {
+		return err
+	}
 	encountered := make(map[string]bool)
 	tables := []*schema.Table{}
 	relations := []*schema.Relation{}
 	for _, c := range t.Columns {
 		for _, r := range c.ParentRelations {
 			if !encountered[r.ParentTable.Name] {
 				encountered[r.ParentTable.Name] = true
-				addPrefix(r.ParentTable)
+				err := addPrefix(r.ParentTable)
+				if err != nil {
+					return err
+				}
 				tables = append(tables, r.ParentTable)
 			}
 			if !contains(relations, r) {
@@ -77,7 +86,10 @@ func (p *PlantUML) OutputTable(wr io.Writer, t *schema.Table) error {
 		for _, r := range c.ChildRelations {
 			if !encountered[r.Table.Name] {
 				encountered[r.Table.Name] = true
-				addPrefix(r.Table)
+				err := addPrefix(r.Table)
+				if err != nil {
+					return err
+				}
 				tables = append(tables, r.Table)
 			}
 			if !contains(relations, r) {

diff --git a/output/xlsx/xlsx.go b/output/xlsx/xlsx.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"path/filepath"
 	"strings"
 	"unicode/utf8"
 
@@ -34,8 +35,11 @@ func (x *Xlsx) OutputSchema(wr io.Writer, s *schema.Schema) error {
 	tf, _ := ioutil.TempFile("", "tbls.xlsx")
 	path := tf.Name()
 	defer tf.Close()
-	w.Save(path)
-	b, err := ioutil.ReadFile(path)
+	err = w.Save(path)
+	if err != nil {
+		return err
+	}
+	b, err := ioutil.ReadFile(filepath.Clean(path))
 	if err != nil {
 		return err
 	}
@@ -59,8 +63,11 @@ func (x *Xlsx) OutputTable(wr io.Writer, t *schema.Table) error {
 	tf, _ := ioutil.TempFile("", "tbls.xlsx")
 	path := tf.Name()
 	defer tf.Close()
-	w.Save(path)
-	b, err := ioutil.ReadFile(path)
+	err = w.Save(path)
+	if err != nil {
+		return err
+	}
+	b, err := ioutil.ReadFile(filepath.Clean(path))
 	if err != nil {
 		return err
 	}