add gosec suppressions/fixes

Author: gartnera

app/ante/authz.go

@@ -49,7 +49,7 @@ func NewAuthzLimiterDecorator(disabledMsgTypes []string) AuthzLimiterDecorator {
 
 func (ald AuthzLimiterDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simulate bool, next sdk.AnteHandler) (newCtx sdk.Context, err error) {
 	if err := ald.checkDisabledMsgs(tx.GetMsgs(), false, 0); err != nil {
-		return ctx, errorsmod.Wrapf(errortypes.ErrUnauthorized, err.Error())
+		return ctx, errorsmod.Wrapf(errortypes.ErrUnauthorized, "%v", err)
 	}
 	return next(ctx, tx, simulate)
 }

app/ante/fee_checker.go

@@ -120,6 +120,7 @@ func checkTxFeeWithValidatorMinGasPrices(ctx sdk.Context, tx sdk.FeeTx) (sdk.Coi
 
 		// Determine the required fees by multiplying each required minimum gas
 		// price by the gas limit, where fee = ceil(minGasPrice * gasLimit).
+		// #nosec G115 always in range
 		glDec := sdk.NewDec(int64(gas))
 
 		for i, gp := range minGasPrices {
@@ -132,6 +133,7 @@ func checkTxFeeWithValidatorMinGasPrices(ctx sdk.Context, tx sdk.FeeTx) (sdk.Coi
 		}
 	}
 
+	// #nosec G115 always in range
 	priority := getTxPriority(feeCoins, int64(gas))
 	return feeCoins, priority, nil
 }

app/ante/setup.go

@@ -85,6 +85,7 @@ func (eeed EthEmitEventDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simulat
 		ctx.EventManager().EmitEvent(sdk.NewEvent(
 			evmtypes.EventTypeEthereumTx,
 			sdk.NewAttribute(evmtypes.AttributeKeyEthereumTxHash, msgEthTx.Hash),
+			// #nosec G115 index always positive
 			sdk.NewAttribute(evmtypes.AttributeKeyTxIndex, strconv.FormatUint(txIndex+uint64(i), 10)),
 		))
 	}

ethereum/eip712/domain.go

@@ -25,7 +25,7 @@ func createEIP712Domain(chainID uint64) apitypes.TypedDataDomain {
 	domain := apitypes.TypedDataDomain{
 		Name:              "Cosmos Web3",
 		Version:           "1.0.0",
-		ChainId:           math.NewHexOrDecimal256(int64(chainID)), // #nosec G701
+		ChainId:           math.NewHexOrDecimal256(int64(chainID)), // #nosec G701 G115
 		VerifyingContract: "cosmos",
 		Salt:              "0",
 	}

ethereum/eip712/eip712_legacy.go

@@ -59,8 +59,9 @@ func LegacyWrapTxToTypedData(
 	}
 
 	domain := apitypes.TypedDataDomain{
-		Name:              "Cosmos Web3",
-		Version:           "1.0.0",
+		Name:    "Cosmos Web3",
+		Version: "1.0.0",
+		// #nosec G115 chainID always positive
 		ChainId:           math.NewHexOrDecimal256(int64(chainID)),
 		VerifyingContract: "cosmos",
 		Salt:              "0",

indexer/kv_indexer.go

@@ -97,8 +97,10 @@ func (kv *KVIndexer) IndexBlock(block *tmtypes.Block, txResults []*abci.Response
 			txHash := common.HexToHash(ethMsg.Hash)
 
 			txResult := ethermint.TxResult{
-				Height:     height,
-				TxIndex:    uint32(txIndex),
+				Height: height,
+				// #nosec G115 index always positive
+				TxIndex: uint32(txIndex),
+				// #nosec G115 index always positive
 				MsgIndex:   uint32(msgIndex),
 				EthTxIndex: ethTxIndex,
 			}
@@ -180,7 +182,9 @@ func TxHashKey(hash common.Hash) []byte {
 
 // TxIndexKey returns the key for db entry: `(block number, tx index) -> tx hash`
 func TxIndexKey(blockNumber int64, txIndex int32) []byte {
+	// #nosec G115 block number always positive
 	bz1 := sdk.Uint64ToBigEndian(uint64(blockNumber))
+	// #nosec G115 index always positive
 	bz2 := sdk.Uint64ToBigEndian(uint64(txIndex))
 	return append(append([]byte{KeyPrefixTxIndex}, bz1...), bz2...)
 }
@@ -241,5 +245,6 @@ func parseBlockNumberFromKey(key []byte) (int64, error) {
 		return 0, fmt.Errorf("wrong tx index key length, expect: %d, got: %d", TxIndexKeyLength, len(key))
 	}
 
+	// #nosec G115 block number always in range
 	return int64(sdk.BigEndianToUint64(key[1:9])), nil
 }

rpc/backend/account_info.go

@@ -77,6 +77,7 @@ func (b *Backend) GetProof(address common.Address, storageKeys []string, blockNr
 			return nil, fmt.Errorf("not able to query block number greater than MaxInt64")
 		}
 
+		// #nosec G115 block number always in range
 		height = int64(bn)
 	}
 
@@ -195,6 +196,7 @@ func (b *Backend) GetTransactionCount(address common.Address, blockNum rpctypes.
 		return &n, err
 	}
 	height := blockNum.Int64()
+	// #nosec G115 block number always in range
 	currentHeight := int64(bn)
 	if height > currentHeight {
 		return &n, errorsmod.Wrapf(

rpc/backend/blocks.go

@@ -179,6 +179,7 @@ func (b *Backend) TendermintBlockByNumber(blockNum rpctypes.BlockNumber) (*tmrpc
 		if err != nil {
 			return nil, err
 		}
+		// #nosec G115 always in range
 		height = int64(n)
 	}
 	resBlock, err := b.clientCtx.Client.Block(b.ctx, &height)
@@ -401,7 +402,9 @@ func (b *Backend) RPCBlockFromTendermintBlock(
 		rpcTx, err := rpctypes.NewRPCTransaction(
 			tx,
 			common.BytesToHash(block.Hash()),
+			// #nosec G115 block height always positive
 			uint64(block.Height),
+			// #nosec G115 txIndex always positive
 			uint64(txIndex),
 			baseFee,
 			b.chainID,
@@ -457,6 +460,7 @@ func (b *Backend) RPCBlockFromTendermintBlock(
 			// block gas limit has exceeded, other txs must have failed with same reason.
 			break
 		}
+		// #nosec G115 gas used always positive
 		gasUsed += uint64(txsResult.GetGasUsed())
 	}
 

rpc/backend/chain_info.go

@@ -173,9 +173,11 @@ func (b *Backend) FeeHistory(
 		if err != nil {
 			return nil, err
 		}
+		// #nosec G115 block number always in range
 		blockEnd = int64(blockNumber)
 	}
 
+	// #nosec G115 not security relevant
 	blocks := int64(userBlockCount)
 	maxBlockCount := int64(b.cfg.JSONRPC.FeeHistoryCap)
 	if blocks > maxBlockCount {
@@ -204,6 +206,7 @@ func (b *Backend) FeeHistory(
 
 	// fetch block
 	for blockID := blockStart; blockID <= blockEnd; blockID++ {
+		// #nosec G115 out of range would just result in confusing output
 		index := int32(blockID - blockStart)
 		// tendermint block
 		tendermintblock, err := b.TendermintBlockByNumber(rpctypes.BlockNumber(blockID))

rpc/backend/node_info.go

@@ -80,8 +80,10 @@ func (b *Backend) Syncing() (interface{}, error) {
 	}
 
 	return map[string]interface{}{
+		// #nosec G115 block height always positive
 		"startingBlock": hexutil.Uint64(status.SyncInfo.EarliestBlockHeight),
-		"currentBlock":  hexutil.Uint64(status.SyncInfo.LatestBlockHeight),
+		// #nosec G115 block height always positive
+		"currentBlock": hexutil.Uint64(status.SyncInfo.LatestBlockHeight),
 		// "highestBlock":  nil, // NA
 		// "pulledStates":  nil, // NA
 		// "knownStates":   nil, // NA

rpc/backend/tracing.go

@@ -50,6 +50,7 @@ func (b *Backend) TraceTransaction(hash common.Hash, config *evmtypes.TraceConfi
 	}
 
 	// check tx index is not out of bound
+	// #nosec G115 len() is always >= 0
 	if uint32(len(blk.Block.Txs)) < transaction.TxIndex {
 		b.logger.Debug("tx index out of bounds", "index", transaction.TxIndex, "hash", hash.String(), "height", blk.Block.Height)
 		return nil, fmt.Errorf("transaction not included in block %v", blk.Block.Height)

rpc/backend/tx_info.go

@@ -69,6 +69,7 @@ func (b *Backend) GetTransactionByHash(txHash common.Hash) (*rpctypes.RPCTransac
 		msgs := b.EthMsgsFromTendermintBlock(block, blockRes)
 		for i := range msgs {
 			if msgs[i].Hash == hexTx {
+				// #nosec G115 block size limit prevents out of range
 				res.EthTxIndex = int32(i)
 				break
 			}
@@ -88,7 +89,9 @@ func (b *Backend) GetTransactionByHash(txHash common.Hash) (*rpctypes.RPCTransac
 	return rpctypes.NewTransactionFromMsg(
 		msg,
 		common.BytesToHash(block.BlockID.Hash.Bytes()),
+		// #nosec G115 height always in range
 		uint64(res.Height),
+		// #nosec G115 index always positive
 		uint64(res.EthTxIndex),
 		baseFee,
 		b.chainID,
@@ -179,6 +182,7 @@ func (b *Backend) GetTransactionReceipt(hash common.Hash) (map[string]interface{
 		return nil, nil
 	}
 	for _, txResult := range blockRes.TxsResults[0:res.TxIndex] {
+		// #nosec G115 txResult.GasUsed always positive
 		cumulativeGasUsed += uint64(txResult.GasUsed)
 	}
 	cumulativeGasUsed += res.CumulativeGasUsed
@@ -210,6 +214,7 @@ func (b *Backend) GetTransactionReceipt(hash common.Hash) (map[string]interface{
 		msgs := b.EthMsgsFromTendermintBlock(resBlock, blockRes)
 		for i := range msgs {
 			if msgs[i].Hash == hexTx {
+				// #nosec G115 block size limit prevents out of range
 				res.EthTxIndex = int32(i)
 				break
 			}
@@ -235,8 +240,10 @@ func (b *Backend) GetTransactionReceipt(hash common.Hash) (map[string]interface{
 
 		// Inclusion information: These fields provide information about the inclusion of the
 		// transaction corresponding to this receipt.
-		"blockHash":        common.BytesToHash(resBlock.Block.Header.Hash()).Hex(),
-		"blockNumber":      hexutil.Uint64(res.Height),
+		"blockHash": common.BytesToHash(resBlock.Block.Header.Hash()).Hex(),
+		// #nosec G115 height always positive
+		"blockNumber": hexutil.Uint64(res.Height),
+		// #nosec G115 index always positive
 		"transactionIndex": hexutil.Uint64(res.EthTxIndex),
 
 		// sender and receiver (contract or EOA) addreses
@@ -330,6 +337,7 @@ func (b *Backend) GetTxByEthHash(hash common.Hash) (*ethermint.TxResult, error)
 // GetTxByTxIndex uses `/tx_query` to find transaction by tx index of valid ethereum txs
 func (b *Backend) GetTxByTxIndex(height int64, index uint) (*ethermint.TxResult, error) {
 	if b.indexer != nil {
+		// #nosec G115 not security relevant
 		return b.indexer.GetByBlockAndIndex(height, int32(index))
 	}
 
@@ -339,6 +347,7 @@ func (b *Backend) GetTxByTxIndex(height int64, index uint) (*ethermint.TxResult,
 		evmtypes.AttributeKeyTxIndex, index,
 	)
 	txResult, err := b.queryTendermintTxIndexer(query, func(txs *rpctypes.ParsedTxs) *rpctypes.ParsedTx {
+		// #nosec G115 out of range would just result in confusing output
 		return txs.GetTxByTxIndex(int(index))
 	})
 	if err != nil {
@@ -398,6 +407,7 @@ func (b *Backend) GetTransactionByBlockAndIndex(block *tmrpctypes.ResultBlock, i
 			return nil, nil
 		}
 	} else {
+		// #nosec G115 out of range would just result in confusing output
 		i := int(idx)
 		ethMsgs := b.EthMsgsFromTendermintBlock(block, blockRes)
 		if i >= len(ethMsgs) {
@@ -417,6 +427,7 @@ func (b *Backend) GetTransactionByBlockAndIndex(block *tmrpctypes.ResultBlock, i
 	return rpctypes.NewTransactionFromMsg(
 		msg,
 		common.BytesToHash(block.Block.Hash()),
+		// #nosec G115 block height always in range
 		uint64(block.Block.Height),
 		uint64(idx),
 		baseFee,

rpc/backend/utils.go

@@ -181,6 +181,7 @@ func (b *Backend) processBlock(
 			b.logger.Debug("failed to decode transaction in block", "height", blockHeight, "error", err.Error())
 			continue
 		}
+		// #nosec G115 gas used always positive
 		txGasUsed := uint64(eachTendermintTxResult.GasUsed)
 		for _, msg := range tx.GetMsgs() {
 			ethMsg, ok := msg.(*evmtypes.MsgEthereumTx)

rpc/namespaces/ethereum/debug/api.go

@@ -123,6 +123,7 @@ func (a *API) BlockProfile(file string, nsec uint) error {
 	runtime.SetBlockProfileRate(1)
 	defer runtime.SetBlockProfileRate(0)
 
+	// #nosec G115 out of range would just result in confusing output
 	time.Sleep(time.Duration(nsec) * time.Second)
 	return writeProfile("block", file, a.logger)
 }
@@ -134,6 +135,7 @@ func (a *API) CpuProfile(file string, nsec uint) error { //nolint: golint, style
 	if err := a.StartCPUProfile(file); err != nil {
 		return err
 	}
+	// #nosec G115 out of range would just result in confusing output
 	time.Sleep(time.Duration(nsec) * time.Second)
 	return a.StopCPUProfile()
 }
@@ -153,6 +155,7 @@ func (a *API) GoTrace(file string, nsec uint) error {
 	if err := a.StartGoTrace(file); err != nil {
 		return err
 	}
+	// #nosec G115 out of range would just result in confusing output
 	time.Sleep(time.Duration(nsec) * time.Second)
 	return a.StopGoTrace()
 }
@@ -269,6 +272,7 @@ func (a *API) WriteMemProfile(file string) error {
 func (a *API) MutexProfile(file string, nsec uint) error {
 	a.logger.Debug("debug_mutexProfile", "file", file, "nsec", nsec)
 	runtime.SetMutexProfileFraction(1)
+	// #nosec G115 out of range would only result in confusing output
 	time.Sleep(time.Duration(nsec) * time.Second)
 	defer runtime.SetMutexProfileFraction(0)
 	return writeProfile("mutex", file, a.logger)
@@ -301,6 +305,7 @@ func (a *API) SetGCPercent(v int) int {
 
 // GetHeaderRlp retrieves the RLP encoded for of a single header.
 func (a *API) GetHeaderRlp(number uint64) (hexutil.Bytes, error) {
+	// #nosec G115 out of range would only result in confusing output
 	header, err := a.backend.HeaderByNumber(rpctypes.BlockNumber(number))
 	if err != nil {
 		return nil, err
@@ -311,6 +316,7 @@ func (a *API) GetHeaderRlp(number uint64) (hexutil.Bytes, error) {
 
 // GetBlockRlp retrieves the RLP encoded for of a single block.
 func (a *API) GetBlockRlp(number uint64) (hexutil.Bytes, error) {
+	// #nosec G115 out of range would only result in confusing output
 	block, err := a.backend.EthBlockByNumber(rpctypes.BlockNumber(number))
 	if err != nil {
 		return nil, err
@@ -321,6 +327,7 @@ func (a *API) GetBlockRlp(number uint64) (hexutil.Bytes, error) {
 
 // PrintBlock retrieves a block and returns its pretty printed form.
 func (a *API) PrintBlock(number uint64) (string, error) {
+	// #nosec G115 out of range would only result in confusing output
 	block, err := a.backend.EthBlockByNumber(rpctypes.BlockNumber(number))
 	if err != nil {
 		return "", err

rpc/types/events.go

@@ -17,6 +17,7 @@ package types
 
 import (
 	"fmt"
+	"math"
 	"strconv"
 
 	abci "github.com/cometbft/cometbft/abci/types"
@@ -135,6 +136,7 @@ func ParseTxResult(result *abci.ResponseDeliverTx, tx sdk.Tx) (*ParsedTxs, error
 
 	// some old versions miss some events, fill it with tx result
 	if len(p.Txs) == 1 {
+		// #nosec G115 result.GasUsed always positive
 		p.Txs[0].GasUsed = uint64(result.GasUsed)
 	}
 
@@ -164,8 +166,9 @@ func ParseTxIndexerResult(txResult *tmrpctypes.ResultTx, tx sdk.Tx, getter func(
 	}
 
 	return &ethermint.TxResult{
-		Height:            txResult.Height,
-		TxIndex:           txResult.Index,
+		Height:  txResult.Height,
+		TxIndex: txResult.Index,
+		// #nosec G115 parsedTx.MsgIndex always positive
 		MsgIndex:          uint32(parsedTx.MsgIndex),
 		EthTxIndex:        parsedTx.EthTxIndex,
 		Failed:            parsedTx.Failed,
@@ -251,6 +254,10 @@ func fillTxAttribute(tx *ParsedTx, key []byte, value []byte) error {
 		if err != nil {
 			return err
 		}
+		if txIndex > math.MaxInt32 {
+			return fmt.Errorf("%s exceeds int32 range", value)
+		}
+		// #nosec G115 range checked
 		tx.EthTxIndex = int32(txIndex)
 	case evmtypes.AttributeKeyTxGasUsed:
 		gasUsed, err := strconv.ParseUint(string(value), 10, 64)