Compare commits

...

13 commits

Author SHA1 Message Date
f9859799b2
Merge pull request #195 from step-security-bot/stepsecurity_remediation_1711216890
[StepSecurity] ci: Harden GitHub Actions
2024-03-23 19:06:20 +01:00
StepSecurity Bot
d87e2205d6
[StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2024-03-23 18:01:31 +00:00
25ee875300
"Add Govulncheck Security Scan workflow"
A new GitHub Actions workflow for Govulncheck Security Scan has been added. This workflow gets activated on every push or pull request and includes runner hardening and executing 'govulncheck' to identify potential vulnerabilities.
2024-03-23 18:59:10 +01:00
4aeeca5a82
Merge pull request #194 from wneessen/OpenSSF-badge
Add OpenSSF Best Practices badge to README.md
2024-03-23 17:34:47 +01:00
0dc449f582
Add OpenSSF Best Practices badge to README.md
An OpenSSF Best Practices badge was added to the README file. This badge reflects adherence to critical open source software security practices.
2024-03-23 17:28:04 +01:00
11258613d5
Merge pull request #193 from wneessen/implement_fuzzing
Implement fuzzing
2024-03-23 16:52:01 +01:00
a4918210f1
Update Base64LineBreaker fuzzing tests in b64linebreaker_test.go
Updated the fuzzing tests in the `Base64LineBreaker_Write` function. The change specifically converts integer bytes from decimal to octal. This ensures proper testing of a wider range of input scenarios, increasing the reliability and robustness of the code.
2024-03-23 16:51:18 +01:00
dae7d80759
Add fuzzing tests for subject and from fields in msg_test.go
Included two new fuzzing tests for 'Subject' and 'From' to increase code coverage and reliability. These tests expand our checking strategy by using dynamic inputs and making sure no unexpected errors occur when dealing with a variety of possible input scenarios.
2024-03-23 16:46:21 +01:00
91a3fc5261
Ignore testdata in Git
Added 'testdata' to .gitignore file. This ensures that any files or folders named 'testdata', which are most likely used for local testing, will not be tracked by Git allowing for a cleaner working directory.
2024-03-23 16:36:01 +01:00
821ee0a9e1
Update Base64LineBreaker_Write testing
Enhanced testing for the Base64LineBreaker_Write function by adding a fuzz test. This additional fuzz test provides the function with a variety of random byte inputs as a way of uncovering any hidden errors and contributing to more reliable coding.
2024-03-23 16:35:32 +01:00
280f85abd1
Add fuzz testing to Base64LineBreaker_Write function
The update enhances testing for the Base64LineBreaker_Write function by creating a fuzz test. This new fuzz test feeds the function with a wide range of random byte inputs to improve the detection of hidden anomalies and help ensure more robust code.
2024-03-23 16:14:07 +01:00
932ac2be48
Merge pull request #192 from wneessen/fix_token_perms
Add read permissions to GitHub workflow files
2024-03-23 15:52:26 +01:00
c78388a2cb
Add read permissions to GitHub workflow files
This commit adds read permissions for 'contents' in the GitHub workflow files sonarqube.yml and reuse.yml. This allows these specific workflows to access the relevant contents they need for execution.
2024-03-23 15:49:03 +01:00
7 changed files with 78 additions and 1 deletions

21
.github/workflows/govulncheck.yml vendored Normal file
View file

@ -0,0 +1,21 @@
# SPDX-FileCopyrightText: 2022 Winni Neessen <winni@neessen.dev>
#
# SPDX-License-Identifier: CC0-1.0
name: Govulncheck Security Scan
on: [push, pull_request]
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: Run govulncheck
uses: golang/govulncheck-action@3a32958c2706f7048305d5a2e53633d7e37e97d0 # v1.0.2

View file

@ -6,6 +6,9 @@ name: REUSE Compliance Check
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest

View file

@ -3,6 +3,10 @@
# SPDX-License-Identifier: CC0-1.0 # SPDX-License-Identifier: CC0-1.0
name: SonarQube name: SonarQube
permissions:
contents: read
on: on:
push: push:
branches: branches:

2
.gitignore vendored
View file

@ -55,3 +55,5 @@ com_crashlytics_export_strings.xml
crashlytics.properties crashlytics.properties
crashlytics-build.properties crashlytics-build.properties
fabric.properties fabric.properties
testdata

View file

@ -12,6 +12,7 @@ SPDX-License-Identifier: CC0-1.0
[![Mentioned in Awesome Go](https://awesome.re/mentioned-badge-flat.svg)](https://github.com/avelino/awesome-go) [![Mentioned in Awesome Go](https://awesome.re/mentioned-badge-flat.svg)](https://github.com/avelino/awesome-go)
[![#go-mail on Discord](https://img.shields.io/badge/Discord-%23go%E2%80%93mail-blue.svg)](https://discord.gg/ysQXkaccXk) [![#go-mail on Discord](https://img.shields.io/badge/Discord-%23go%E2%80%93mail-blue.svg)](https://discord.gg/ysQXkaccXk)
[![REUSE status](https://api.reuse.software/badge/github.com/wneessen/go-mail)](https://api.reuse.software/info/github.com/wneessen/go-mail) [![REUSE status](https://api.reuse.software/badge/github.com/wneessen/go-mail)](https://api.reuse.software/info/github.com/wneessen/go-mail)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8701/badge)](https://www.bestpractices.dev/projects/8701)
<a href="https://ko-fi.com/D1D24V9IX"><img src="https://uploads-ssl.webflow.com/5c14e387dab576fe667689cf/5cbed8a4ae2b88347c06c923_BuyMeACoffee_blue.png" height="20" alt="buy ma a coffee"></a> <a href="https://ko-fi.com/D1D24V9IX"><img src="https://uploads-ssl.webflow.com/5c14e387dab576fe667689cf/5cbed8a4ae2b88347c06c923_BuyMeACoffee_blue.png" height="20" alt="buy ma a coffee"></a>
<p align="center"><img src="./assets/gopher2.svg" width="250" alt="go-mail logo"/></p> <p align="center"><img src="./assets/gopher2.svg" width="250" alt="go-mail logo"/></p>

View file

@ -5,6 +5,7 @@
package mail package mail
import ( import (
"bufio"
"bytes" "bytes"
"encoding/base64" "encoding/base64"
"fmt" "fmt"
@ -461,3 +462,20 @@ func (e errorWriter) Write([]byte) (int, error) {
func (e errorWriter) Close() error { func (e errorWriter) Close() error {
return fmt.Errorf("supposed to always fail") return fmt.Errorf("supposed to always fail")
} }
func FuzzBase64LineBreaker_Write(f *testing.F) {
f.Add([]byte("abc"))
f.Add([]byte("def"))
f.Add([]uint8{0o0, 0o1, 0o2, 30, 255})
buf := bytes.Buffer{}
bw := bufio.NewWriter(&buf)
f.Fuzz(func(t *testing.T, data []byte) {
b := &Base64LineBreaker{out: bw}
if _, err := b.Write(data); err != nil {
t.Errorf("failed to write to B64LineBreaker: %s", err)
}
if err := b.Close(); err != nil {
t.Errorf("failed to close B64LineBreaker: %s", err)
}
})
}

View file

@ -3219,3 +3219,31 @@ func TestNewMsgWithNoDefaultUserAgent(t *testing.T) {
t.Errorf("WithNoDefaultUserAgent() failed. Expected: %t, got: %t", true, false) t.Errorf("WithNoDefaultUserAgent() failed. Expected: %t, got: %t", true, false)
} }
} }
// Fuzzing tests
func FuzzMsg_Subject(f *testing.F) {
f.Add("Testsubject")
f.Add("")
f.Add("This is a longer test subject.")
f.Add("Let's add some umlauts: üäöß")
f.Add("Or even emojis: ☝️💪👍")
f.Fuzz(func(t *testing.T, data string) {
m := NewMsg()
m.Subject(data)
m.Reset()
})
}
func FuzzMsg_From(f *testing.F) {
f.Add("Toni Tester <toni@tester.com>")
f.Add("<tester@example.com>")
f.Add("mail@server.com")
f.Fuzz(func(t *testing.T, data string) {
m := NewMsg()
if err := m.From(data); err != nil &&
!strings.Contains(err.Error(), "failed to parse mail address") {
t.Errorf("failed set set FROM address: %s", err)
}
m.Reset()
})
}