diff --git a/pkg/lightning/checkpoints/checkpoints.go b/pkg/lightning/checkpoints/checkpoints.go
index 47ced55db..45530c5be 100644
--- a/pkg/lightning/checkpoints/checkpoints.go
+++ b/pkg/lightning/checkpoints/checkpoints.go
@@ -1302,7 +1302,6 @@ func (cpdb *MySQLCheckpointsDB) GetLocalStoringTables(ctx context.Context) (map[
 // 2. engine status is earlier than CheckpointStatusImported, and
 // 3. chunk has been read
- // nolint:gosec
 query := fmt.Sprintf(`
 SELECT DISTINCT t.table_name, c.engine_id
 FROM %s.%s t, %s.%s c, %s.%s e
@@ -1316,7 +1315,7 @@ func (cpdb *MySQLCheckpointsDB) GetLocalStoringTables(ctx context.Context) (map[
 err := common.Retry("get local storing tables", log.L(), func() error {
 targetTables = make(map[string][]int32)
- rows, err := cpdb.db.QueryContext(ctx, query)
+ rows, err := cpdb.db.QueryContext(ctx, query) // #nosec G201
 if err != nil {
 return errors.Trace(err)
 }
@@ -1388,7 +1387,7 @@ func (cpdb *MySQLCheckpointsDB) DestroyErrorCheckpoint(ctx context.Context, tabl
 colName = columnTableName
 aliasedColName = "t.table_name"
 }
- // nolint:gosec
+
 selectQuery := fmt.Sprintf(`
 SELECT
 t.table_name,
@@ -1418,7 +1417,7 @@ func (cpdb *MySQLCheckpointsDB) DestroyErrorCheckpoint(ctx context.Context, tabl
 err := s.Transact(ctx, "destroy error checkpoints", func(c context.Context, tx *sql.Tx) error {
 // Obtain the list of tables
 targetTables = nil
- rows, e := tx.QueryContext(c, selectQuery, tableName)
+ rows, e := tx.QueryContext(c, selectQuery, tableName) // #nosec G201
 if e != nil {
 return errors.Trace(e)
 }
diff --git a/pkg/lightning/common/security.go b/pkg/lightning/common/security.go
index 08718ce1d..9db53f78a 100644
--- a/pkg/lightning/common/security.go
+++ b/pkg/lightning/common/security.go
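Review bot: The `// #nosec G201` added to `cpdb.db.QueryContext(ctx, query)` in GetLocalStoringTables carries no justification, and the same bare marker is added to `tx.QueryContext(c, selectQuery, tableName)` in DestroyErrorCheckpoint (hunk at -1418). Both statements are built with `fmt.Sprintf`, and the first visibly formats schema and table identifiers through `%s.%s`; the Sprintf arguments lie outside the hunks, so whether they are escaped cannot be confirmed from here. If they are fixed, escaped checkpoint identifiers, record that next to the suppression, for example `// #nosec G201 -- only escaped checkpoint schema/table names are formatted into the statement`, so a later edit that formats a caller-supplied value into the string is not silently covered. Both function bodies start and end outside the hunks.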
@@ -72,10 +72,11 @@ func ToTLSConfig(caPath, certPath, keyPath string) (*tls.Config, error) {
 return nil, errors.New("failed to append ca certs")
 }
- return &tls.Config{ // nolint:gosec
+ return &tls.Config{
 Certificates: certificates,
 RootCAs: certPool,
 NextProtos: []string{"h2", "http/1.1"}, // specify `h2` to let Go use HTTP/2.
+ MinVersion: tls.VersionTLS12,
 }, nil
 }
diff --git a/pkg/lightning/lightning.go b/pkg/lightning/lightning.go
index 02a8ec80b..23318d4c3 100644
--- a/pkg/lightning/lightning.go
+++ b/pkg/lightning/lightning.go
@@ -789,11 +789,11 @@ func CleanupMetas(ctx context.Context, cfg *config.Config, tableName string) err
 func UnsafeCloseEngine(ctx context.Context, importer backend.Backend, engine string) (*backend.ClosedEngine, error) {
 if index := strings.LastIndexByte(engine, ':'); index >= 0 {
 tableName := engine[:index]
- engineID, err := strconv.Atoi(engine[index+1:]) // nolint:gosec
+ engineID, err := strconv.Atoi(engine[index+1:])
 if err != nil {
 return nil, errors.Trace(err)
 }
- ce, err := importer.UnsafeCloseEngine(ctx, nil, tableName, int32(engineID))
+ ce, err := importer.UnsafeCloseEngine(ctx, nil, tableName, int32(engineID)) // #nosec G109
 return ce, errors.Trace(err)
 }
diff --git a/pkg/lightning/restore/meta_manager.go b/pkg/lightning/restore/meta_manager.go
index 58d8c5996..b0b08c905 100644
--- a/pkg/lightning/restore/meta_manager.go
+++ b/pkg/lightning/restore/meta_manager.go
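Review bot: `MinVersion: tls.VersionTLS12` in ToTLSConfig replaces a gosec suppression but has no comment, unlike the `NextProtos` line beside it. A short note keeps the floor from being lowered later to accommodate a legacy peer: `MinVersion: tls.VersionTLS12, // refuse TLS 1.0/1.1 handshakes`. If ToTLSConfig has a doc comment (it would sit above the hunk), the minimum version belongs there too, since every caller of this helper inherits it.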
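Review bot: The `// #nosec G109` on `int32(engineID)` in UnsafeCloseEngine (pkg/lightning/lightning.go) suppresses a truncation that is real rather than a false positive. `strconv.Atoi` returns a platform-sized int, so an engine suffix outside the int32 range parses without error and is wrapped to a different engine ID before `importer.UnsafeCloseEngine` is called. Parsing at the target width turns the range check into an ordinary error path and makes the suppression unnecessary: `engineID, err := strconv.ParseInt(engine[index+1:], 10, 32)`. The function body continues past the end of the hunk.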
@@ -180,8 +180,11 @@ func (m *dbTableMetaMgr) AllocTableRowIDs(ctx context.Context, rawRowIDMax int64
 }
 needAutoID := common.TableHasAutoRowID(m.tr.tableInfo.Core) || m.tr.tableInfo.Core.GetAutoIncrementColInfo() != nil || m.tr.tableInfo.Core.ContainsAutoRandomBits()
 err = exec.Transact(ctx, "init table allocator base", func(ctx context.Context, tx *sql.Tx) error {
- query := fmt.Sprintf("SELECT task_id, row_id_base, row_id_max, total_kvs_base, total_bytes_base, checksum_base, status from %s WHERE table_id = ? FOR UPDATE", m.tableName) // nolint:gosec
- rows, err := tx.QueryContext(ctx, query, m.tr.tableInfo.ID)
+ rows, err := tx.QueryContext(
+ ctx,
+ fmt.Sprintf("SELECT task_id, row_id_base, row_id_max, total_kvs_base, total_bytes_base, checksum_base, status from %s WHERE table_id = ? FOR UPDATE", m.tableName),
+ m.tr.tableInfo.ID,
+ )
 if err != nil {
 return errors.Trace(err)
 }
@@ -282,7 +285,7 @@ func (m *dbTableMetaMgr) AllocTableRowIDs(ctx context.Context, rawRowIDMax int64
 if needAutoID && newRowIDBase == 0 && newStatus < metaStatusRestoreStarted {
 newStatus = metaStatusRestoreStarted
 }
- query = fmt.Sprintf("update %s set row_id_base = ?, row_id_max = ?, status = ? where table_id = ? and task_id = ?", m.tableName)
+ query := fmt.Sprintf("update %s set row_id_base = ?, row_id_max = ?, status = ? where table_id = ? and task_id = ?", m.tableName)
 _, err := tx.ExecContext(ctx, query, newRowIDBase, newRowIDMax, newStatus.String(), m.tr.tableInfo.ID, m.taskID)
 if err != nil {
 return errors.Trace(err)
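Review bot: Moving `fmt.Sprintf(...)` into the `tx.QueryContext` argument list in AllocTableRowIDs leaves `m.tableName` formatted into the statement exactly as before, and the `// nolint:gosec` that at least marked the spot is gone with nothing in its place. The same rewrite appears in CheckAndUpdateLocalChecksum (-381), CheckTaskExist (-594), CheckTasksExclusively (-636), CheckAndPausePdSchedulers (-696) and CheckAndFinishRestore (-822). Where `m.tableName` is assigned is not visible in these hunks; if it is always an escaped, fully qualified name built internally, say so once on the field or at the first query, e.g. `// m.tableName is an escaped schema.table identifier built by the meta manager; row values are bound with ?`. Keeping the statement in a named local with a justified `// #nosec G201 -- ...` on the query call, as the checkpoints.go hunks on this page do, would also read better than a long literal nested inside the call.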
@@ -381,9 +384,11 @@ func (m *dbTableMetaMgr) CheckAndUpdateLocalChecksum(ctx context.Context, checks
 needChecksum = true
 needRemoteDupe = true
 err = exec.Transact(ctx, "checksum pre-check", func(ctx context.Context, tx *sql.Tx) error {
- // nolint:gosec
- query := fmt.Sprintf("SELECT task_id, total_kvs_base, total_bytes_base, checksum_base, total_kvs, total_bytes, checksum, status, has_duplicates from %s WHERE table_id = ? FOR UPDATE", m.tableName)
- rows, err := tx.QueryContext(ctx, query, m.tr.tableInfo.ID)
+ rows, err := tx.QueryContext(
+ ctx,
+ fmt.Sprintf("SELECT task_id, total_kvs_base, total_bytes_base, checksum_base, total_kvs, total_bytes, checksum, status, has_duplicates from %s WHERE table_id = ? FOR UPDATE", m.tableName),
+ m.tr.tableInfo.ID,
+ )
 if err != nil {
 return errors.Annotate(err, "fetch task meta failed")
 }
@@ -449,7 +454,7 @@ func (m *dbTableMetaMgr) CheckAndUpdateLocalChecksum(ctx context.Context, checks
 return errors.Trace(rows.Err())
 }
- query = fmt.Sprintf("update %s set total_kvs = ?, total_bytes = ?, checksum = ?, status = ?, has_duplicates = ? where table_id = ? and task_id = ?", m.tableName)
+ query := fmt.Sprintf("update %s set total_kvs = ?, total_bytes = ?, checksum = ?, status = ?, has_duplicates = ? where table_id = ? and task_id = ?", m.tableName)
 _, err = tx.ExecContext(ctx, query, checksum.SumKVS(), checksum.SumSize(), checksum.Sum(), newStatus.String(), hasLocalDupes, m.tr.tableInfo.ID, m.taskID)
 return errors.Annotate(err, "update local checksum failed")
 })
@@ -594,8 +599,10 @@ func (m *dbTaskMetaMgr) CheckTaskExist(ctx context.Context) (bool, error) {
 // avoid override existing metadata if the meta is already inserted.
 exist := false
 err := exec.Transact(ctx, "check whether this task has started before", func(ctx context.Context, tx *sql.Tx) error {
- query := fmt.Sprintf("SELECT task_id from %s WHERE task_id = %d", m.tableName, m.taskID) // nolint:gosec
- rows, err := tx.QueryContext(ctx, query)
+ rows, err := tx.QueryContext(ctx,
+ fmt.Sprintf("SELECT task_id from %s WHERE task_id = ?", m.tableName),
+ m.taskID,
+ )
 if err != nil {
 return errors.Annotate(err, "fetch task meta failed")
 }
@@ -636,8 +643,10 @@ func (m *dbTaskMetaMgr) CheckTasksExclusively(ctx context.Context, action func(t
 return errors.Annotate(err, "enable pessimistic transaction failed")
 }
 return exec.Transact(ctx, "check tasks exclusively", func(ctx context.Context, tx *sql.Tx) error {
- query := fmt.Sprintf("SELECT task_id, pd_cfgs, status, state, source_bytes, cluster_avail from %s FOR UPDATE", m.tableName) // nolint:gosec
- rows, err := tx.QueryContext(ctx, query)
+ rows, err := tx.QueryContext(
+ ctx,
+ fmt.Sprintf("SELECT task_id, pd_cfgs, status, state, source_bytes, cluster_avail from %s FOR UPDATE", m.tableName),
+ )
 if err != nil {
 return errors.Annotate(err, "fetch task metas failed")
 }
@@ -696,8 +705,10 @@ func (m *dbTaskMetaMgr) CheckAndPausePdSchedulers(ctx context.Context) (pdutil.U
 paused := false
 var pausedCfg storedCfgs
 err = exec.Transact(ctx, "check and pause schedulers", func(ctx context.Context, tx *sql.Tx) error {
- query := fmt.Sprintf("SELECT task_id, pd_cfgs, status, state from %s FOR UPDATE", m.tableName) // nolint:gosec
- rows, err := tx.QueryContext(ctx, query)
+ rows, err := tx.QueryContext(
+ ctx,
+ fmt.Sprintf("SELECT task_id, pd_cfgs, status, state from %s FOR UPDATE", m.tableName),
+ )
 if err != nil {
 return errors.Annotate(err, "fetch task meta failed")
 }
@@ -770,7 +781,7 @@ func (m *dbTaskMetaMgr) CheckAndPausePdSchedulers(ctx context.Context) (pdutil.U
 return errors.Trace(err)
 }
- query = fmt.Sprintf("update %s set pd_cfgs = ?, status = ? where task_id = ?", m.tableName)
+ query := fmt.Sprintf("update %s set pd_cfgs = ?, status = ? where task_id = ?", m.tableName)
 _, err = tx.ExecContext(ctx, query, string(jsonByts), taskMetaStatusScheduleSet.String(), m.taskID)
 return errors.Annotate(err, "update task pd configs failed")
@@ -822,8 +833,7 @@ func (m *dbTaskMetaMgr) CheckAndFinishRestore(ctx context.Context, finished bool
 switchBack := true
 allFinished := finished
 err = exec.Transact(ctx, "check and finish schedulers", func(ctx context.Context, tx *sql.Tx) error {
- query := fmt.Sprintf("SELECT task_id, status, state from %s FOR UPDATE", m.tableName) // nolint:gosec
- rows, err := tx.QueryContext(ctx, query)
+ rows, err := tx.QueryContext(ctx, fmt.Sprintf("SELECT task_id, status, state from %s FOR UPDATE", m.tableName))
 if err != nil {
 return errors.Annotate(err, "fetch task meta failed")
 }
@@ -883,7 +893,7 @@ func (m *dbTaskMetaMgr) CheckAndFinishRestore(ctx context.Context, finished bool
 newStatus = taskMetaStatusSwitchSkipped
 }
- query = fmt.Sprintf("update %s set status = ?, state = ? where task_id = ?", m.tableName)
+ query := fmt.Sprintf("update %s set status = ?, state = ? where task_id = ?", m.tableName)
 if _, err = tx.ExecContext(ctx, query, newStatus.String(), newState, m.taskID); err != nil {
 return errors.Trace(err)
 }
diff --git a/pkg/utils/pprof.go b/pkg/utils/pprof.go
index efa25389b..e11f2dcf0 100644
--- a/pkg/utils/pprof.go
+++ b/pkg/utils/pprof.go
@@ -11,7 +11,6 @@ import (
 // #nosec // register HTTP handler for /debug/pprof
 "net/http"
- _ "net/http/pprof" // nolint:gosec
 "github.com/pingcap/errors"
 "github.com/pingcap/failpoint"
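Review bot: Dropping `_ "net/http/pprof"` from pkg/utils/pprof.go removes the package's init-time registration of the /debug/pprof handlers on `http.DefaultServeMux`, while the comment `// register HTTP handler for /debug/pprof` and the bare `// #nosec` stay behind and now sit above the plain `"net/http"` import. Unless the handlers are registered explicitly elsewhere in the file (the import block and everything after it lie outside the hunk), the profiling endpoint stops being served. If that is the intent, delete the two stale comment lines so the file no longer claims to register anything. If profiling is meant to stay, keep the import with a scoped, justified marker such as `_ "net/http/pprof" // #nosec G108 -- <why exposing pprof on this listener is acceptable>` and confirm the listener is not reachable from untrusted networks.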