lint: enable bodyclose (ensure response bodies are closed to avoid leaks) (#4200)

Author: mmetc

.golangci.yml

@@ -522,11 +522,6 @@ linters:
           - govet
         text: 'shadow: declaration of "(err|ctx)" shadows declaration'
 
-      # https://github.com/timakin/bodyclose
-      - linters:
-          - bodyclose
-        text: response body must be closed
-
       - linters:
           - revive
         path: pkg/leakybucket/manager_load.go

cmd/crowdsec-cli/core/require/branch.go

@@ -56,6 +56,7 @@ func lookupLatest(ctx context.Context) (string, error) {
 	if err != nil {
 		return "", err
 	}
+	defer resp.Body.Close()
 
 	latest := make(map[string]any)
 

cmd/notification-splunk/main.go

@@ -75,6 +75,7 @@ func (s *Splunk) Notify(ctx context.Context, notification *protobufs.Notificatio
 	if err != nil {
 		return &protobufs.Empty{}, err
 	}
+	defer resp.Body.Close()
 
 	if resp.StatusCode != http.StatusOK {
 		content, err := io.ReadAll(resp.Body)

pkg/acquisition/modules/http/http_test.go

@@ -31,6 +31,14 @@ const (
 	testHTTPServerAddrTLS = "https://127.0.0.1:8080"
 )
 
+func closeBody(t *testing.T, resp *http.Response) {
+	t.Helper()
+
+	if resp != nil && resp.Body != nil {
+		_ = resp.Body.Close()
+	}
+}
+
 func TestGetUuid(t *testing.T) {
 	h := Source{}
 	h.Config.UniqueId = "test"
@@ -94,6 +102,7 @@ basic_auth:
 	res, err := http.DefaultClient.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusMethodNotAllowed, res.StatusCode)
+	closeBody(t, res)
 
 	// Check that GET/HEAD requests return a 200
 
@@ -103,13 +112,15 @@ basic_auth:
 	res, err = http.DefaultClient.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusOK, res.StatusCode)
+	closeBody(t, res)
 
 	req, err = http.NewRequestWithContext(ctx, http.MethodHead, testHTTPServerAddr+"/test", http.NoBody)
 	require.NoError(t, err)
 	req.SetBasicAuth("test", "test")
 	res, err = http.DefaultClient.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusOK, res.StatusCode)
+	closeBody(t, res)
 
 	h.Server.Close()
 	tomb.Kill(nil)
@@ -138,6 +149,7 @@ basic_auth:
 	res, err := http.DefaultClient.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusNotFound, res.StatusCode)
+	closeBody(t, res)
 
 	h.Server.Close()
 	tomb.Kill(nil)
@@ -168,6 +180,7 @@ basic_auth:
 	resp, err := http.DefaultClient.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+	closeBody(t, resp)
 
 	req, err = http.NewRequestWithContext(ctx, http.MethodPost, testHTTPServerAddr+"/test", strings.NewReader("test"))
 	require.NoError(t, err)
@@ -176,6 +189,7 @@ basic_auth:
 	resp, err = client.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+	closeBody(t, resp)
 
 	h.Server.Close()
 	tomb.Kill(nil)
@@ -205,6 +219,7 @@ headers:
 	resp, err := client.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+	closeBody(t, resp)
 
 	h.Server.Close()
 	tomb.Kill(nil)
@@ -235,6 +250,7 @@ max_body_size: 5`), 0)
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusRequestEntityTooLarge, resp.StatusCode)
+	closeBody(t, resp)
 
 	h.Server.Close()
 	tomb.Kill(nil)
@@ -268,6 +284,7 @@ headers:
 	resp, err := client.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	closeBody(t, resp)
 
 	err = <-errChan
 	require.NoError(t, err)
@@ -310,6 +327,7 @@ custom_headers:
 
 	assert.Equal(t, http.StatusCreated, resp.StatusCode)
 	assert.Equal(t, "true", resp.Header.Get("Success"))
+	closeBody(t, resp)
 
 	err = <-errChan
 	require.NoError(t, err)
@@ -357,6 +375,7 @@ headers:
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	closeBody(t, resp)
 
 	err = <-errChan
 	require.NoError(t, err)
@@ -455,6 +474,7 @@ timeout: 1s`), 0)
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	closeBody(t, resp)
 
 	h.Server.Close()
 	tomb.Kill(nil)
@@ -486,6 +506,7 @@ tls:
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	closeBody(t, resp)
 
 	h.Server.Close()
 	tomb.Kill(nil)
@@ -539,6 +560,7 @@ tls:
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	closeBody(t, resp)
 
 	err = <-errChan
 	require.NoError(t, err)
@@ -599,6 +621,7 @@ tls:
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	closeBody(t, resp)
 
 	err = <-errChan
 	require.NoError(t, err)
@@ -654,6 +677,7 @@ headers:
 	require.NoError(t, err)
 
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	closeBody(t, resp)
 
 	err = <-errChan
 	require.NoError(t, err)
@@ -695,6 +719,7 @@ headers:
 	resp, err := client.Do(req)
 	require.NoError(t, err)
 	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	closeBody(t, resp)
 
 	err = <-errChan
 	require.NoError(t, err)

pkg/acquisition/modules/loki/internal/lokiclient/loki_client.go

@@ -264,13 +264,17 @@ func (lc *LokiClient) Tail(ctx context.Context) (chan *LokiResponse, error) {
 	}
 	lc.Logger.Infof("Connecting to %s", u)
 
-	conn, _, err := dialer.Dial(u, requestHeader)
+	conn, resp, err := dialer.Dial(u, requestHeader)
+	if resp != nil && resp.Body != nil {
+		_ = resp.Body.Close()
+	}
 	if err != nil {
 		lc.Logger.Errorf("Error connecting to websocket, err: %s", err)
 		return responseChan, errors.New("error connecting to websocket")
 	}
 
 	lc.t.Go(func() error {
+		defer conn.Close()
 		for {
 			jsonResponse := &LokiResponse{}