Address the final 3 CodeQL security alerts for 'Insecure TLS configuration':
**Root Cause**:
CodeQL detected that setting or
would result in , which is insecure
(TLS version 0).
**Security Fix**:
- When or is specified, don't set
the TLS version at all - let Go use its secure defaults
- Only set explicit TLS versions when they are >= TLS 1.2 (secure)
- Applied fix consistently across all client types
**Files Fixed**:
- options.go (lines 609, 620) - Single client
- osscluster.go (lines 336, 350) - Cluster client
- sentinel.go (lines 446, 460) - Sentinel client
**Security Behavior**:
- → Don't set MinVersion (Go default: secure)
- → Error: insecure, minimum TLS 1.2 required
- → Set explicit secure version
- Same logic applies to
**Test Coverage**:
- Added test case for behavior
- Verified all security validation tests pass
- Confirmed no regression in functionality
This resolves all remaining CodeQL security alerts while maintaining
secure defaults and clear error messages for insecure configurations.
Building on Ben Weissmann's original implementation, this commit adds:
- Snake_case parameter names (addressing reviewer feedback):
* tls_cert_file and tls_key_file (instead of TLSCertPEMFile/TLSKeyPEMFile)
* tls_min_version and tls_max_version (instead of TLSMinVersion/TLSMaxVersion)
* tls_server_name (instead of ServerName)
- Improved error messages for better user experience
- Updated test cases to use snake_case parameters
- Removed redundant tls_insecure_skip_verify (use existing skip_verify)
- Enhanced documentation with clear parameter descriptions
This addresses all reviewer feedback from PR #2076 while maintaining
the core functionality and comprehensive test coverage.
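As an added example (not go-redis code and not part of any of these commits), this Go snippet applies the rule from the CodeQL fix above to the snake_case tls_min_version / tls_max_version URL parameters: an absent value leaves the tls.Config field untouched so Go's secure default applies, versions below 1.2 are rejected with an error, and only 1.2 / 1.3 are written explicitly. The "1.2"/"1.3" value format and the function names are assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/url"
)

// tlsVersionFromParam maps a tls_min_version / tls_max_version value to a crypto/tls
// constant. The "1.2"/"1.3" format is this example's assumption. "" yields 0 so the
// caller leaves the field unset (Go's secure default); 1.0/1.1 are rejected outright
// instead of being mapped to an insecure constant or to 0.
func tlsVersionFromParam(v string) (uint16, error) {
	switch v {
	case "":
		return 0, nil
	case "1.2":
		return tls.VersionTLS12, nil
	case "1.3":
		return tls.VersionTLS13, nil
	case "1.0", "1.1":
		return 0, fmt.Errorf("tls version %q is insecure, minimum TLS 1.2 required", v)
	}
	return 0, fmt.Errorf("unknown tls version %q", v)
}

// tlsConfigFromURL builds a *tls.Config from the TLS query parameters of a URL such
// as rediss://localhost/1?tls_min_version=1.2, writing only safely requested versions.
func tlsConfigFromURL(raw string) (*tls.Config, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	minV, err := tlsVersionFromParam(u.Query().Get("tls_min_version"))
	if err != nil {
		return nil, fmt.Errorf("tls_min_version: %w", err)
	}
	maxV, err := tlsVersionFromParam(u.Query().Get("tls_max_version"))
	if err != nil {
		return nil, fmt.Errorf("tls_max_version: %w", err)
	}
	// Assign only when the user asked for a version; never write a zero value.
	cfg := &tls.Config{ServerName: u.Hostname()}
	if minV != 0 {
		cfg.MinVersion = minV
	}
	if maxV != 0 {
		cfg.MaxVersion = maxV
	}
	return cfg, nil
}
```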
* chore: set the default value for the `options.protocol` in the `init()` of `options`
Signed-off-by: fukua95 <fukua95@gmail.com>
* add a test
Signed-off-by: fukua95 <fukua95@gmail.com>
---------
Signed-off-by: fukua95 <fukua95@gmail.com>
* run go fix ./...
Signed-off-by: Tiago Peczenyj <tpeczenyj@weborama.com>
* run make fmt
Signed-off-by: Tiago Peczenyj <tpeczenyj@weborama.com>
* fix go vet ./... issues
* Update README.md
Reorder imports with the rules defined in the Makefile
as if we run `make fmt`
* run gofumpt -w .
* update Makefile to use gofumpt instead of gofmt
* increment makefile
* format test
* format tests
Signed-off-by: Tiago Peczenyj <tpeczenyj@weborama.com>
---------
Signed-off-by: Tiago Peczenyj <tpeczenyj@weborama.com>
Co-authored-by: ofekshenawa <104765379+ofekshenawa@users.noreply.github.com>
Before this change, ParseURL would only accept a very restricted
set of URLs (it returned an error if it encountered any parameter).
This commit introduces the ability to process URLs like
redis://localhost/1?dial_timeout=10s
and similar.
Go programs which were providing a configuration tunable (e.g.
CLI flag, config entry or environment variable) to configure
the Redis connection now don't need to perform this task
themselves.
This is in preparation for supporting query parameters
in ParseURL:
- use an expected *Options instance to execute assertions on
- extract assertions into helper function
- enable parallel testing
- condense test table