Fix all gosec linter warnings (#43)

Author: JamieMagee

internal/apiclient/client_test.go

@@ -25,7 +25,7 @@ import (
 
 const (
 	jobID    = "1234"
-	jobToken = "hey-dependabot-api-its-me-ur-brother"
+	jobToken = "hey-dependabot-api-its-me-ur-brother" //nolint:gosec // test credential
 )
 
 func TestClient_ReportMetrics_Success(t *testing.T) {

internal/cache/handlers.go

@@ -125,7 +125,7 @@ func New(enabled bool, cacheDir string) (*DB, error) {
 	if !enabled {
 		return nil, nil
 	}
-	if err := os.Mkdir(cacheDir, 0755); err != nil && !os.IsExist(err) {
+	if err := os.Mkdir(cacheDir, 0750); err != nil && !os.IsExist(err) {
 		cacheDir = filepath.Join(os.TempDir(), "cache")
 	}
 	db := &DB{
@@ -134,7 +134,7 @@ func New(enabled bool, cacheDir string) (*DB, error) {
 	}
 
 	// attempt to load pre-existing DB
-	f, err := os.Open(filepath.Join(cacheDir, "db.yaml"))
+	f, err := os.Open(filepath.Clean(filepath.Join(cacheDir, "db.yaml")))
 	if err != nil {
 		return db, nil
 	}
@@ -225,7 +225,7 @@ func (d *DB) OnResponse(resp *http.Response, ctx *goproxy.ProxyCtx) *http.Respon
 	}
 
 	fileName := fmt.Sprintf("%06d-%v", d.nextNumber(), sanitize(resp.Request.Host))
-	f, err := os.Create(filepath.Join(d.cacheDir, fileName))
+	f, err := os.Create(filepath.Clean(filepath.Join(d.cacheDir, fileName)))
 	if err != nil {
 		logrus.Warnln("Failed to write to cache:", err.Error())
 		return resp
@@ -276,7 +276,7 @@ func (d *DB) WriteToDisk() error {
 	d.Lock()
 	defer d.Unlock()
 
-	f, err := os.Create(filepath.Join(d.cacheDir, "db.yaml"))
+	f, err := os.Create(filepath.Clean(filepath.Join(d.cacheDir, "db.yaml")))
 	if err != nil {
 		logrus.Errorln("Failed to create db file:", err.Error())
 		return err

internal/config/config.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"net/url"
 	"os"
+	"path/filepath"
 	"strings"
 )
 
@@ -96,7 +97,7 @@ func Parse(path string) (*Config, error) {
 		reader = os.Stdin
 	} else {
 		var err error
-		reader, err = os.Open(path)
+		reader, err = os.Open(filepath.Clean(path))
 		if err != nil {
 			return nil, err
 		}

internal/config/config_test.go

@@ -35,7 +35,7 @@ func TestParse(t *testing.T) {
 				} else {
 					configPath = path.Join(temp, fname)
 					d1 := []byte(tc.input)
-					err := os.WriteFile(configPath, d1, 0644)
+					err := os.WriteFile(configPath, d1, 0600)
 					require.NoError(t, err)
 				}
 

internal/handlers/cargo_registry_test.go

@@ -14,9 +14,9 @@ func TestCargoRegistryHandler(t *testing.T) {
 	validURLWithPathBase := "https://valid-url-path.example.com"
 	validURLWithPath := validURLWithPathBase + "/path"
 	invalidURL := "asdf"
-	noTokenURL := "https://no-token.example.com"
+	noTokenURL := "https://no-token.example.com" //nolint:gosec // test URL, not a credential
 
-	token := "Bearer abc123"
+	token := "Bearer abc123" //nolint:gosec // test credential
 
 	credentials := config.Credentials{
 		config.Credential{

internal/handlers/git_server_test.go

@@ -132,7 +132,7 @@ func TestGitServerHandler_AuthenticatedAccessToGitHubRepos(t *testing.T) {
 	installationToken2 := "v1.token2"
 	privateRepo2Cred := testGitSourceCred("github.com", "x-access-token", installationToken2, withAccessibleRepos([]string{"github/private-repo-2"}))
 
-	userToken := "ghp_fakefakefakesuperfake1"
+	userToken := "ghp_fakefakefakesuperfake1" //nolint:gosec // test credential
 	privateRepo3Cred := testGitSourceCred("github.com", "x-access-token", userToken, withAccessibleRepos([]string{"github/private-repo-3"}))
 
 	tests := []struct {
@@ -246,8 +246,8 @@ func TestGitServerHandlerNoRetry(t *testing.T) {
 
 func TestGitServerHandler_TokenFallback(t *testing.T) {
 	installationToken := "v1.token"
-	userToken1 := "ghp_fakefakefakesuperfake1"
-	userToken2 := "ghp_fakefakefakesuperfake2"
+	userToken1 := "ghp_fakefakefakesuperfake1" //nolint:gosec // test credential
+	userToken2 := "ghp_fakefakefakesuperfake2" //nolint:gosec // test credential
 	credentials := config.Credentials{
 		testGitSourceCred("github.com", "x-access-token", installationToken),
 		testGitSourceCred("github.com", "x-access-token", userToken1),
@@ -347,7 +347,7 @@ func TestGitServerHandler_TokenFallback(t *testing.T) {
 
 func TestGitServerHandler_TokenFallbackWithPost(t *testing.T) {
 	installationToken := "v1.token"
-	userToken := "ghp_fakefakefakesuperfake"
+	userToken := "ghp_fakefakefakesuperfake" //nolint:gosec // test credential
 	credentials := config.Credentials{
 		testGitSourceCred("github.com", "x-access-token", installationToken),
 		testGitSourceCred("github.com", "x-access-token", userToken),

internal/handlers/github_api_test.go

@@ -111,7 +111,7 @@ func TestGitHubAPIHandler_AuthenticatedAccessToGitHubRepos(t *testing.T) {
 	installationToken2 := "v1.token2"
 	privateRepo2Cred := testGitSourceCred("github.com", "x-access-token", installationToken2, withAccessibleRepos([]string{"github/private-repo-2"}))
 
-	userToken := "ghp_fakefakefakesuperfake1"
+	userToken := "ghp_fakefakefakesuperfake1" //nolint:gosec // test credential
 	privateRepo3Cred := testGitSourceCred("github.com", "x-access-token", userToken, withAccessibleRepos([]string{"github/private-repo-3"}))
 
 	tests := []struct {
@@ -312,8 +312,8 @@ func TestGitHubAPIHandler_TokenFallback(t *testing.T) {
 	installationToken1 := "v1.token1"
 	installationToken2 := "v1.token2"
 	installationToken3 := "v1.token3"
-	userToken1 := "ghp_fakefakefakesuperfake1"
-	userToken2 := "ghp_fakefakefakesuperfake2"
+	userToken1 := "ghp_fakefakefakesuperfake1" //nolint:gosec // test credential
+	userToken2 := "ghp_fakefakefakesuperfake2" //nolint:gosec // test credential
 	credentials := config.Credentials{
 		testGitSourceCred("github.com", "x-access-token", installationToken1),
 		testGitSourceCred("github.com", "x-access-token", installationToken2, withAccessibleRepos([]string{"foo/qux"})),
@@ -430,8 +430,8 @@ func TestGitHubAPIHandler_TokenFallback(t *testing.T) {
 
 func TestGitHubAPIHandler_TokenFallback_In_Proxima(t *testing.T) {
 	installationToken := "v1.token"
-	userToken1 := "ghp_fakefakefakesuperfake1"
-	userToken2 := "ghp_fakefakefakesuperfake2"
+	userToken1 := "ghp_fakefakefakesuperfake1" //nolint:gosec // test credential
+	userToken2 := "ghp_fakefakefakesuperfake2" //nolint:gosec // test credential
 	credentials := config.Credentials{
 		testGitSourceCred("foo.ghe.com", "x-access-token", installationToken),
 		testGitSourceCred("foo.ghe.com", "x-access-token", userToken1),

internal/handlers/oidc_handling_test.go

@@ -1001,7 +1001,7 @@ func TestOIDCURLsAreAuthenticated(t *testing.T) {
 			}
 
 			// mock GitHub OIDC token request
-			tokenUrl := "https://token.actions.example.com"
+			tokenUrl := "https://token.actions.example.com" //nolint:gosec // test URL
 			httpmock.RegisterResponder("GET", tokenUrl,
 				httpmock.NewStringResponder(200, `{
 				"count": 1,

internal/handlers/pub_repository_test.go

@@ -14,9 +14,9 @@ func TestPubRepositoryHandler(t *testing.T) {
 	validURLWithPathBase := "https://valid-url-path.example.com"
 	validURLWithPath := validURLWithPathBase + "/path"
 	invalidURL := "asdf"
-	noTokenURL := "https://no-token.example.com"
+	noTokenURL := "https://no-token.example.com" //nolint:gosec // test URL, not a credential
 
-	token := "abc123"
+	token := "abc123" //nolint:gosec // test credential
 
 	credentials := config.Credentials{
 		config.Credential{

internal/handlers/python_index_test.go

@@ -9,8 +9,8 @@ import (
 )
 
 func TestPythonIndexHandler(t *testing.T) {
-	dependabotToken := "123"
-	dependabotSecToken := "dependabot:sec123"
+	dependabotToken := "123"                  //nolint:gosec // test credential
+	dependabotSecToken := "dependabot:sec123" //nolint:gosec // test credential
 	simpleSecToken := "simple:sec245"
 	deltaForceUser := "some-user"
 	deltaForcePassword := "456"