Fix all gosec linter warnings #43
Merged: JamieMagee merged 1 commit into main, Feb 10, 2026.
- Set ReadHeaderTimeout on http.Server to prevent Slowloris attacks (G112)
- Set TLS MinVersion to 1.2 on tls.Config (G402)
- Tighten directory permissions from 0755 to 0750 (G301)
- Tighten file write permissions from 0644 to 0600 in tests (G306)
- Sanitize file paths with filepath.Clean before opening (G304)
- Guard uint-to-int64 conversion with overflow check (G115)
- Add nolint annotations for false-positive credential detections in test data and env var constant names (G101)
Pull request overview
This PR addresses all 27 gosec linter warnings across the codebase by implementing security hardening measures in source files and cleaning up test files.
Changes:
- Added security hardening to production code: ReadHeaderTimeout for HTTP servers, TLS 1.2 minimum version enforcement, tightened file permissions, filepath cleaning, and overflow guards for type conversions
- Updated test infrastructure with the same security settings (ReadHeaderTimeout, TLS MinVersion)
- Added nolint annotations for legitimate test fixtures flagged as hardcoded credentials
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.
Summary per file:
| File | Description |
|---|---|
| main.go | Added ReadHeaderTimeout to production HTTP server to prevent Slowloris attacks |
| proxy.go | Set MinVersion to TLS 1.2 in TLS client config to prevent use of insecure TLS versions |
| proxy_test.go | Added ReadHeaderTimeout to test HTTP servers and MinVersion to test TLS client config |
| internal/oidc/actions_oidc.go | Added overflow guard for uint-to-int64 conversion when computing token expiry, plus nolint annotations for false positive gosec warnings on constant strings |
| internal/config/config.go | Wrapped file path with filepath.Clean before opening to prevent path traversal |
| internal/config/config_test.go | Tightened file permissions from 0644 to 0600 for test config files |
| internal/cache/handlers.go | Tightened directory permissions from 0755 to 0750 and wrapped file paths with filepath.Clean before operations |
| logging_test.go | Wrapped os.ReadFile path with filepath.Clean |
| internal/handlers/python_index_test.go | Added nolint annotations for test credential variables |
| internal/handlers/pub_repository_test.go | Added nolint annotations for test credential variables |
| internal/handlers/oidc_handling_test.go | Added nolint annotation for test URL variable |
| internal/handlers/github_api_test.go | Added nolint annotations for test credential variables |
| internal/handlers/git_server_test.go | Added nolint annotations for test credential variables |
| internal/handlers/cargo_registry_test.go | Added nolint annotations for test credential variables |
| internal/apiclient/client_test.go | Added nolint annotation for test credential constant |
truggeri approved these changes (Feb 10, 2026).
The gosec linter was reporting 27 warnings across the codebase. This PR fixes all of them.
What changed
Security hardening (source files):
- main.go: Added ReadHeaderTimeout to the HTTP server to prevent Slowloris attacks (G112)
- proxy.go: Set MinVersion: tls.VersionTLS12 on the TLS config (G402)
- internal/cache/handlers.go: Tightened directory permissions from 0755 to 0750 (G301), and wrapped file paths with filepath.Clean before opening (G304)
- internal/config/config.go: Wrapped file path with filepath.Clean before opening (G304)
- internal/oidc/actions_oidc.go: Added overflow guard for uint-to-int64 conversion when computing token expiry (G115)

Test file cleanup:
- Added ReadHeaderTimeout and MinVersion to test servers in proxy_test.go (G112, G402)
- Tightened WriteFile permissions from 0644 to 0600 in config_test.go (G306)
- Wrapped os.ReadFile path with filepath.Clean in logging_test.go (G304)
- Added //nolint:gosec annotations to test variables flagged as hardcoded credentials -- these are fake tokens used only in tests (G101)
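The five hardening items listed in the PR description and in the per-file review summary (ReadHeaderTimeout, TLS MinVersion, the 0750/0600 permissions, filepath.Clean before file access, and the uint-to-int64 guard) as one added, self-contained Go example. This is illustrative code written for this page, not code from this PR or its repository: the function names (newHardenedServer, newTLSClientConfig, containedPath, writeUnder, readUnder, expiryUnix), the 10-second header timeout and the sample inputs are assumptions. One caveat worth keeping in mind when reading the G304 fixes: filepath.Clean only normalises the string, which is what satisfies gosec; on its own it does not stop a caller-supplied "../" from leaving the intended directory, so the example pairs it with a containment check against the root directory.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"math"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// newHardenedServer sets ReadHeaderTimeout (gosec G112). Without it a client
// can trickle header bytes forever and hold a connection open (Slowloris);
// the timeout bounds how long the server waits for the complete header block.
// The 10s value is an assumption for this example, not the project's setting.
func newHardenedServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second,
	}
}

// newTLSClientConfig pins the protocol floor (gosec G402). An explicit
// MinVersion refuses TLS 1.0/1.1 outright and makes the floor independent of
// the toolchain default, which has changed across Go releases.
func newTLSClientConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// containedPath resolves name relative to root and rejects anything that
// escapes it. filepath.Clean/Join only normalise the string (that is what
// silences gosec G304); the prefix check is what actually blocks "../".
func containedPath(root, name string) (string, error) {
	cleanRoot := filepath.Clean(root)
	p := filepath.Join(cleanRoot, name) // Join applies Clean to the result
	if p != cleanRoot && !strings.HasPrefix(p, cleanRoot+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes %q", name, root)
	}
	return p, nil
}

// writeUnder creates parent directories with 0750 (G301) and writes the file
// with 0600 (G306): the group may traverse the tree, nobody else may, and
// file contents are owner-only. The process umask can tighten these further.
func writeUnder(root, name string, data []byte) error {
	p, err := containedPath(root, name)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o750); err != nil {
		return err
	}
	return os.WriteFile(p, data, 0o600)
}

// readUnder reads a file back through the same containment check.
func readUnder(root, name string) ([]byte, error) {
	p, err := containedPath(root, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(p)
}

// expiryUnix turns a token lifetime given as uint seconds into an int64 Unix
// timestamp. A bare int64(n) wraps negative for n > math.MaxInt64 (gosec
// G115), so both the conversion and the addition are range-checked.
func expiryUnix(now time.Time, lifetimeSeconds uint) (int64, error) {
	if uint64(lifetimeSeconds) > math.MaxInt64 {
		return 0, errors.New("token lifetime does not fit in int64")
	}
	lifetime := int64(lifetimeSeconds)
	base := now.Unix()
	if base >= 0 && lifetime > math.MaxInt64-base {
		return 0, errors.New("token expiry overflows int64")
	}
	return base + lifetime, nil
}

func main() {
	// Constructed sample: a throwaway cache root and a fake index file.
	root, err := os.MkdirTemp("", "cache-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)

	if err := writeUnder(root, "pkg/index.json", []byte(`{"ok":true}`)); err != nil {
		panic(err)
	}
	_, err = readUnder(root, "../../etc/passwd")
	fmt.Println("traversal rejected:", err != nil)

	exp, err := expiryUnix(time.Unix(1_700_000_000, 0), 3600)
	fmt.Println("expiry:", exp, err)
	_, err = expiryUnix(time.Now(), ^uint(0))
	fmt.Println("overflow rejected:", err != nil)

	srv := newHardenedServer(":8080", http.NotFoundHandler())
	fmt.Println("header timeout:", srv.ReadHeaderTimeout,
		"tls floor is 1.2:", newTLSClientConfig().MinVersion == tls.VersionTLS12)
}
```

Run it with `go run .`: main writes one file into a temporary cache root, shows a "../" lookup being rejected by the containment check rather than by filepath.Clean, and shows the expiry guard refusing a lifetime that does not fit in int64. The 0750/0600 modes are what the code requests; os.MkdirAll and os.WriteFile still apply the process umask, so the effective modes can be tighter but never looser.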