johno/beads
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Address gosec security warnings (bd-102)

Browse Source 
- Enable gosec linter in .golangci.yml
- Tighten file permissions: 0755→0750 for directories, 0644→0600 for configs
- Git hooks remain 0700 (executable, user-only access)
- Add #nosec comments for safe cases with justifications:
  - G204: Safe subprocess launches (git show, bd daemon)
  - G304: File inclusions with controlled paths
  - G201: SQL formatting with controlled column names
  - G115: Integer conversions with controlled values

All gosec warnings resolved (20→0). All tests passing.

Amp-Thread-ID: https://ampcode.com/threads/T-d7166b9e-cbbe-4c7b-9e48-3df36b20f0d0
Co-authored-by: Amp <amp@ampcode.com>
This commit is contained in:
Steve Yegge
2025-10-26 22:48:19 -07:00
parent 4ea347e08a
commit 648ecfafe7
21 changed files with 67 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/bd/daemon_lock.go
View File

@@ -45,6 +45,7 @@ func acquireDaemonLock(beadsDir string, dbPath string) (*DaemonLock, error) {
lockPath := filepath.Join(beadsDir, "daemon.lock")
// Open or create the lock file
// #nosec G304 - controlled path from config
f, err := os.OpenFile(lockPath, os.O_CREATE|os.O_RDWR, 0600)
if err != nil {
return nil, fmt.Errorf("cannot open lock file: %w", err)
@@ -88,6 +89,7 @@ func tryDaemonLock(beadsDir string) (running bool, pid int) {
lockPath := filepath.Join(beadsDir, "daemon.lock")
// Open lock file with read-write access (required for LockFileEx on Windows)
// #nosec G304 - controlled path from config
f, err := os.OpenFile(lockPath, os.O_RDWR, 0)
if err != nil {
// No lock file - could be old daemon without lock support
@@ -134,6 +136,7 @@ func tryDaemonLock(beadsDir string) (running bool, pid int) {
func readDaemonLockInfo(beadsDir string) (*DaemonLockInfo, error) {
lockPath := filepath.Join(beadsDir, "daemon.lock")
// #nosec G304 - controlled path from config
data, err := os.ReadFile(lockPath)
if err != nil {
return nil, err
@@ -182,6 +185,7 @@ func validateDaemonLock(beadsDir string, expectedDB string) error {
// This is used for backward compatibility with pre-lock daemons.
func checkPIDFile(beadsDir string) (running bool, pid int) {
pidFile := filepath.Join(beadsDir, "daemon.pid")
// #nosec G304 - controlled path from config
data, err := os.ReadFile(pidFile)
if err != nil {
return false, 0