test: Add security and error handling tests for lint warnings
Added comprehensive tests to address gosec and errcheck linter warnings:

1. bd-yxy (P0): Command injection prevention tests for git rm in merge command
   - Added merge_security_test.go with tests for shell metacharacters
   - Verified exec.Command safely passes arguments (no shell interpretation)
   - Added #nosec G204 comment explaining why code is safe

2. bd-nbc (P1): Security tests for file path validation in clean command
   - Added clean_security_test.go with path traversal tests
   - Verified filepath.Join safely constructs paths within .beads directory
   - Added #nosec G304 comment documenting safety guarantees

3. bd-lln (P2): Tests for performFlush error handling in FlushManager
   - Added tests documenting that performFlush intentionally returns nil
   - Errors are handled internally by flushToJSONLWithState
   - Tests verify graceful degradation when store is inactive

4. bd-gra (P2): Error handling test for cmd.Help() in search command
   - Added search_test.go documenting Help() error handling
   - Help() errors intentionally ignored (already in error path, will exit anyway)
   - Added #nosec G104 comment explaining rationale

All new tests pass. The linter warnings are false positives or intentional design decisions, now documented with tests and #nosec comments.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@@ -115,6 +115,9 @@ Preview what would be deleted:
// patterns from the "Merge artifacts" section
func readMergeArtifactPatterns(beadsDir string) ([]string, error) {
gitignorePath := filepath.Join(beadsDir, ".gitignore")
// #nosec G304 -- gitignorePath is safely constructed via filepath.Join from beadsDir
// (which comes from findBeadsDir searching upward for .beads). This can only open
// .gitignore within the project's .beads directory. See TestReadMergeArtifactPatterns_PathTraversal
file, err := os.Open(gitignorePath)
if err != nil {
return nil, fmt.Errorf("failed to open .gitignore: %w", err)
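Review bot: the added #nosec G304 comment credits filepath.Join for keeping the opened path inside .beads, but Join only cleans and concatenates; it does not confine the result to beadsDir. What actually makes this os.Open safe is that the only variable component is beadsDir (from findBeadsDir) and the appended name is the constant ".gitignore", so consider rewording the justification along those lines, e.g. `// #nosec G304 -- the only variable path component is beadsDir (from findBeadsDir); the file name is the constant ".gitignore"`. The comment also points at TestReadMergeArtifactPatterns_PathTraversal, which is not in this hunk; make sure that test name matches what lands in clean_security_test.go so the reference does not go stale.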