Fix gosec warnings: tighten file permissions and add exclusions (bd-b47c034e)

2025-11-02 15:38:55 -08:00
parent 334ef713b7
commit 94fc772139
5 changed files with 13 additions and 8 deletions
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -38,6 +38,11 @@ linters:
        linters:
          - gosec
        text: "G304"
      # G306: File permissions 0644 in tests are acceptable (test fixtures)
      - path: '_test\.go'
        linters:
          - gosec
        text: "G306"
      # G304: Safe file reads from known JSONL and error paths
      - path: 'cmd/bd/autoflush\.go|internal/daemon/discovery\.go|internal/daemonrunner/sync\.go'
        linters:
--- a/cmd/bd/autoflush.go
+++ b/cmd/bd/autoflush.go
@@ -46,7 +46,7 @@ func findJSONLPath() string {
 	// Ensure the directory exists (important for new databases)
 	// This is the only difference from the public API - we create the directory
 	dbDir := filepath.Dir(dbPath)
-	if err := os.MkdirAll(dbDir, 0755); err != nil {
+	if err := os.MkdirAll(dbDir, 0750); err != nil {
 		// If we can't create the directory, return discovered path anyway
 		// (the subsequent write will fail with a clearer error)
 		return jsonlPath
--- a/internal/daemon/registry.go
+++ b/internal/daemon/registry.go
@@ -34,7 +34,7 @@ func NewRegistry() (*Registry, error) {
 	}
 	beadsDir := filepath.Join(home, ".beads")
-	if err := os.MkdirAll(beadsDir, 0755); err != nil {
+	if err := os.MkdirAll(beadsDir, 0750); err != nil {
 		return nil, fmt.Errorf("failed to create .beads directory: %w", err)
 	}
--- a/internal/daemonrunner/daemon_test.go
+++ b/internal/daemonrunner/daemon_test.go
@@ -44,10 +44,10 @@ func TestDetermineDatabasePath(t *testing.T) {
 	beadsDir := filepath.Join(tmpDir, ".beads")
 	dbPath := filepath.Join(beadsDir, "beads.db")
-	if err := os.MkdirAll(beadsDir, 0755); err != nil {
+	if err := os.MkdirAll(beadsDir, 0750); err != nil {
 		t.Fatalf("Failed to create beads dir: %v", err)
 	}
-	if err := os.WriteFile(dbPath, []byte("test"), 0644); err != nil {
+	if err := os.WriteFile(dbPath, []byte("test"), 0600); err != nil {
 		t.Fatalf("Failed to create db file: %v", err)
 	}
--- a/internal/types/lock_check_test.go
+++ b/internal/types/lock_check_test.go
@@ -36,7 +36,7 @@ func TestShouldSkipDatabase(t *testing.T) {
 			Version:   "1.0.0",
 		}
 		data, _ := json.Marshal(lock)
-		if err := os.WriteFile(lockPath, data, 0644); err != nil {
+		if err := os.WriteFile(lockPath, data, 0600); err != nil {
 			t.Fatal(err)
 		}
 		defer os.Remove(lockPath)
@@ -69,7 +69,7 @@ func TestShouldSkipDatabase(t *testing.T) {
 			Version:   "1.0.0",
 		}
 		data, _ := json.Marshal(lock)
-		if err := os.WriteFile(lockPath, data, 0644); err != nil {
+		if err := os.WriteFile(lockPath, data, 0600); err != nil {
 			t.Fatal(err)
 		}
 		defer os.Remove(lockPath)
@@ -115,7 +115,7 @@ func TestShouldSkipDatabase(t *testing.T) {
 			Version:   "1.0.0",
 		}
 		data, _ := json.Marshal(lock)
-		if err := os.WriteFile(lockPath, data, 0644); err != nil {
+		if err := os.WriteFile(lockPath, data, 0600); err != nil {
 			t.Fatal(err)
 		}
 		defer os.Remove(lockPath)
@@ -142,7 +142,7 @@ func TestShouldSkipDatabase(t *testing.T) {
 			Version:   "1.0.0",
 		}
 		data, _ := json.Marshal(lock)
-		if err := os.WriteFile(lockPath, data, 0644); err != nil {
+		if err := os.WriteFile(lockPath, data, 0600); err != nil {
 			t.Fatal(err)
 		}
 		defer os.Remove(lockPath)