From 31e8ca7ce9063de716225bf761d5a9c1549cbd02 Mon Sep 17 00:00:00 2001
From: 0x1d
Date: Fri, 7 Nov 2025 09:37:53 +0100
Subject: [PATCH] fix(lint): use explicit safe type conversions for gosec

Use separate variables with explicit else branches to make type conversions safe and satisfy gosec integer overflow checks.
---
 ci/runner/Dockerfile                        | 0
 cmd/audit-service/audit_service_fx.go       | 7 +++++--
 cmd/identity-service/identity_service_fx.go | 8 +++++++-
 internal/client/grpc/audit_client.go        | 19 +++++++++++--------
 services/audit/internal/api/server.go       | 7 +++++--
 .../identity/internal/password/password.go  | 8 +++++++-
 6 files changed, 35 insertions(+), 14 deletions(-)
 create mode 100644 ci/runner/Dockerfile

diff --git a/ci/runner/Dockerfile b/ci/runner/Dockerfile
new file mode 100644
index 0000000..e69de29
diff --git a/cmd/audit-service/audit_service_fx.go b/cmd/audit-service/audit_service_fx.go
index b73833c..fdb13a1 100644
--- a/cmd/audit-service/audit_service_fx.go
+++ b/cmd/audit-service/audit_service_fx.go
@@ -277,12 +277,15 @@ func (s *auditServerImpl) Query(ctx context.Context, req *auditv1.QueryRequest)
 	}
 
 	total := len(protoEntries)
+	var totalInt32 int32
 	if total > math.MaxInt32 {
-		total = math.MaxInt32
+		totalInt32 = math.MaxInt32
+	} else {
+		totalInt32 = int32(total)
 	}
 
 	return &auditv1.QueryResponse{
 		Entries: protoEntries,
-		Total:   int32(total),
+		Total:   totalInt32,
 	}, nil
 }
diff --git a/cmd/identity-service/identity_service_fx.go b/cmd/identity-service/identity_service_fx.go
index 9f48cc0..5fbcfe6 100644
--- a/cmd/identity-service/identity_service_fx.go
+++ b/cmd/identity-service/identity_service_fx.go
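Review bot: The clamp of `total` to math.MaxInt32 is now spelled out as a five-line block here and, identically, in services/audit/internal/api/server.go, while internal/client/grpc/audit_client.go carries two more copies of the same shape for Limit and Offset; a single helper such as `func clampToInt32(n int) int32 { if n > math.MaxInt32 { return math.MaxInt32 }; return int32(n) }` would keep gosec satisfied in one place and reduce the return to `Total: clampToInt32(len(protoEntries)),`. Because `len` is never negative, no lower-bound check is needed for the two `total` sites; the audit_client sites would need the helper's parameter type to match whatever Limit and Offset are, which the patch does not show. Where such a helper could live so that both cmd/audit-service and services/audit can import it is not visible from the diff. The enclosing Query method starts before the hunk.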
@@ -77,7 +77,13 @@ func verifyPassword(password, hash string) (bool, error) {
 	if hashLen < 0 || hashLen > math.MaxUint32 {
 		return false, fmt.Errorf("invalid hash length: %d", hashLen)
 	}
-	actualHash := argon2.IDKey([]byte(password), salt, 3, 64*1024, 4, uint32(hashLen))
+	var hashLenUint32 uint32
+	if hashLen > math.MaxUint32 {
+		hashLenUint32 = math.MaxUint32
+	} else {
+		hashLenUint32 = uint32(hashLen)
+	}
+	actualHash := argon2.IDKey([]byte(password), salt, 3, 64*1024, 4, hashLenUint32)
 
 	return subtle.ConstantTimeCompare(expectedHash, actualHash) == 1, nil
 }
diff --git a/internal/client/grpc/audit_client.go b/internal/client/grpc/audit_client.go
index 7bc5f0c..c48d00a 100644
--- a/internal/client/grpc/audit_client.go
+++ b/internal/client/grpc/audit_client.go
@@ -87,17 +87,20 @@ func (c *AuditClient) Query(ctx context.Context, filters *services.AuditLogFilte
 		return nil, err
 	}
 
-	limit := filters.Limit
-	if limit > math.MaxInt32 {
-		limit = math.MaxInt32
+	var limitInt32, offsetInt32 int32
+	if filters.Limit > math.MaxInt32 {
+		limitInt32 = math.MaxInt32
+	} else {
+		limitInt32 = int32(filters.Limit)
 	}
-	offset := filters.Offset
-	if offset > math.MaxInt32 {
-		offset = math.MaxInt32
+	if filters.Offset > math.MaxInt32 {
+		offsetInt32 = math.MaxInt32
+	} else {
+		offsetInt32 = int32(filters.Offset)
 	}
 	req := &auditv1.QueryRequest{
-		Limit:  int32(limit),
-		Offset: int32(offset),
+		Limit:  limitInt32,
+		Offset: offsetInt32,
 	}
 
 	if filters.UserID != nil {
diff --git a/services/audit/internal/api/server.go b/services/audit/internal/api/server.go
index 396f5f7..7fa34a2 100644
--- a/services/audit/internal/api/server.go
+++ b/services/audit/internal/api/server.go
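Review bot: The added `if hashLen > math.MaxUint32` branch is unreachable: the guard three lines above already returns `invalid hash length` for exactly that case, so `hashLenUint32` is always `uint32(hashLen)` and the clamp to math.MaxUint32 exists only to quiet the gosec G115 finding. Silently clamping a digest length in a password verifier would also be the wrong recovery if it ever ran (a shortened expected length just makes ConstantTimeCompare return 0), so the error-returning range check is the one worth keeping; the five new lines can become `hashLenUint32 := uint32(hashLen) // range checked by the guard above`, with a `//nolint:gosec` or `#nosec G115` marker if the linter still flags it, or the conversion can be folded into the existing guard. The same unreachable branch is added to Verify in services/identity/internal/password/password.go. verifyPassword starts before the hunk, and where hashLen and expectedHash come from is outside it.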
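Review bot: Only the upper bound of `filters.Limit` and `filters.Offset` is handled; if their type is signed (the patch does not show the AuditLogFilters definition), a negative value passes through `int32(filters.Limit)` unchanged and reaches the audit service as a negative Limit or Offset, leaving validation entirely to the server. The clamp also silently rewrites an out-of-range Offset to math.MaxInt32, so a caller that pages too far gets an empty page instead of an error; rejecting the value in the client, e.g. `if filters.Limit < 0 || filters.Limit > math.MaxInt32 { return nil, fmt.Errorf("limit %d out of range", filters.Limit) }` (and the same for Offset, imports permitting), is the more honest contract. If clamping is the intended behaviour, the two identical blocks could share a helper with the `total` clamps in cmd/audit-service and services/audit. The Query method starts before the hunk and continues after it.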
@@ -120,11 +120,14 @@ func (s *Server) Query(ctx context.Context, req *auditv1.QueryRequest) (*auditv1
 	}
 
 	total := len(protoEntries)
+	var totalInt32 int32
 	if total > math.MaxInt32 {
-		total = math.MaxInt32
+		totalInt32 = math.MaxInt32
+	} else {
+		totalInt32 = int32(total)
 	}
 	return &auditv1.QueryResponse{
 		Entries: protoEntries,
-		Total:   int32(total), // Note: This is a simplified total, actual total would require a count query
+		Total:   totalInt32, // Note: This is a simplified total, actual total would require a count query
 	}, nil
 }
diff --git a/services/identity/internal/password/password.go b/services/identity/internal/password/password.go
index 81b51aa..2596608 100644
--- a/services/identity/internal/password/password.go
+++ b/services/identity/internal/password/password.go
@@ -82,7 +82,13 @@ func Verify(password, hash string) (bool, error) {
 	if hashLen < 0 || hashLen > math.MaxUint32 {
 		return false, fmt.Errorf("invalid hash length: %d", hashLen)
 	}
-	actualHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), uint32(hashLen))
+	var hashLenUint32 uint32
+	if hashLen > math.MaxUint32 {
+		hashLenUint32 = math.MaxUint32
+	} else {
+		hashLenUint32 = uint32(hashLen)
+	}
+	actualHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), hashLenUint32)
 
 	// Constant-time comparison
 	if subtle.ConstantTimeCompare(expectedHash, actualHash) == 1 {
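Review bot: The other conversions on the argon2.IDKey line — `uint32(t)`, `uint32(m)` and `uint8(p)` — are carried over unchanged while only hashLen gets a range check, so unless t, m and p are bounds-checked before this hunk (not visible here) they are the same class of gosec finding the commit set out to fix. `uint8(p)` in particular truncates silently: a parallelism value above 255 in the encoded hash (presumably where t, m and p are parsed from) would make Verify derive a different key and fail for an otherwise valid record rather than report the malformed parameter, and the same applies to an oversized m or t. Adding explicit checks in the style of the existing hashLen guard, e.g. `if p < 0 || p > math.MaxUint8 { return false, fmt.Errorf("invalid parallelism: %d", p) }` with the analogous uint32 checks for t and m, or confirming they already exist upstream of this hunk, would complete the change. The unreachable clamp itself is the same issue raised on cmd/identity-service/identity_service_fx.go. Verify starts before the hunk and continues after it.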