fix(lint): use explicit safe type conversions for gosec

Use separate variables with explicit else branches to make type conversions safe and satisfy gosec integer overflow checks.
2025-11-07 09:37:53 +01:00
parent e673fcae6f
commit 31e8ca7ce9
6 changed files with 35 additions and 14 deletions
--- a/ci/runner/Dockerfile
+++ b/ci/runner/Dockerfile
--- a/cmd/audit-service/audit_service_fx.go
+++ b/cmd/audit-service/audit_service_fx.go
@@ -277,12 +277,15 @@ func (s *auditServerImpl) Query(ctx context.Context, req *auditv1.QueryRequest)
 	}
 	total := len(protoEntries)
 	var totalInt32 int32
 	if total > math.MaxInt32 {
-		total = math.MaxInt32
+		totalInt32 = math.MaxInt32
 	} else {
 		totalInt32 = int32(total)
 	}
 	return &auditv1.QueryResponse{
 		Entries: protoEntries,
-		Total:   int32(total),
+		Total:   totalInt32,
 	}, nil
 }
--- a/cmd/identity-service/identity_service_fx.go
+++ b/cmd/identity-service/identity_service_fx.go
@@ -77,7 +77,13 @@ func verifyPassword(password, hash string) (bool, error) {
 	if hashLen < 0 || hashLen > math.MaxUint32 {
 		return false, fmt.Errorf("invalid hash length: %d", hashLen)
 	}
-	actualHash := argon2.IDKey([]byte(password), salt, 3, 64*1024, 4, uint32(hashLen))
+	var hashLenUint32 uint32
 	if hashLen > math.MaxUint32 {
 		hashLenUint32 = math.MaxUint32
 	} else {
 		hashLenUint32 = uint32(hashLen)
 	}
 	actualHash := argon2.IDKey([]byte(password), salt, 3, 64*1024, 4, hashLenUint32)
 	return subtle.ConstantTimeCompare(expectedHash, actualHash) == 1, nil
 }
--- a/internal/client/grpc/audit_client.go
+++ b/internal/client/grpc/audit_client.go
@@ -87,17 +87,20 @@ func (c *AuditClient) Query(ctx context.Context, filters *services.AuditLogFilte
 		return nil, err
 	}
-	limit := filters.Limit
+	var limitInt32, offsetInt32 int32
-	if limit > math.MaxInt32 {
+	if filters.Limit > math.MaxInt32 {
-		limit = math.MaxInt32
+		limitInt32 = math.MaxInt32
 	} else {
 		limitInt32 = int32(filters.Limit)
 	}
-	offset := filters.Offset
+	if filters.Offset > math.MaxInt32 {
-	if offset > math.MaxInt32 {
+		offsetInt32 = math.MaxInt32
-		offset = math.MaxInt32
+	} else {
 		offsetInt32 = int32(filters.Offset)
 	}
 	req := &auditv1.QueryRequest{
-		Limit:  int32(limit),
+		Limit:  limitInt32,
-		Offset: int32(offset),
+		Offset: offsetInt32,
 	}
 	if filters.UserID != nil {
--- a/services/audit/internal/api/server.go
+++ b/services/audit/internal/api/server.go
@@ -120,11 +120,14 @@ func (s *Server) Query(ctx context.Context, req *auditv1.QueryRequest) (*auditv1
 	}
 	total := len(protoEntries)
 	var totalInt32 int32
 	if total > math.MaxInt32 {
-		total = math.MaxInt32
+		totalInt32 = math.MaxInt32
 	} else {
 		totalInt32 = int32(total)
 	}
 	return &auditv1.QueryResponse{
 		Entries: protoEntries,
-		Total:   int32(total), // Note: This is a simplified total, actual total would require a count query
+		Total:   totalInt32, // Note: This is a simplified total, actual total would require a count query
 	}, nil
 }
--- a/services/identity/internal/password/password.go
+++ b/services/identity/internal/password/password.go
@@ -82,7 +82,13 @@ func Verify(password, hash string) (bool, error) {
 	if hashLen < 0 || hashLen > math.MaxUint32 {
 		return false, fmt.Errorf("invalid hash length: %d", hashLen)
 	}
-	actualHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), uint32(hashLen))
+	var hashLenUint32 uint32
 	if hashLen > math.MaxUint32 {
 		hashLenUint32 = math.MaxUint32
 	} else {
 		hashLenUint32 = uint32(hashLen)
 	}
 	actualHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), hashLenUint32)
 	// Constant-time comparison
 	if subtle.ConstantTimeCompare(expectedHash, actualHash) == 1 {