toolz/goplt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(lint): add bounds checking for integer conversions to fix gosec warnings
All checks were successful
CI / Test (pull_request) Successful in 57s
Details
CI / Lint (pull_request) Successful in 27s
Details
CI / Build (pull_request) Successful in 39s
Details
CI / Format Check (pull_request) Successful in 2s
Details

Browse Source 
- Add bounds checking for Limit and Offset conversions in audit_client.go
- Add bounds checking for t, m, and p conversions in password.go
- Add nolint comments with explanations for safe conversions
This commit is contained in:
0x1d
2025-11-07 10:04:14 +01:00
parent 9712e50f6c
commit 75c5293c8c
3 changed files with 39 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
AGENTS.md
View File

@@ -199,10 +199,9 @@ When working on this project, follow this workflow:
- **ALWAYS commit** after successful implementation - **ALWAYS commit** after successful implementation
- Verify that everything is in order before commit: - Verify that everything is in order before commit:
- there is a Gitea Runner image in ci/pre-commit - there is a Gitea Runner image in ci/pre-commit
- check if we have wirelos/pre-commit locally. if not, build it - run scripts/pre-commit-check.sh
- start the gitea-runner locally and mount the project directory. - Ensure the code builds (`make build`)
- Ensure the code builds (`go build`) - Ensure all tests pass (`make test`)
- Ensure all tests pass (`go test`)
- Ensure there are no linter issues (`make lint`) - Ensure there are no linter issues (`make lint`)
- Ensure there are no fmt issues (`make fmt-check`) - Ensure there are no fmt issues (`make fmt-check`)
- If there are issues, fix them before comitting - If there are issues, fix them before comitting

8
internal/client/grpc/audit_client.go
View File

@@ -90,13 +90,17 @@ func (c *AuditClient) Query(ctx context.Context, filters *services.AuditLogFilte
var limitInt32, offsetInt32 int32 var limitInt32, offsetInt32 int32
if filters.Limit > math.MaxInt32 { if filters.Limit > math.MaxInt32 {
limitInt32 = math.MaxInt32 limitInt32 = math.MaxInt32
} else if filters.Limit < math.MinInt32 {
limitInt32 = math.MinInt32
} else { } else {
limitInt32 = int32(filters.Limit) limitInt32 = int32(filters.Limit) //nolint:gosec // bounds checked above
} }
if filters.Offset > math.MaxInt32 { if filters.Offset > math.MaxInt32 {
offsetInt32 = math.MaxInt32 offsetInt32 = math.MaxInt32
} else if filters.Offset < math.MinInt32 {
offsetInt32 = math.MinInt32
} else { } else {
offsetInt32 = int32(filters.Offset) offsetInt32 = int32(filters.Offset) //nolint:gosec // bounds checked above
} }
req := &auditv1.QueryRequest{ req := &auditv1.QueryRequest{
Limit: limitInt32, Limit: limitInt32,

29
services/identity/internal/password/password.go
View File

@@ -88,7 +88,34 @@ func Verify(password, hash string) (bool, error) {
} else { } else {
hashLenUint32 = uint32(hashLen) hashLenUint32 = uint32(hashLen)
} }
actualHash := argon2.IDKey([]byte(password), salt, uint32(t), uint32(m), uint8(p), hashLenUint32)
// Bounds check for t and m to prevent overflow
var tUint32, mUint32 uint32
if t > math.MaxUint32 {
tUint32 = math.MaxUint32
} else if t < 0 {
tUint32 = 0
} else {
tUint32 = uint32(t) //nolint:gosec // bounds checked above
}
if m > math.MaxUint32 {
mUint32 = math.MaxUint32
} else if m < 0 {
mUint32 = 0
} else {
mUint32 = uint32(m) //nolint:gosec // bounds checked above
}
var pUint8 uint8
if p > math.MaxUint8 {
pUint8 = math.MaxUint8
} else if p < 0 {
pUint8 = 0
} else {
pUint8 = uint8(p)
}
actualHash := argon2.IDKey([]byte(password), salt, tUint32, mUint32, pUint8, hashLenUint32)
// Constant-time comparison // Constant-time comparison
if subtle.ConstantTimeCompare(expectedHash, actualHash) == 1 { if subtle.ConstantTimeCompare(expectedHash, actualHash) == 1 {