From c5b81d04b6aa0a27aa5b3501ca8410c147936e59 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Sun, 15 Mar 2026 17:59:43 +0200
Subject: [PATCH] fix(security): suppress gosec false positives G703 and G118 (#136)
---
 cmd/helpers.go | 1 +
 ...fail2ban_log_performance_benchmark_test.go | 1 +
 fail2ban/fail2ban_logs_integration_test.go | 1 +
 fail2ban/security_utils.go | 22 ++++++++++---------
 fail2ban/test_helpers.go | 1 +
 go.sum | 7 ------
 6 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/cmd/helpers.go b/cmd/helpers.go
index 2bfe98f..6841406 100644
--- a/cmd/helpers.go
+++ b/cmd/helpers.go
@@ -28,6 +28,7 @@ func createTimeoutContext(base context.Context, config *Config) (context.Context
 if config != nil && config.CommandTimeout > 0 {
 timeout = config.CommandTimeout
 }
+ // #nosec G118 -- cancel is returned to callers who are responsible for calling it
 return context.WithTimeout(base, timeout)
 }
diff --git a/fail2ban/fail2ban_log_performance_benchmark_test.go b/fail2ban/fail2ban_log_performance_benchmark_test.go
index bd47757..db442d2 100644
--- a/fail2ban/fail2ban_log_performance_benchmark_test.go
+++ b/fail2ban/fail2ban_log_performance_benchmark_test.go
@@ -58,6 +58,7 @@ func setupBenchmarkLogEnvironment(b *testing.B, source string) func() {
 tempDir := b.TempDir()
 dest := filepath.Join(tempDir, "fail2ban.log")
+ // #nosec G703 -- dest is constructed from b.TempDir() and a literal string, not user input
 if err := os.WriteFile(dest, data, 0o600); err != nil {
 b.Fatalf("failed to create benchmark log file: %v", err)
 }
diff --git a/fail2ban/fail2ban_logs_integration_test.go b/fail2ban/fail2ban_logs_integration_test.go
index 6dd4e1e..f48e80b 100644
--- a/fail2ban/fail2ban_logs_integration_test.go
+++ b/fail2ban/fail2ban_logs_integration_test.go
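Review bot: The justification on the added `// #nosec G118` line rests on a contract — every caller of createTimeoutContext must call the returned cancel — that nothing in this hunk documents on the function itself, whose signature and doc comment start before the hunk. If the doc comment does not already say so, add a line such as `// The returned CancelFunc must be called by the caller to release the context's resources.` so the reason the finding is suppressed is visible at the call sites too. The rule-scoped suppression with an explanation is the right shape; a bare `#nosec` without the rule ID would silence future unrelated findings on that line.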
@@ -418,6 +418,7 @@ func BenchmarkLogParsing(b *testing.B) {
 if err != nil {
 b.Fatalf("Failed to read test file: %v", err)
 }
+ // #nosec G703 -- mainLog is constructed from b.TempDir() and a literal string, not user input
 if err := os.WriteFile(mainLog, data, 0600); err != nil {
 b.Fatalf("Failed to create test log: %v", err)
 }
diff --git a/fail2ban/security_utils.go b/fail2ban/security_utils.go
index a63487b..2b4d19e 100644
--- a/fail2ban/security_utils.go
+++ b/fail2ban/security_utils.go
@@ -57,14 +57,6 @@ func ContainsPathTraversal(input string) bool {
 // The returned patterns include both production patterns (real attack signatures)
 // and test sentinels (used exclusively in test fixtures for validation).
 func GetDangerousCommandPatterns() []string {
- // Production patterns: Real command injection and SQL injection signatures
- productionPatterns := []string{
- "rm -rf", // Destructive file operations
- "drop table", // SQL injection attempts
- "'; cat", // Command injection with file reads
- "/etc/passwd", "/etc/shadow", // Specific sensitive file access
- }
-
 // Test sentinels: Markers used exclusively in test fixtures
 // These help verify pattern detection logic in tests
 testSentinels := []string{
@@ -84,6 +76,16 @@ func GetDangerousCommandPatterns() []string {
 "DANGEROUS_EVAL_FUNCTION",
 }
- // Combine both lists for backward compatibility
- return append(productionPatterns, testSentinels...)
+ // Production patterns: Real command injection and SQL injection signatures
+ productionPatterns := []string{
+ "rm -rf", // Destructive file operations
+ "drop table", // SQL injection attempts
+ "'; cat", // Command injection with file reads
+ "/etc/passwd", "/etc/shadow", // Specific sensitive file access
+ }
+
+ // Combine both lists for backward compatibility; preallocate to avoid reallocation
+ combined := make([]string, 0, len(productionPatterns)+len(testSentinels))
+ combined = append(combined, productionPatterns...)
+ return append(combined, testSentinels...)
 }
diff --git a/fail2ban/test_helpers.go b/fail2ban/test_helpers.go
index 009cb35..393c570 100644
--- a/fail2ban/test_helpers.go
+++ b/fail2ban/test_helpers.go
@@ -45,6 +45,7 @@ func setupTestLogEnvironment(t *testing.T, testDataFile string) (cleanup func()) {
 if err != nil {
 t.Fatalf("Failed to read test file: %v", err)
 }
+ // #nosec G703 -- path is constructed from t.TempDir() and a literal string, not user input
 if err := os.WriteFile(mainLog, data, shared.DefaultFilePermissions); err != nil {
 t.Fatalf("Failed to create test log: %v", err)
 }
diff --git a/go.sum b/go.sum
index defbf2e..700d95d 100644
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,4 @@
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
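Review bot: The new make/append/append tail of GetDangerousCommandPatterns collapses to one call if the module's Go version is 1.22 or later: `return slices.Concat(productionPatterns, testSentinels)` (with `slices` imported), which allocates exactly once with the combined length. The moved comment `// Combine both lists for backward compatibility; preallocate to avoid reallocation` overstates the gain — the previous `append(productionPatterns, testSentinels...)` also allocated once, because a composite-literal slice has no spare capacity — so `// ...; allocate the exact combined length once` describes what the new code actually buys. The function's opening brace and the testSentinels literal start before this hunk.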
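Review bot: The added suppression in test_helpers.go justifies itself with "path", but the argument handed to os.WriteFile on the next line is `mainLog`, whose construction is outside this hunk; the sibling suppressions in fail2ban_log_performance_benchmark_test.go and fail2ban_logs_integration_test.go name the actual variable. Use the same form here, `// #nosec G703 -- mainLog is constructed from t.TempDir() and a literal string, not user input`, so a reader can check the claim against the assignment rather than a generic noun. setupTestLogEnvironment starts before the hunk, so the t.TempDir() claim is inferred from the comment, not visible here.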
@@ -11,8 +10,6 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
@@ -20,16 +17,12 @@ github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiT
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
 golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=