diff --git a/cmd/helpers.go b/cmd/helpers.go
index a69e18b..6841406 100644
--- a/cmd/helpers.go
+++ b/cmd/helpers.go
@@ -28,7 +28,8 @@ func createTimeoutContext(base context.Context, config *Config) (context.Context
 	if config != nil && config.CommandTimeout > 0 {
 		timeout = config.CommandTimeout
 	}
-	return context.WithTimeout(base, timeout) // #nosec G118 -- cancel is returned to callers who are responsible for calling it
+	// #nosec G118 -- cancel is returned to callers who are responsible for calling it
+	return context.WithTimeout(base, timeout)
 }
 
 // IsCI detects if we're running in a CI environment
diff --git a/fail2ban/fail2ban_log_performance_benchmark_test.go b/fail2ban/fail2ban_log_performance_benchmark_test.go
index bd47757..db442d2 100644
--- a/fail2ban/fail2ban_log_performance_benchmark_test.go
+++ b/fail2ban/fail2ban_log_performance_benchmark_test.go
@@ -58,6 +58,7 @@ func setupBenchmarkLogEnvironment(b *testing.B, source string) func() {
 	tempDir := b.TempDir()
 	dest := filepath.Join(tempDir, "fail2ban.log")
 
+	// #nosec G703 -- dest is constructed from b.TempDir() and a literal string, not user input
 	if err := os.WriteFile(dest, data, 0o600); err != nil {
 		b.Fatalf("failed to create benchmark log file: %v", err)
 	}
diff --git a/fail2ban/fail2ban_logs_integration_test.go b/fail2ban/fail2ban_logs_integration_test.go
index 6dd4e1e..f48e80b 100644
--- a/fail2ban/fail2ban_logs_integration_test.go
+++ b/fail2ban/fail2ban_logs_integration_test.go
@@ -418,6 +418,7 @@ func BenchmarkLogParsing(b *testing.B) {
 	if err != nil {
 		b.Fatalf("Failed to read test file: %v", err)
 	}
+	// #nosec G703 -- mainLog is constructed from b.TempDir() and a literal string, not user input
 	if err := os.WriteFile(mainLog, data, 0600); err != nil {
 		b.Fatalf("Failed to create test log: %v", err)
 	}
diff --git a/fail2ban/security_utils.go b/fail2ban/security_utils.go
index a63487b..2501314 100644
--- a/fail2ban/security_utils.go
+++ b/fail2ban/security_utils.go
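Review bot: The two `os.WriteFile` calls annotated in the benchmark hunks spell the file mode differently — `0o600` in setupBenchmarkLogEnvironment and the legacy `0600` in BenchmarkLogParsing — while the sibling call in test_helpers.go uses `shared.DefaultFilePermissions`; since this commit is already editing all three sites, it is the natural moment to settle on one form. For BenchmarkLogParsing that means `if err := os.WriteFile(mainLog, data, 0o600); err != nil {`, or the shared constant if that package is already imported in the test (the imports are not visible in the hunk). The same point applies to the fail2ban_log_performance_benchmark_test.go hunk, which should then use the same spelling. Both setupBenchmarkLogEnvironment and BenchmarkLogParsing start and end outside their hunks.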
@@ -57,14 +57,6 @@ func ContainsPathTraversal(input string) bool {
 // The returned patterns include both production patterns (real attack signatures)
 // and test sentinels (used exclusively in test fixtures for validation).
 func GetDangerousCommandPatterns() []string {
-	// Production patterns: Real command injection and SQL injection signatures
-	productionPatterns := []string{
-		"rm -rf", // Destructive file operations
-		"drop table", // SQL injection attempts
-		"'; cat", // Command injection with file reads
-		"/etc/passwd", "/etc/shadow", // Specific sensitive file access
-	}
-
 	// Test sentinels: Markers used exclusively in test fixtures
 	// These help verify pattern detection logic in tests
 	testSentinels := []string{
@@ -84,6 +76,16 @@ func GetDangerousCommandPatterns() []string {
 		"DANGEROUS_EVAL_FUNCTION",
 	}
 
+	// Production patterns: Real command injection and SQL injection signatures
+	// Preallocate with combined capacity to avoid reallocation when appending testSentinels
+	productionPatterns := make([]string, 0, 5+len(testSentinels))
+	productionPatterns = append(productionPatterns,
+		"rm -rf", // Destructive file operations
+		"drop table", // SQL injection attempts
+		"'; cat", // Command injection with file reads
+		"/etc/passwd", "/etc/shadow", // Specific sensitive file access
+	)
+
 	// Combine both lists for backward compatibility
 	return append(productionPatterns, testSentinels...)
 }
diff --git a/fail2ban/test_helpers.go b/fail2ban/test_helpers.go
index 6607f8d..393c570 100644
--- a/fail2ban/test_helpers.go
+++ b/fail2ban/test_helpers.go
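Review bot: The capacity in `make([]string, 0, 5+len(testSentinels))` hard-codes the size of the production list that is appended on the following lines, so the `5` has to be kept in sync by hand whenever a pattern is added or removed, and a miscount is silent (append simply reallocates), which defeats the stated purpose of the preallocation. Keeping the original literal and sizing from `len(productionPatterns)` removes the constant and keeps the production list readable as a literal instead of a variadic append. The saving is one small allocation per call, so if this function is not measured as hot, reverting to the original two-literal shape is the simplest alternative. GetDangerousCommandPatterns opens in the previous hunk of this file; its return and closing brace are in this one.
```go
	// … unchanged: testSentinels literal …

	// Production patterns: Real command injection and SQL injection signatures
	productionPatterns := []string{
		// … unchanged: the five production pattern literals …
	}
	// Size from both lists so the capacity cannot drift from the literal above
	patterns := make([]string, 0, len(productionPatterns)+len(testSentinels))
	patterns = append(patterns, productionPatterns...)
	return append(patterns, testSentinels...)
```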
@@ -45,7 +45,8 @@ func setupTestLogEnvironment(t *testing.T, testDataFile string) (cleanup func())
 	if err != nil {
 		t.Fatalf("Failed to read test file: %v", err)
 	}
-	if err := os.WriteFile(mainLog, data, shared.DefaultFilePermissions); err != nil { // #nosec G703 -- path is constructed from t.TempDir() and a literal string, not user input
+	// #nosec G703 -- path is constructed from t.TempDir() and a literal string, not user input
+	if err := os.WriteFile(mainLog, data, shared.DefaultFilePermissions); err != nil {
 		t.Fatalf("Failed to create test log: %v", err)
 	}