feat: update go to 1.25, add permissions and envs (#49)

* chore(ci): update go to 1.25, add permissions and envs
* fix(ci): update pr-lint.yml
* chore: update go, fix linting
* fix: tests and linting
* fix(lint): lint fixes, renovate should now pass
* fix: updates, security upgrades
* chore: workflow updates, lint
* fix: more lint, checkmake, and other fixes
* fix: more lint, convert scripts to POSIX compliant
* fix: simplify codeql workflow
* tests: increase test coverage, fix found issues
* fix(lint): editorconfig checking, add to linters
* fix(lint): shellcheck, add to linters
* fix(lint): apply cr comment suggestions
* fix(ci): remove step-security/harden-runner
* fix(lint): remove duplication, apply cr fixes
* fix(ci): tests in CI/CD pipeline
* chore(lint): deduplication of strings
* fix(lint): apply cr comment suggestions
* fix(ci): actionlint
* fix(lint): apply cr comment suggestions
* chore: lint, add deps management

fileproc/yaml_writer.go

@@ -5,9 +5,10 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"strings"
 
-	"github.com/ivuorinen/gibidify/utils"
+	"github.com/ivuorinen/gibidify/gibidiutils"
 )
 
 // YAMLWriter handles YAML format output with streaming support.
@@ -20,11 +21,151 @@ func NewYAMLWriter(outFile *os.File) *YAMLWriter {
 	return &YAMLWriter{outFile: outFile}
 }
 
+const (
+	maxPathLength     = 4096 // Maximum total path length
+	maxFilenameLength = 255  // Maximum individual filename component length
+)
+
+// validatePathComponents validates individual path components for security issues.
+func validatePathComponents(trimmed, cleaned string, components []string) error {
+	for i, component := range components {
+		// Reject path components that are exactly ".." (path traversal)
+		if component == ".." {
+			return gibidiutils.NewStructuredError(
+				gibidiutils.ErrorTypeValidation,
+				gibidiutils.CodeValidationPath,
+				"path traversal not allowed",
+				trimmed,
+				map[string]any{
+					"path":              trimmed,
+					"cleaned":           cleaned,
+					"invalid_component": component,
+					"component_index":   i,
+				},
+			)
+		}
+
+		// Reject empty components (e.g., from "foo//bar")
+		if component == "" && i > 0 && i < len(components)-1 {
+			return gibidiutils.NewStructuredError(
+				gibidiutils.ErrorTypeValidation,
+				gibidiutils.CodeValidationPath,
+				"path contains empty component",
+				trimmed,
+				map[string]any{
+					"path":            trimmed,
+					"cleaned":         cleaned,
+					"component_index": i,
+				},
+			)
+		}
+
+		// Enforce maximum filename length for each component
+		if len(component) > maxFilenameLength {
+			return gibidiutils.NewStructuredError(
+				gibidiutils.ErrorTypeValidation,
+				gibidiutils.CodeValidationPath,
+				"path component exceeds maximum length",
+				trimmed,
+				map[string]any{
+					"component":        component,
+					"component_length": len(component),
+					"max_length":       maxFilenameLength,
+					"component_index":  i,
+				},
+			)
+		}
+	}
+	return nil
+}
+
+// validatePath validates and sanitizes a file path for safe output.
+// It rejects absolute paths, path traversal attempts, empty paths, and overly long paths.
+func validatePath(path string) error {
+	// Reject empty paths
+	trimmed := strings.TrimSpace(path)
+	if trimmed == "" {
+		return gibidiutils.NewStructuredError(
+			gibidiutils.ErrorTypeValidation,
+			gibidiutils.CodeValidationRequired,
+			"file path cannot be empty",
+			"",
+			nil,
+		)
+	}
+
+	// Enforce maximum path length to prevent resource abuse
+	if len(trimmed) > maxPathLength {
+		return gibidiutils.NewStructuredError(
+			gibidiutils.ErrorTypeValidation,
+			gibidiutils.CodeValidationPath,
+			"path exceeds maximum length",
+			trimmed,
+			map[string]any{
+				"path_length": len(trimmed),
+				"max_length":  maxPathLength,
+			},
+		)
+	}
+
+	// Reject absolute paths
+	if filepath.IsAbs(trimmed) {
+		return gibidiutils.NewStructuredError(
+			gibidiutils.ErrorTypeValidation,
+			gibidiutils.CodeValidationPath,
+			"absolute paths are not allowed",
+			trimmed,
+			map[string]any{"path": trimmed},
+		)
+	}
+
+	// Validate original trimmed path components before cleaning
+	origComponents := strings.Split(filepath.ToSlash(trimmed), "/")
+	for _, comp := range origComponents {
+		if comp == "" || comp == "." || comp == ".." {
+			return gibidiutils.NewStructuredError(
+				gibidiutils.ErrorTypeValidation,
+				gibidiutils.CodeValidationPath,
+				"invalid or traversal path component in original path",
+				trimmed,
+				map[string]any{"path": trimmed, "component": comp},
+			)
+		}
+	}
+
+	// Clean the path to normalize it
+	cleaned := filepath.Clean(trimmed)
+
+	// After cleaning, ensure it's still relative and doesn't start with /
+	if filepath.IsAbs(cleaned) || strings.HasPrefix(cleaned, "/") {
+		return gibidiutils.NewStructuredError(
+			gibidiutils.ErrorTypeValidation,
+			gibidiutils.CodeValidationPath,
+			"path must be relative",
+			trimmed,
+			map[string]any{"path": trimmed, "cleaned": cleaned},
+		)
+	}
+
+	// Split into components and validate each one
+	// Use ToSlash to normalize for cross-platform validation
+	components := strings.Split(filepath.ToSlash(cleaned), "/")
+	return validatePathComponents(trimmed, cleaned, components)
+}
+
 // Start writes the YAML header.
 func (w *YAMLWriter) Start(prefix, suffix string) error {
 	// Write YAML header
-	if _, err := fmt.Fprintf(w.outFile, "prefix: %s\nsuffix: %s\nfiles:\n", yamlQuoteString(prefix), yamlQuoteString(suffix)); err != nil {
-		return utils.WrapError(err, utils.ErrorTypeIO, utils.CodeIOWrite, "failed to write YAML header")
+	if _, err := fmt.Fprintf(
+		w.outFile, "prefix: %s\nsuffix: %s\nfiles:\n",
+		gibidiutils.EscapeForYAML(prefix), gibidiutils.EscapeForYAML(suffix),
+	); err != nil {
+		return gibidiutils.WrapError(
+			err,
+			gibidiutils.ErrorTypeIO,
+			gibidiutils.CodeIOWrite,
+			"failed to write YAML header",
+		)
 	}
 	return nil
 }
@@ -44,13 +185,32 @@ func (w *YAMLWriter) Close() error {
 
 // writeStreaming writes a large file as YAML in streaming chunks.
 func (w *YAMLWriter) writeStreaming(req WriteRequest) error {
-	defer w.closeReader(req.Reader, req.Path)
+	// Validate path before using it
+	if err := validatePath(req.Path); err != nil {
+		return err
+	}
+
+	// Check for nil reader
+	if req.Reader == nil {
+		return gibidiutils.WrapError(
+			nil, gibidiutils.ErrorTypeValidation, gibidiutils.CodeValidationRequired,
+			"nil reader in write request",
+		).WithFilePath(req.Path)
+	}
+
+	defer gibidiutils.SafeCloseReader(req.Reader, req.Path)
 
 	language := detectLanguage(req.Path)
 
 	// Write YAML file entry start
-	if _, err := fmt.Fprintf(w.outFile, "  - path: %s\n    language: %s\n    content: |\n", yamlQuoteString(req.Path), language); err != nil {
-		return utils.WrapError(err, utils.ErrorTypeIO, utils.CodeIOWrite, "failed to write YAML file start").WithFilePath(req.Path)
+	if _, err := fmt.Fprintf(
+		w.outFile, "  - path: %s\n    language: %s\n    content: |\n",
+		gibidiutils.EscapeForYAML(req.Path), language,
+	); err != nil {
+		return gibidiutils.WrapError(
+			err, gibidiutils.ErrorTypeIO, gibidiutils.CodeIOWrite,
+			"failed to write YAML file start",
+		).WithFilePath(req.Path)
 	}
 
 	// Stream content with YAML indentation
@@ -59,6 +219,11 @@ func (w *YAMLWriter) writeStreaming(req WriteRequest) error {
 
 // writeInline writes a small file directly as YAML.
 func (w *YAMLWriter) writeInline(req WriteRequest) error {
+	// Validate path before using it
+	if err := validatePath(req.Path); err != nil {
+		return err
+	}
+
 	language := detectLanguage(req.Path)
 	fileData := FileData{
 		Path:     req.Path,
@@ -67,15 +232,24 @@ func (w *YAMLWriter) writeInline(req WriteRequest) error {
 	}
 
 	// Write YAML entry
-	if _, err := fmt.Fprintf(w.outFile, "  - path: %s\n    language: %s\n    content: |\n", yamlQuoteString(fileData.Path), fileData.Language); err != nil {
-		return utils.WrapError(err, utils.ErrorTypeIO, utils.CodeIOWrite, "failed to write YAML entry start").WithFilePath(req.Path)
+	if _, err := fmt.Fprintf(
+		w.outFile, "  - path: %s\n    language: %s\n    content: |\n",
+		gibidiutils.EscapeForYAML(fileData.Path), fileData.Language,
+	); err != nil {
+		return gibidiutils.WrapError(
+			err, gibidiutils.ErrorTypeIO, gibidiutils.CodeIOWrite,
+			"failed to write YAML entry start",
+		).WithFilePath(req.Path)
 	}
 
 	// Write indented content
 	lines := strings.Split(fileData.Content, "\n")
 	for _, line := range lines {
 		if _, err := fmt.Fprintf(w.outFile, "      %s\n", line); err != nil {
-			return utils.WrapError(err, utils.ErrorTypeIO, utils.CodeIOWrite, "failed to write YAML content line").WithFilePath(req.Path)
+			return gibidiutils.WrapError(
+				err, gibidiutils.ErrorTypeIO, gibidiutils.CodeIOWrite,
+				"failed to write YAML content line",
+			).WithFilePath(req.Path)
 		}
 	}
 
@@ -85,43 +259,29 @@ func (w *YAMLWriter) writeInline(req WriteRequest) error {
 // streamYAMLContent streams content with YAML indentation.
 func (w *YAMLWriter) streamYAMLContent(reader io.Reader, path string) error {
 	scanner := bufio.NewScanner(reader)
+	// Increase buffer size to handle long lines (up to 10MB per line)
+	buf := make([]byte, 0, 64*1024)
+	scanner.Buffer(buf, 10*1024*1024)
+
 	for scanner.Scan() {
 		line := scanner.Text()
 		if _, err := fmt.Fprintf(w.outFile, "      %s\n", line); err != nil {
-			return utils.WrapError(err, utils.ErrorTypeIO, utils.CodeIOWrite, "failed to write YAML line").WithFilePath(path)
+			return gibidiutils.WrapError(
+				err, gibidiutils.ErrorTypeIO, gibidiutils.CodeIOWrite,
+				"failed to write YAML line",
+			).WithFilePath(path)
 		}
 	}
 
 	if err := scanner.Err(); err != nil {
-		return utils.WrapError(err, utils.ErrorTypeIO, utils.CodeIORead, "failed to scan YAML content").WithFilePath(path)
+		return gibidiutils.WrapError(
+			err, gibidiutils.ErrorTypeIO, gibidiutils.CodeIOFileRead,
+			"failed to scan YAML content",
+		).WithFilePath(path)
 	}
 	return nil
 }
 
-// closeReader safely closes a reader if it implements io.Closer.
-func (w *YAMLWriter) closeReader(reader io.Reader, path string) {
-	if closer, ok := reader.(io.Closer); ok {
-		if err := closer.Close(); err != nil {
-			utils.LogError(
-				"Failed to close file reader",
-				utils.WrapError(err, utils.ErrorTypeIO, utils.CodeIOClose, "failed to close file reader").WithFilePath(path),
-			)
-		}
-	}
-}
-
-// yamlQuoteString quotes a string for YAML output if needed.
-func yamlQuoteString(s string) string {
-	if s == "" {
-		return `""`
-	}
-	// Simple YAML quoting - use double quotes if string contains special characters
-	if strings.ContainsAny(s, "\n\r\t:\"'\\") {
-		return fmt.Sprintf(`"%s"`, strings.ReplaceAll(s, `"`, `\"`))
-	}
-	return s
-}
-
 // startYAMLWriter handles YAML format output with streaming support.
 func startYAMLWriter(outFile *os.File, writeCh <-chan WriteRequest, done chan<- struct{}, prefix, suffix string) {
 	defer close(done)
@@ -130,19 +290,19 @@ func startYAMLWriter(outFile *os.File, writeCh <-chan WriteRequest, done chan<-
 
 	// Start writing
 	if err := writer.Start(prefix, suffix); err != nil {
-		utils.LogError("Failed to write YAML header", err)
+		gibidiutils.LogError("Failed to write YAML header", err)
 		return
 	}
 
 	// Process files
 	for req := range writeCh {
 		if err := writer.WriteFile(req); err != nil {
-			utils.LogError("Failed to write YAML file", err)
+			gibidiutils.LogError("Failed to write YAML file", err)
 		}
 	}
 
 	// Close writer
 	if err := writer.Close(); err != nil {
-		utils.LogError("Failed to write YAML end", err)
+		gibidiutils.LogError("Failed to write YAML end", err)
 	}
 }