fix: improve YAML formatting and resolve gosec lint warnings (#219)

indaco · web-flow · commit da914d53061d · 2026-03-08T23:16:54.000+01:00
* fix: use IndentSequence for properly formatted YAML output

* fix: resolve gosec lint warnings (G122, G703, G118)
diff --git a/internal/commands/discover/workflow.go b/internal/commands/discover/workflow.go
@@ -616,7 +616,7 @@ func marshalConfigWithComments(cfg *config.Config, plugins []string) ([]byte, er
 
 // marshalToYAML marshals a config to YAML bytes.
 func marshalToYAML(cfg *config.Config) ([]byte, error) {
-	return yaml.Marshal(cfg)
+	return yaml.MarshalWithOptions(cfg, yaml.Indent(2), yaml.IndentSequence(true))
 }
 
 // generateDependencyCheckConfig generates YAML configuration for dependency-check.
diff --git a/internal/commands/initialize/config_generator.go b/internal/commands/initialize/config_generator.go
@@ -58,8 +58,8 @@ func GenerateConfigWithComments(path string, selectedPlugins []string) ([]byte,
 
 	cfg.Plugins = pluginsCfg
 
-	// Marshal to YAML
-	data, err := yaml.Marshal(cfg)
+	// Marshal to YAML with proper indentation
+	data, err := yaml.MarshalWithOptions(cfg, yaml.Indent(2), yaml.IndentSequence(true))
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal config: %w", err)
 	}
@@ -148,8 +148,8 @@ func GenerateConfigWithDiscovery(path string, selectedPlugins []string, syncCand
 
 	cfg.Plugins = pluginsCfg
 
-	// Marshal to YAML
-	data, err := yaml.Marshal(cfg)
+	// Marshal to YAML with proper indentation
+	data, err := yaml.MarshalWithOptions(cfg, yaml.Indent(2), yaml.IndentSequence(true))
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal config: %w", err)
 	}
diff --git a/internal/commands/initialize/workspace.go b/internal/commands/initialize/workspace.go
@@ -2,6 +2,7 @@ package initialize
 
 import (
 	"fmt"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -68,7 +69,20 @@ func discoverVersionFiles(root string) ([]DiscoveredModule, error) {
 		"__pycache__":  true,
 	}
 
-	err := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
+	// Resolve the scan directory: if root is a file path, use its parent directory.
+	scanDir := root
+	if info, statErr := os.Stat(root); statErr != nil || !info.IsDir() {
+		scanDir = filepath.Dir(root)
+	}
+
+	// Use root-scoped API to prevent symlink TOCTOU traversal (gosec G122).
+	rootDir, err := os.OpenRoot(scanDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open root directory: %w", err)
+	}
+	defer rootDir.Close()
+
+	err = filepath.WalkDir(scanDir, func(path string, d os.DirEntry, err error) error {
 		if err != nil {
 			return nil // Skip inaccessible directories
 		}
@@ -85,17 +99,20 @@ func discoverVersionFiles(root string) ([]DiscoveredModule, error) {
 		if d.Name() == ".version" {
 			// Skip root .version file
 			dir := filepath.Dir(path)
-			if dir == "." || dir == root {
+			if dir == "." || dir == scanDir {
 				return nil
 			}
 
-			relPath, _ := filepath.Rel(root, path)
+			relPath, _ := filepath.Rel(scanDir, path)
 			moduleName := filepath.Base(dir)
 
-			// Read current version
+			// Read current version using root-scoped file access
 			version := ""
-			if data, err := os.ReadFile(path); err == nil {
-				version = strings.TrimSpace(string(data))
+			if f, openErr := rootDir.Open(relPath); openErr == nil {
+				if data, readErr := io.ReadAll(f); readErr == nil {
+					version = strings.TrimSpace(string(data))
+				}
+				f.Close()
 			}
 
 			modules = append(modules, DiscoveredModule{
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -77,7 +77,7 @@ func (w *osFileWriter) WriteFile(file *os.File, data []byte) (int, error) {
 type yamlMarshaler struct{}
 
 func (m *yamlMarshaler) Marshal(v any) ([]byte, error) {
-	return yaml.Marshal(v)
+	return yaml.MarshalWithOptions(v, yaml.Indent(2), yaml.IndentSequence(true))
 }
 
 // NewConfigSaver creates a ConfigSaver with the given dependencies.
diff --git a/internal/extensionmgr/error_recovery_test.go b/internal/extensionmgr/error_recovery_test.go
@@ -112,6 +112,7 @@ echo '{"version": "1.0.0"}'
 
 	executor := NewScriptExecutorWithTimeout(30 * time.Second)
 	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
 
 	input := &HookInput{
 		Hook:        "test",
diff --git a/internal/extensionmgr/updater.go b/internal/extensionmgr/updater.go
@@ -64,7 +64,7 @@ func (u *DefaultConfigUpdater) AddExtension(path string, extension config.Extens
 		result = original + "\n" + replacement + "\n"
 	}
 
-	if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil {
+	if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil { //nolint:gosec // G703: path is the config file path resolved by the config loader
 		return fmt.Errorf("failed to write config %q: %w", path, err)
 	}
 	return nil
@@ -117,7 +117,7 @@ func (u *DefaultConfigUpdater) RemoveExtension(path string, extensionName string
 		return fmt.Errorf("extensions section not found in config file %q", path)
 	}
 
-	if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil {
+	if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil { //nolint:gosec // G703: path is the config file path resolved by the config loader
 		return fmt.Errorf("failed to write config %q: %w", path, err)
 	}
 	return nil
@@ -167,7 +167,7 @@ func (u *DefaultConfigUpdater) SetExtensionEnabled(path string, extensionName st
 		return fmt.Errorf("extensions section not found in config file %q", path)
 	}
 
-	if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil {
+	if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil { //nolint:gosec // G703: path is the config file path resolved by the config loader
 		return fmt.Errorf("failed to write config %q: %w", path, err)
 	}
 	return nil
diff --git a/internal/plugins/changeloggenerator/generator.go b/internal/plugins/changeloggenerator/generator.go
@@ -380,7 +380,7 @@ func (g *Generator) WriteUnifiedChangelog(newContent string) error {
 	// Normalize: trim trailing whitespace and ensure single trailing newline
 	finalContent = strings.TrimRight(finalContent, "\n\r\t ") + "\n"
 
-	if err := os.WriteFile(path, []byte(finalContent), core.PermPublicRead); err != nil {
+	if err := os.WriteFile(path, []byte(finalContent), core.PermPublicRead); err != nil { //nolint:gosec // G703: path is the changelog file path from plugin config
 		return fmt.Errorf("failed to write changelog %q: %w", path, err)
 	}
 
diff --git a/internal/workspace/executor_test.go b/internal/workspace/executor_test.go
@@ -228,6 +228,7 @@ func TestExecutor_Run_ContextCancellation(t *testing.T) {
 	}
 
 	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
 
 	op := &mockOperation{
 		name: "test",

Original file line number	Diff line number	Diff line change
`@@ -616,7 +616,7 @@ func marshalConfigWithComments(cfg *config.Config, plugins []string) ([]byte, er`
`616`	`616`
`617`	`617`	`// marshalToYAML marshals a config to YAML bytes.`
`618`	`618`	`func marshalToYAML(cfg *config.Config) ([]byte, error) {`
`619`		`- return yaml.Marshal(cfg)`
	`619`	`+ return yaml.MarshalWithOptions(cfg, yaml.Indent(2), yaml.IndentSequence(true))`
`620`	`620`	`}`
`621`	`621`
`622`	`622`	`// generateDependencyCheckConfig generates YAML configuration for dependency-check.`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ func (w osFileWriter) WriteFile(file os.File, data []byte) (int, error) {`
`77`	`77`	`type yamlMarshaler struct{}`
`78`	`78`
`79`	`79`	`func (m *yamlMarshaler) Marshal(v any) ([]byte, error) {`
`80`		`- return yaml.Marshal(v)`
	`80`	`+ return yaml.MarshalWithOptions(v, yaml.Indent(2), yaml.IndentSequence(true))`
`81`	`81`	`}`
`82`	`82`
`83`	`83`	`// NewConfigSaver creates a ConfigSaver with the given dependencies.`
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ func (u *DefaultConfigUpdater) AddExtension(path string, extension config.Extens`
`64`	`64`	`result = original + "\n" + replacement + "\n"`
`65`	`65`	`}`
`66`	`66`
`67`		`- if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil {`
	`67`	`+ if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil { //nolint:gosec // G703: path is the config file path resolved by the config loader`
`68`	`68`	`return fmt.Errorf("failed to write config %q: %w", path, err)`
`69`	`69`	`}`
`70`	`70`	`return nil`
`@@ -117,7 +117,7 @@ func (u *DefaultConfigUpdater) RemoveExtension(path string, extensionName string`
`117`	`117`	`return fmt.Errorf("extensions section not found in config file %q", path)`
`118`	`118`	`}`
`119`	`119`
`120`		`- if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil {`
	`120`	`+ if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil { //nolint:gosec // G703: path is the config file path resolved by the config loader`
`121`	`121`	`return fmt.Errorf("failed to write config %q: %w", path, err)`
`122`	`122`	`}`
`123`	`123`	`return nil`
`@@ -167,7 +167,7 @@ func (u *DefaultConfigUpdater) SetExtensionEnabled(path string, extensionName st`
`167`	`167`	`return fmt.Errorf("extensions section not found in config file %q", path)`
`168`	`168`	`}`
`169`	`169`
`170`		`- if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil {`
	`170`	`+ if err := os.WriteFile(path, []byte(result), config.ConfigFilePerm); err != nil { //nolint:gosec // G703: path is the config file path resolved by the config loader`
`171`	`171`	`return fmt.Errorf("failed to write config %q: %w", path, err)`
`172`	`172`	`}`
`173`	`173`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -380,7 +380,7 @@ func (g *Generator) WriteUnifiedChangelog(newContent string) error {`
`380`	`380`	`// Normalize: trim trailing whitespace and ensure single trailing newline`
`381`	`381`	`finalContent = strings.TrimRight(finalContent, "\n\r\t ") + "\n"`
`382`	`382`
`383`		`- if err := os.WriteFile(path, []byte(finalContent), core.PermPublicRead); err != nil {`
	`383`	`+ if err := os.WriteFile(path, []byte(finalContent), core.PermPublicRead); err != nil { //nolint:gosec // G703: path is the changelog file path from plugin config`
`384`	`384`	`return fmt.Errorf("failed to write changelog %q: %w", path, err)`
`385`	`385`	`}`
`386`	`386`
Original file line number	Diff line number	Diff line change
`@@ -228,6 +228,7 @@ func TestExecutor_Run_ContextCancellation(t *testing.T) {`
`228`	`228`	`}`
`229`	`229`
`230`	`230`	`ctx, cancel := context.WithCancel(context.Background())`
	`231`	`+ defer cancel()`
`231`	`232`
`232`	`233`	`op := &mockOperation{`
`233`	`234`	`name: "test",`