Fix gosec findings in internal/history#79

Merged
jacobhuemmer merged 1 commit into main from fix/gosec-history-perms
Apr 9, 2026
Conversation

@jacobhuemmer
Collaborator

Summary

Resolves the 5 open gosec code-scanning alerts in internal/history/ (all introduced by the v0.12.0 execution-history feature):

| # | Rule | Fix |
|---|------|-----|
| 89, 86 | G301 | os.MkdirAll perms 0755 → 0750 |
| 91, 90 | G306 | os.WriteFile perms 0644 → 0600 |
| 71 | G304 | loadRecord wraps filename in filepath.Base and annotates #nosec G304; input always comes from os.ReadDir(s.dir) filtered to *.json |

Execution history records may contain sensitive parameter values, so user-only perms are the right default.

Test plan

  • go build ./...
  • go test ./internal/history/...
  • CI green

Address gosec G301/G306/G304 findings in internal/history/:
- Directories now created with 0o750 (was 0o755)
- Record files and .log.gz archives written with 0o600 (was 0o644)
- loadRecord defensively applies filepath.Base to the input filename
  and is annotated #nosec G304; the filename always originates from
  os.ReadDir(s.dir) filtered to *.json entries.

Execution history may contain sensitive parameter values, so
user-only perms are appropriate.
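The three fixes described above (0o750 directories, 0o600 record files, and filepath.Base plus a *.json check ahead of the #nosec-annotated read), as an added Go example that is not the project's own code. Record, Store, NewStore, Save and the one-file-per-record layout are assumed for illustration; main only shows how a non-JSON name is rejected.

```go
package main
import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Record is a hypothetical execution-history record; params may hold secrets.
type Record struct {
	ID     string            `json:"id"`
	Params map[string]string `json:"params"`
}

// Store keeps one <id>.json file per record under dir.
type Store struct{ dir string }

// NewStore creates dir with no world bits (G301: 0o750, not 0o755).
func NewStore(dir string) (*Store, error) {
	if err := os.MkdirAll(dir, 0o750); err != nil {
		return nil, err
	}
	return &Store{dir: dir}, nil
}

// Save writes the record readable by its owner only (G306: 0o600, not 0o644).
func (s *Store) Save(r Record) error {
	data, err := json.Marshal(r)
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(s.dir, r.ID+".json"), data, 0o600)
}

// loadRecord reads one record. filepath.Base drops any directory part, so the
// read cannot leave s.dir, and only *.json names are accepted; the remaining
// G304 alert is then a false positive, hence the #nosec annotation.
func (s *Store) loadRecord(name string) (Record, error) {
	name = filepath.Base(name)
	if name == ".json" || !strings.HasSuffix(name, ".json") {
		return Record{}, fmt.Errorf("not a history record: %q", name)
	}
	data, err := os.ReadFile(filepath.Join(s.dir, name)) // #nosec G304 -- sanitised above
	if err != nil {
		return Record{}, err
	}
	var r Record
	return r, json.Unmarshal(data, &r)
}
func main() { _, err := (&Store{dir: "."}).loadRecord("../../etc/passwd"); fmt.Println(err) }
```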
@jacobhuemmer jacobhuemmer merged commit 795d2d2 into main Apr 9, 2026
5 checks passed
@jacobhuemmer jacobhuemmer deleted the fix/gosec-history-perms branch April 9, 2026 11:49