Fix security vulnerabilities flagged by gosec scanner#75

Merged
canack merged 1 commit into termkit:main from atilsensalduz:sec/CWE-78 on Feb 26, 2025
Conversation

@atilsensalduz
Contributor

This PR addresses security vulnerabilities identified by the gosec static analysis tool:

1. G104 (CWE-703): Unhandled errors in viper.BindEnv() calls
   - Added proper error handling to prevent potential issues with environment variables
   - Severity: LOW, Confidence: HIGH
2. G204 (CWE-78): Command injection vulnerability in browser.OpenInBrowser()
   - Implemented URL validation and sanitization to prevent potential command injection
   - Added checks to ensure only http/https URLs can be opened
   - Severity: MEDIUM, Confidence: HIGH

Note

I'm not sure how we should handle it if viper.BindEnv returns an error. I set it to return the error, but if that's not the proper way to handle it, I can change it to a warning.

- Handle error returned by viper.BindEnv() to fix G104 (CWE-703)
- Implement URL validation in browser.OpenInBrowser() to prevent command
  injection vulnerability G204 (CWE-78)

Signed-off-by: atilsensalduz <atil.sensalduz@gmail.com>
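The G204 fix described above, as an added example that is not the PR's own code: the URL is parsed with net/url, only absolute http/https URLs with a host are accepted, and the launcher is started with exec.Command so the URL is passed as an argv element rather than through a shell. The per-OS launcher table (xdg-open/open/rundll32) and the function names are assumptions; the page does not show the project's actual implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os/exec"
	"runtime"
	"strings"
)

// ErrUnsafeURL is returned for anything that is not an absolute http/https URL.
var ErrUnsafeURL = errors.New("refusing to open: only absolute http/https URLs are allowed")

// ValidateBrowserURL returns the parsed URL as a string when it is an absolute
// http or https URL with a host. file:, javascript:, scheme-less strings and
// unparsable input (including hosts containing spaces or shell text) are rejected.
func ValidateBrowserURL(raw string) (string, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrUnsafeURL, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" { // url.Parse lowercases the scheme
		return "", ErrUnsafeURL
	}
	if u.Host == "" {
		return "", ErrUnsafeURL
	}
	return u.String(), nil
}

// browserCommand picks a launcher (assumed table) and hands the validated URL
// over as a separate argument. exec.Command never invokes /bin/sh, so characters
// such as ';' or '$' in the URL are never interpreted as shell syntax.
func browserCommand(validated string) (string, []string) {
	switch runtime.GOOS {
	case "darwin":
		return "open", []string{validated}
	case "windows":
		return "rundll32", []string{"url.dll,FileProtocolHandler", validated}
	default:
		return "xdg-open", []string{validated}
	}
}

// OpenInBrowser validates first, then starts the launcher without a shell.
func OpenInBrowser(raw string) error {
	validated, err := ValidateBrowserURL(raw)
	if err != nil {
		return err
	}
	name, args := browserCommand(validated)
	return exec.Command(name, args...).Start()
}
```

Calling OpenInBrowser with "file:///etc/passwd" or "https://x.com; rm -rf /" (constructed inputs) returns ErrUnsafeURL before any process is started; "https://github.com/termkit" passes validation.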
@canack canack added the "improvement" (To make it better) label on Feb 26, 2025
Member

@canack canack left a comment

Nice, thank you for the improvement 🎸

@canack canack merged commit b683f4d into termkit:main Feb 26, 2025