Chore: Enable gosec #140
Chore: Enable gosec #140
Conversation
dsonck92
force-pushed
the
chore/enable-gosec
branch
2 times, most recently
from
a318890
to
5f75152
Compare
dsonck92
force-pushed
the
chore/enable-gosec
branch
from
5f75152
to
1a88449
Compare
| } | ||
| return nil | ||
| } | ||
|
|
||
| func (mt *MailTemplate) getText(path string, variables map[string]string) (string, error) { | ||
| f, err := os.Open(path) | ||
| f, err := templates.FS.Open(path) |
There was a problem hiding this comment.
Please note that this will embed templates. Not sure if it was planned to allow the user to override the templates at some point. But if we talk about cloud native, we might want to bring this into some kind of specialized bucket in the future anyways so it can be edited online. And embed the defaults so it can be populated and/or reset.
But this was the easiest way (other than ignoring) to keep gosec happy. Gosec triggers because you may give .. in this path string, breaking out of the expected "root". One way to fix this is to use path.Join(root, path.Clean(path)) such that it's anchored to root, or the other is to give a virtual FS like done now.
There was a problem hiding this comment.
I agree about having the templates editable only, what about like exposing them to some great headless CMS like "Sanity".
dsonck92
force-pushed
the
chore/enable-gosec
branch
from
1a88449
to
1667c7a
Compare
| port, err := strconv.Atoi(os.Getenv("PORT")) | ||
| if err != nil { | ||
| panic(err) | ||
| } | ||
| config = &Config{ | ||
| Port: port, |
There was a problem hiding this comment.
In go, ports are technically not limited to an int (and beyond go). It's also perfectly valid to say :http or other standardized names. At least I think this is the case, although I never tried it.
dsonck92
force-pushed
the
chore/enable-gosec
branch
from
dbcbf10
to
67ee0ff
Compare
dsonck92
force-pushed
the
chore/enable-gosec
branch
from
67ee0ff
to
d9d449b
Compare
There was a problem hiding this comment.
@loboda4450 we still let something slip through 😅
There was a problem hiding this comment.
eh, that's embarrassing....
dsonck92
requested review from
bouassaba and
loboda4450
and removed request for
bouassaba
Enable the gosec linter to get security related mistakes. It can be a bit prone to false positives, but at least will give us the opportunity to think about our choices.