Fix all gosec security lint violations (#572)

JamieMagee · web-flow · commit abe22fb9f25d · 2026-02-11T17:02:30.000Z
Tighten file/directory permissions, add ReadHeaderTimeout to prevent
Slowloris attacks, cap io.Copy with LimitReader for the flamegraph tar
extraction, and bind the test listener to localhost instead of all
interfaces. Suppress the two unavoidable G304/G107 warnings on
user-provided file paths and test URLs.
diff --git a/cmd/dependabot/internal/cmd/test.go b/cmd/dependabot/internal/cmd/test.go
@@ -85,7 +85,7 @@ var testCmd = NewTestCommand()
 func readSmokeTest(file string) (*model.SmokeTest, []byte, error) {
 	var smokeTest model.SmokeTest
 
-	data, err := os.ReadFile(file)
+	data, err := os.ReadFile(file) //nolint:gosec // file path is provided by the user via CLI flags
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to open smoke test: %w", err)
 	}
diff --git a/cmd/dependabot/internal/cmd/update.go b/cmd/dependabot/internal/cmd/update.go
@@ -285,7 +285,7 @@ func readArguments(cmd *cobra.Command, flags *UpdateFlags) (*model.Input, error)
 func readInputFile(file string) (*model.Input, error) {
 	var input model.Input
 
-	data, err := os.ReadFile(file)
+	data, err := os.ReadFile(file) //nolint:gosec // file path is provided by the user via CLI flags
 	if err != nil {
 		return nil, fmt.Errorf("failed to open input file: %w", err)
 	}
diff --git a/internal/infra/proxy.go b/internal/infra/proxy.go
@@ -69,7 +69,7 @@ func NewProxy(ctx context.Context, cli *client.Client, params *RunParams, nets *
 	}
 	hostCfg.ExtraHosts = append(hostCfg.ExtraHosts, params.ExtraHosts...)
 	if params.CacheDir != "" {
-		_ = os.MkdirAll(params.CacheDir, 0744)
+		_ = os.MkdirAll(params.CacheDir, 0750)
 		cacheDir, _ := filepath.Abs(params.CacheDir)
 		hostCfg.Mounts = append(hostCfg.Mounts, mount.Mount{
 			Type:   mount.TypeBind,
diff --git a/internal/infra/run.go b/internal/infra/run.go
@@ -130,7 +130,7 @@ func Run(params RunParams) error {
 		var err error
 		// Open a file for writing but don't truncate it yet since an error will delete the test.
 		// This is done before the test so if the dir isn't writable it doesn't waste time.
-		outFile, err = os.OpenFile(params.Output, os.O_RDWR|os.O_CREATE, 0666)
+		outFile, err = os.OpenFile(params.Output, os.O_RDWR|os.O_CREATE, 0600)
 		if err != nil {
 			return fmt.Errorf("failed to create output file: %w", err)
 		}
@@ -499,7 +499,7 @@ func getFromContainer(ctx context.Context, cli *client.Client, containerID, srcP
 	defer outFile.Close()
 	tarReader := tar.NewReader(reader)
 	tarReader.Next()
-	_, err = io.Copy(outFile, tarReader)
+	_, err = io.Copy(outFile, io.LimitReader(tarReader, 1<<30)) // 1 GiB limit to prevent decompression bombs
 	if err != nil {
 		log.Printf("Failed copy while getting from container %v: %v\n", srcPath, err)
 	}
diff --git a/internal/infra/run_test.go b/internal/infra/run_test.go
@@ -17,7 +17,7 @@ import (
 )
 
 func Test_checkCredAccess(t *testing.T) {
-	l, err := net.Listen("tcp", ":0")
+	l, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		t.Fatal("Failed to create listener: ", err.Error())
 	}
diff --git a/internal/server/input.go b/internal/server/input.go
@@ -4,10 +4,12 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
-	"github.com/dependabot/cli/internal/model"
 	"log"
 	"net"
 	"net/http"
+	"time"
+
+	"github.com/dependabot/cli/internal/model"
 )
 
 type credServer struct {
@@ -30,7 +32,7 @@ func (s *credServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // Input receives configuration via HTTP on the port and returns it decoded
 func Input(listener net.Listener) (*model.Input, error) {
 	handler := &credServer{}
-	srv := &http.Server{Handler: handler}
+	srv := &http.Server{Handler: handler, ReadHeaderTimeout: 10 * time.Second}
 	handler.server = srv
 
 	// printing so the user doesn't think the cli is hanging
diff --git a/internal/server/input_test.go b/internal/server/input_test.go
@@ -36,7 +36,7 @@ func TestInput(t *testing.T) {
 
 	url := fmt.Sprintf("http://%s", l.Addr().String())
 	data := `{"job":{"package-manager":"test"},"credentials":[{"credential":"value"}]}`
-	resp, err := http.Post(url, "application/json", bytes.NewReader([]byte(data)))
+	resp, err := http.Post(url, "application/json", bytes.NewReader([]byte(data))) //nolint:gosec // test code with controlled URL
 	if err != nil {
 		t.Fatal(err.Error())
 	}

Original file line number	Diff line number	Diff line change
`@@ -85,7 +85,7 @@ var testCmd = NewTestCommand()`
`85`	`85`	`func readSmokeTest(file string) (*model.SmokeTest, []byte, error) {`
`86`	`86`	`var smokeTest model.SmokeTest`
`87`	`87`
`88`		`- data, err := os.ReadFile(file)`
	`88`	`+ data, err := os.ReadFile(file) //nolint:gosec // file path is provided by the user via CLI flags`
`89`	`89`	`if err != nil {`
`90`	`90`	`return nil, nil, fmt.Errorf("failed to open smoke test: %w", err)`
`91`	`91`	`}`
Original file line number	Diff line number	Diff line change
`@@ -285,7 +285,7 @@ func readArguments(cmd cobra.Command, flags UpdateFlags) (*model.Input, error)`
`285`	`285`	`func readInputFile(file string) (*model.Input, error) {`
`286`	`286`	`var input model.Input`
`287`	`287`
`288`		`- data, err := os.ReadFile(file)`
	`288`	`+ data, err := os.ReadFile(file) //nolint:gosec // file path is provided by the user via CLI flags`
`289`	`289`	`if err != nil {`
`290`	`290`	`return nil, fmt.Errorf("failed to open input file: %w", err)`
`291`	`291`	`}`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ func NewProxy(ctx context.Context, cli client.Client, params RunParams, nets *`
`69`	`69`	`}`
`70`	`70`	`hostCfg.ExtraHosts = append(hostCfg.ExtraHosts, params.ExtraHosts...)`
`71`	`71`	`if params.CacheDir != "" {`
`72`		`- _ = os.MkdirAll(params.CacheDir, 0744)`
	`72`	`+ _ = os.MkdirAll(params.CacheDir, 0750)`
`73`	`73`	`cacheDir, _ := filepath.Abs(params.CacheDir)`
`74`	`74`	`hostCfg.Mounts = append(hostCfg.Mounts, mount.Mount{`
`75`	`75`	`Type: mount.TypeBind,`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ import (`
`17`	`17`	`)`
`18`	`18`
`19`	`19`	`func Test_checkCredAccess(t *testing.T) {`
`20`		`- l, err := net.Listen("tcp", ":0")`
	`20`	`+ l, err := net.Listen("tcp", "127.0.0.1:0")`
`21`	`21`	`if err != nil {`
`22`	`22`	`t.Fatal("Failed to create listener: ", err.Error())`
`23`	`23`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ func TestInput(t *testing.T) {`
`36`	`36`
`37`	`37`	`url := fmt.Sprintf("http://%s", l.Addr().String())`
`38`	`38`	data := `{"job":{"package-manager":"test"},"credentials":[{"credential":"value"}]}`
`39`		`- resp, err := http.Post(url, "application/json", bytes.NewReader([]byte(data)))`
	`39`	`+ resp, err := http.Post(url, "application/json", bytes.NewReader([]byte(data))) //nolint:gosec // test code with controlled URL`
`40`	`40`	`if err != nil {`
`41`	`41`	`t.Fatal(err.Error())`
`42`	`42`	`}`