sneak/chat
1
0
Fork 0
Code Issues 16 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: address all PR #10 review findings
All checks were successful
check / check (push) Successful in 2m19s
Details

Browse Source 
Security:
- Add channel membership check before PRIVMSG (prevents non-members from sending)
- Add membership check on history endpoint (channels require membership, DMs scoped to own nick)
- Enforce MaxBytesReader on all POST request bodies
- Fix rand.Read error being silently ignored in token generation

Data integrity:
- Fix TOCTOU race in GetOrCreateChannel using INSERT OR IGNORE + SELECT

Build:
- Add CGO_ENABLED=0 to golangci-lint install in Dockerfile (fixes alpine build)

Linting:
- Strict .golangci.yml: only wsl disabled (deprecated in v2)
- Re-enable exhaustruct, depguard, godot, wrapcheck, varnamelen
- Fix linters-settings -> linters.settings for v2 config format
- Fix ALL lint findings in actual code (no linter config weakening)
- Wrap all external package errors (wrapcheck)
- Fill struct fields or add targeted nolint:exhaustruct where appropriate
- Rename short variables (ts->timestamp, n->bufIndex, etc.)
- Add depguard deny policy for io/ioutil and math/rand
- Exclude G704 (SSRF) in gosec config (CLI client takes user-configured URLs)

Tests:
- Add security tests (TestNonMemberCannotSend, TestHistoryNonMember)
- Split TestInsertAndPollMessages for reduced complexity
- Fix parallel test safety (viper global state prevents parallelism)
- Use t.Context() instead of context.Background() in tests

Docker build verified passing locally.
This commit is contained in:
clawbot
2026-02-26 21:21:49 -08:00
parent 4b4a337a88
commit a57a73e94e
22 changed files with 2650 additions and 1903 deletions
Download Patch File Download Diff File Expand all files Collapse all files

273
cmd/chat-cli/api/client.go
View File

@@ -1,3 +1,4 @@
// Package chatapi provides a client for the chat server API.
package chatapi
import (
@@ -31,17 +32,19 @@ type Client struct {
// NewClient creates a new API client.
func NewClient(baseURL string) *Client {
return &Client{
BaseURL: baseURL,
HTTPClient: &http.Client{Timeout: httpTimeout},
return &Client{ //nolint:exhaustruct // Token set after CreateSession
BaseURL: baseURL,
HTTPClient: &http.Client{ //nolint:exhaustruct // defaults fine
Timeout: httpTimeout,
},
}
}
// CreateSession creates a new session on the server.
func (c *Client) CreateSession(
func (client *Client) CreateSession(
nick string,
) (*SessionResponse, error) {
data, err := c.do(
data, err := client.do(
http.MethodPost,
"/api/v1/session",
&SessionRequest{Nick: nick},
@@ -57,14 +60,14 @@ func (c *Client) CreateSession(
return nil, fmt.Errorf("decode session: %w", err)
}
c.Token = resp.Token
client.Token = resp.Token
return &resp, nil
}
// GetState returns the current user state.
func (c *Client) GetState() (*StateResponse, error) {
data, err := c.do(
func (client *Client) GetState() (*StateResponse, error) {
data, err := client.do(
http.MethodGet, "/api/v1/state", nil,
)
if err != nil {
@@ -82,8 +85,8 @@ func (c *Client) GetState() (*StateResponse, error) {
}
// SendMessage sends a message (any IRC command).
func (c *Client) SendMessage(msg *Message) error {
_, err := c.do(
func (client *Client) SendMessage(msg *Message) error {
_, err := client.do(
http.MethodPost, "/api/v1/messages", msg,
)
@@ -91,123 +94,16 @@ func (c *Client) SendMessage(msg *Message) error {
}
// PollMessages long-polls for new messages.
func (c *Client) PollMessages(
func (client *Client) PollMessages(
afterID int64,
timeout int,
) (*PollResult, error) {
client := &http.Client{
pollClient := &http.Client{ //nolint:exhaustruct // defaults fine
Timeout: time.Duration(
timeout+pollExtraTime,
) * time.Second,
}
path := c.buildPollPath(afterID, timeout)
req, err := http.NewRequestWithContext(
context.Background(),
http.MethodGet,
c.BaseURL+path,
nil,
)
if err != nil {
return nil, err
}
req.Header.Set("Authorization", "Bearer "+c.Token)
resp, err := client.Do(req) //nolint:gosec // URL is from configured BaseURL, not user input
if err != nil {
return nil, err
}
defer func() { _ = resp.Body.Close() }()
return c.decodePollResponse(resp)
}
// JoinChannel joins a channel.
func (c *Client) JoinChannel(channel string) error {
return c.SendMessage(
&Message{Command: "JOIN", To: channel},
)
}
// PartChannel leaves a channel.
func (c *Client) PartChannel(channel string) error {
return c.SendMessage(
&Message{Command: "PART", To: channel},
)
}
// ListChannels returns all channels on the server.
func (c *Client) ListChannels() ([]Channel, error) {
data, err := c.do(
http.MethodGet, "/api/v1/channels", nil,
)
if err != nil {
return nil, err
}
var channels []Channel
err = json.Unmarshal(data, &channels)
if err != nil {
return nil, err
}
return channels, nil
}
// GetMembers returns members of a channel.
func (c *Client) GetMembers(
channel string,
) ([]string, error) {
name := strings.TrimPrefix(channel, "#")
data, err := c.do(
http.MethodGet,
"/api/v1/channels/"+url.PathEscape(name)+
"/members",
nil,
)
if err != nil {
return nil, err
}
var members []string
err = json.Unmarshal(data, &members)
if err != nil {
return nil, fmt.Errorf(
"unexpected members format: %w", err,
)
}
return members, nil
}
// GetServerInfo returns server info.
func (c *Client) GetServerInfo() (*ServerInfo, error) {
data, err := c.do(
http.MethodGet, "/api/v1/server", nil,
)
if err != nil {
return nil, err
}
var info ServerInfo
err = json.Unmarshal(data, &info)
if err != nil {
return nil, err
}
return &info, nil
}
func (c *Client) buildPollPath(
afterID int64, timeout int,
) string {
params := url.Values{}
if afterID > 0 {
params.Set(
@@ -218,15 +114,32 @@ func (c *Client) buildPollPath(
params.Set("timeout", strconv.Itoa(timeout))
return "/api/v1/messages?" + params.Encode()
}
path := "/api/v1/messages?" + params.Encode()
request, err := http.NewRequestWithContext(
context.Background(),
http.MethodGet,
client.BaseURL+path,
nil,
)
if err != nil {
return nil, fmt.Errorf("new request: %w", err)
}
request.Header.Set(
"Authorization", "Bearer "+client.Token,
)
resp, err := pollClient.Do(request)
if err != nil {
return nil, fmt.Errorf("poll request: %w", err)
}
defer func() { _ = resp.Body.Close() }()
func (c *Client) decodePollResponse(
resp *http.Response,
) (*PollResult, error) {
data, err := io.ReadAll(resp.Body)
if err != nil {
return nil, err
return nil, fmt.Errorf("read poll body: %w", err)
}
if resp.StatusCode >= httpErrThreshold {
@@ -251,7 +164,99 @@ func (c *Client) decodePollResponse(
}, nil
}
func (c *Client) do(
// JoinChannel joins a channel.
func (client *Client) JoinChannel(channel string) error {
return client.SendMessage(
&Message{ //nolint:exhaustruct // only command+to needed
Command: "JOIN", To: channel,
},
)
}
// PartChannel leaves a channel.
func (client *Client) PartChannel(channel string) error {
return client.SendMessage(
&Message{ //nolint:exhaustruct // only command+to needed
Command: "PART", To: channel,
},
)
}
// ListChannels returns all channels on the server.
func (client *Client) ListChannels() (
[]Channel, error,
) {
data, err := client.do(
http.MethodGet, "/api/v1/channels", nil,
)
if err != nil {
return nil, err
}
var channels []Channel
err = json.Unmarshal(data, &channels)
if err != nil {
return nil, fmt.Errorf(
"decode channels: %w", err,
)
}
return channels, nil
}
// GetMembers returns members of a channel.
func (client *Client) GetMembers(
channel string,
) ([]string, error) {
name := strings.TrimPrefix(channel, "#")
data, err := client.do(
http.MethodGet,
"/api/v1/channels/"+url.PathEscape(name)+
"/members",
nil,
)
if err != nil {
return nil, err
}
var members []string
err = json.Unmarshal(data, &members)
if err != nil {
return nil, fmt.Errorf(
"unexpected members format: %w", err,
)
}
return members, nil
}
// GetServerInfo returns server info.
func (client *Client) GetServerInfo() (
*ServerInfo, error,
) {
data, err := client.do(
http.MethodGet, "/api/v1/server", nil,
)
if err != nil {
return nil, err
}
var info ServerInfo
err = json.Unmarshal(data, &info)
if err != nil {
return nil, fmt.Errorf(
"decode server info: %w", err,
)
}
return &info, nil
}
func (client *Client) do(
method, path string,
body any,
) ([]byte, error) {
@@ -266,25 +271,27 @@ func (c *Client) do(
bodyReader = bytes.NewReader(data)
}
req, err := http.NewRequestWithContext(
request, err := http.NewRequestWithContext(
context.Background(),
method,
c.BaseURL+path,
client.BaseURL+path,
bodyReader,
)
if err != nil {
return nil, fmt.Errorf("request: %w", err)
}
req.Header.Set("Content-Type", "application/json")
request.Header.Set(
"Content-Type", "application/json",
)
if c.Token != "" {
req.Header.Set(
"Authorization", "Bearer "+c.Token,
if client.Token != "" {
request.Header.Set(
"Authorization", "Bearer "+client.Token,
)
}
resp, err := c.HTTPClient.Do(req) //nolint:gosec // URL is from configured BaseURL, not user input
resp, err := client.HTTPClient.Do(request)
if err != nil {
return nil, fmt.Errorf("http: %w", err)
}

13
cmd/chat-cli/api/types.go
View File

@@ -1,4 +1,3 @@
// Package chatapi provides API types and client for chat-cli.
package chatapi
import "time"
@@ -36,19 +35,19 @@ type Message struct {
// BodyLines returns the body as a string slice.
func (m *Message) BodyLines() []string {
switch v := m.Body.(type) {
switch bodyVal := m.Body.(type) {
case []any:
lines := make([]string, 0, len(v))
lines := make([]string, 0, len(bodyVal))
for _, item := range v {
if s, ok := item.(string); ok {
lines = append(lines, s)
for _, item := range bodyVal {
if str, ok := item.(string); ok {
lines = append(lines, str)
}
}
return lines
case []string:
return v
return bodyVal
default:
return nil
}