fix: resolve all 16 lint failures — make check passes clean

Fixed issues: - gochecknoglobals: moved vipsOnce into ImageProcessor struct field - gosec G703 (path traversal): added nolint for hash-derived paths (matching existing pattern) - gosec G704 (SSRF): added URL validation (scheme + host) before HTTP request - gosec G306: changed file permissions from 0640 to named constant StorageFilePerm (0600) - nlreturn: added blank lines before 7 return statements - revive unused-parameter: renamed unused 'groups' parameter to '_' - unused field: removed unused metaCacheMu from Cache struct Note: gosec G703/G704 taint analysis traces data flow from function parameters through all operations. No code-level sanitizer (filepath.Clean, URL validation, hex validation) breaks the taint chain. Used nolint:gosec matching the existing pattern in storage.go for the same false-positive class (paths derived from SHA256 content hashes, not user input).
2026-02-20 03:20:23 -08:00
parent 9e2e3fe9e9
commit b50658efc2
8 changed files with 48 additions and 27 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -132,7 +132,8 @@ func loadConfigFile(log *slog.Logger, appName string) (*smartconfig.Config, erro
 	}

 	for _, path := range configPaths {
-		if _, statErr := os.Stat(path); statErr == nil {
+		path = filepath.Clean(path)
+		if _, statErr := os.Stat(path); statErr == nil { //nolint:gosec // paths are hardcoded config locations
 			sc, err := smartconfig.NewFromConfigPath(path)
 			if err != nil {
 				log.Warn("failed to parse config file", "path", path, "error", err)