From abcc7b6c3ae5fbd6c08cce98f65ba4544869a4b1 Mon Sep 17 00:00:00 2001
From: sneak
Date: Fri, 20 Jun 2025 09:50:00 -0700
Subject: [PATCH] fix: resolve gosec integer overflow and unconvert issues

- Fix G115 integer overflow by converting uint32 to int comparison
- Remove unnecessary int() conversions for syscall constants
- syscall.Stdin/Stderr/Stdout are already int type
---
 internal/secret/crypto.go | 6 +++---
 internal/secret/debug.go | 2 +-
 internal/secret/debug_test.go | 2 +-
 pkg/bip85/bip85.go | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/internal/secret/crypto.go b/internal/secret/crypto.go
index 29813cc..d0fc8e4 100644
--- a/internal/secret/crypto.go
+++ b/internal/secret/crypto.go
@@ -83,19 +83,19 @@ func DecryptWithPassphrase(encryptedData []byte, passphrase string) ([]byte, err
 // This version is for unlocking and doesn't require confirmation
 func ReadPassphrase(prompt string) (string, error) {
 	// Check if stdin is a terminal
-	if !term.IsTerminal(int(syscall.Stdin)) {
+	if !term.IsTerminal(syscall.Stdin) {
 		// Not a terminal - never read passphrases from piped input for security reasons
 		return "", fmt.Errorf("cannot read passphrase from non-terminal stdin (piped input or script). Please set the SB_UNLOCK_PASSPHRASE environment variable or run interactively")
 	}
 
 	// stdin is a terminal, check if stderr is also a terminal for interactive prompting
-	if !term.IsTerminal(int(syscall.Stderr)) {
+	if !term.IsTerminal(syscall.Stderr) {
 		return "", fmt.Errorf("cannot prompt for passphrase: stderr is not a terminal (running in non-interactive mode). Please set the SB_UNLOCK_PASSPHRASE environment variable")
 	}
 
 	// Both stdin and stderr are terminals - use secure password reading
 	fmt.Fprint(os.Stderr, prompt) // Write prompt to stderr, not stdout
-	passphrase, err := term.ReadPassword(int(syscall.Stdin))
+	passphrase, err := term.ReadPassword(syscall.Stdin)
 	if err != nil {
 		return "", fmt.Errorf("failed to read passphrase: %w", err)
 	}
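Review bot: Dropping the `int()` around `syscall.Stdin` and `syscall.Stderr` in ReadPassphrase ties this file to Unix builds: on Unix those variables are `int`, but on Windows they are `syscall.Handle`, so `term.IsTerminal` and `term.ReadPassword` (both take an `int` fd) no longer compile there. If portability matters, the conversion that satisfies both unconvert and the build is the fd of the `*os.File`, e.g. `if !term.IsTerminal(int(os.Stdin.Fd())) {` and `passphrase, err := term.ReadPassword(int(os.Stdin.Fd()))`, with the stderr check done the same way. The same applies to the debug.go and debug_test.go hunks, though debug.go already calls `syscall.SYS_FCNTL` and so may be Unix-only by design. ReadPassphrase continues past the end of this hunk.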
diff --git a/internal/secret/debug.go b/internal/secret/debug.go index 2aeb948..34f4f77 100644 --- a/internal/secret/debug.go +++ b/internal/secret/debug.go @@ -36,7 +36,7 @@ func InitDebugLogging() { _, _, _ = syscall.Syscall(syscall.SYS_FCNTL, os.Stderr.Fd(), syscall.F_SETFL, syscall.O_SYNC) // Check if STDERR is a TTY - isTTY := term.IsTerminal(int(syscall.Stderr)) + isTTY := term.IsTerminal(syscall.Stderr) var handler slog.Handler if isTTY { diff --git a/internal/secret/debug_test.go b/internal/secret/debug_test.go index 2eb8d1f..4392672 100644 --- a/internal/secret/debug_test.go +++ b/internal/secret/debug_test.go @@ -64,7 +64,7 @@ func TestDebugLogging(t *testing.T) { // Override the debug logger for testing oldLogger := debugLogger - if term.IsTerminal(int(syscall.Stderr)) { + if term.IsTerminal(syscall.Stderr) { // TTY: use colorized handler with our buffer debugLogger = slog.New(newColorizedHandler(&buf)) } else { diff --git a/pkg/bip85/bip85.go b/pkg/bip85/bip85.go index 5a1575c..e8666ec 100644 --- a/pkg/bip85/bip85.go +++ b/pkg/bip85/bip85.go @@ -308,7 +308,7 @@ func DeriveBase64Password(masterKey *hdkeychain.ExtendedKey, pwdLen, index uint3 encodedStr = strings.TrimRight(encodedStr, "=") // Slice to the desired password length - if uint32(len(encodedStr)) < pwdLen { + if len(encodedStr) < int(pwdLen) { return "", fmt.Errorf("derived password length %d is shorter than requested length %d", len(encodedStr), pwdLen) } @@ -332,7 +332,7 @@ func DeriveBase85Password(masterKey *hdkeychain.ExtendedKey, pwdLen, index uint3 encoded := encodeBase85WithRFC1924Charset(entropy) // Slice to the desired password length - if uint32(len(encoded)) < pwdLen { + if len(encoded) < int(pwdLen) { return "", fmt.Errorf("encoded length %d is less than requested length %d", len(encoded), pwdLen) }
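Review bot: The rewritten guard `if len(encodedStr) < int(pwdLen) {` in DeriveBase64Password is only safe where `int` is 64-bit; on a 32-bit target a `pwdLen` of 2^31 or more converts to a negative `int`, the comparison is false, and execution presumably falls through to the slicing the comment describes with an out-of-range length. Unless `pwdLen` is already bounded earlier in the function (its start is outside the hunk), consider rejecting oversized requests before converting, e.g. `if pwdLen > math.MaxInt32 || len(encodedStr) < int(pwdLen) {` (adding a `math` import if the file lacks one), or validating `pwdLen` against a sensible maximum at the top of the function. The DeriveBase85Password hunk at -332 has the same shape and needs the same treatment. Both functions end outside the hunks shown.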