refactor: use pinned golangci-lint Docker image for linting

Refactor Dockerfile to use a separate lint stage with a pinned golangci-lint v2.11.3 Docker image instead of installing golangci-lint via curl in the builder stage. This follows the pattern used by sneak/pixa. Changes: - Dockerfile: separate lint stage using golangci/golangci-lint:v2.11.3 (Debian-based, pinned by sha256) with COPY --from=lint dependency - Bump Go from 1.24 to 1.26.1 (golang:1.26.1-bookworm, pinned) - Bump golangci-lint from v1.64.8 to v2.11.3 - Migrate .golangci.yml from v1 to v2 format (same linters, format only) - All Docker images pinned by sha256 digest - Fix all lint issues from the v2 linter upgrade: - Add package comments to all packages - Add doc comments to all exported types, functions, and methods - Fix unchecked errors (errcheck) - Fix unused parameters (revive) - Fix gosec warnings (MaxBytesReader for form parsing) - Fix staticcheck suggestions (fmt.Fprintf instead of WriteString) - Rename DeliveryTask to Task to avoid stutter (delivery.Task) - Rename shadowed builtin 'max' parameter - Update README.md version requirements
2026-03-17 05:46:03 -07:00
parent d771fe14df
commit 32a9170428
59 changed files with 7792 additions and 4282 deletions
--- a/internal/delivery/ssrf_test.go
+++ b/internal/delivery/ssrf_test.go
@@ -1,11 +1,13 @@
-package delivery
+package delivery_test

 import (
+	"context"
 	"net"
 	"testing"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"sneak.berlin/go/webhooker/internal/delivery"
 )

 func TestIsBlockedIP_PrivateRanges(t *testing.T) {
@@ -16,56 +18,52 @@ func TestIsBlockedIP_PrivateRanges(t *testing.T) {
 		ip      string
 		blocked bool
 	}{
-		// Loopback
 		{"loopback 127.0.0.1", "127.0.0.1", true},
 		{"loopback 127.0.0.2", "127.0.0.2", true},
 		{"loopback 127.255.255.255", "127.255.255.255", true},
-
-		// RFC 1918 - Class A
 		{"10.0.0.0", "10.0.0.0", true},
 		{"10.0.0.1", "10.0.0.1", true},
 		{"10.255.255.255", "10.255.255.255", true},
-
-		// RFC 1918 - Class B
 		{"172.16.0.1", "172.16.0.1", true},
 		{"172.31.255.255", "172.31.255.255", true},
 		{"172.15.255.255", "172.15.255.255", false},
 		{"172.32.0.0", "172.32.0.0", false},
-
-		// RFC 1918 - Class C
 		{"192.168.0.1", "192.168.0.1", true},
 		{"192.168.255.255", "192.168.255.255", true},
-
-		// Link-local / cloud metadata
 		{"169.254.0.1", "169.254.0.1", true},
 		{"169.254.169.254", "169.254.169.254", true},
-
-		// Public IPs (should NOT be blocked)
 		{"8.8.8.8", "8.8.8.8", false},
 		{"1.1.1.1", "1.1.1.1", false},
 		{"93.184.216.34", "93.184.216.34", false},
-
-		// IPv6 loopback
 		{"::1", "::1", true},
-
-		// IPv6 unique local
 		{"fd00::1", "fd00::1", true},
 		{"fc00::1", "fc00::1", true},
-
-		// IPv6 link-local
 		{"fe80::1", "fe80::1", true},
-
-		// IPv6 public (should NOT be blocked)
-		{"2607:f8b0:4004:800::200e", "2607:f8b0:4004:800::200e", false},
+		{
+			"2607:f8b0:4004:800::200e",
+			"2607:f8b0:4004:800::200e",
+			false,
+		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
+
 			ip := net.ParseIP(tt.ip)
-			require.NotNil(t, ip, "failed to parse IP %s", tt.ip)
-			assert.Equal(t, tt.blocked, isBlockedIP(ip),
-				"isBlockedIP(%s) = %v, want %v", tt.ip, isBlockedIP(ip), tt.blocked)
+
+			require.NotNil(t, ip,
+				"failed to parse IP %s", tt.ip,
+			)
+
+			assert.Equal(t,
+				tt.blocked,
+				delivery.ExportIsBlockedIP(ip),
+				"isBlockedIP(%s) = %v, want %v",
+				tt.ip,
+				delivery.ExportIsBlockedIP(ip),
+				tt.blocked,
+			)
 		})
 	}
 }
@@ -89,8 +87,14 @@ func TestValidateTargetURL_Blocked(t *testing.T) {
 	for _, u := range blockedURLs {
 		t.Run(u, func(t *testing.T) {
 			t.Parallel()
-			err := ValidateTargetURL(u)
-			assert.Error(t, err, "URL %s should be blocked", u)
+
+			err := delivery.ValidateTargetURL(
+				context.Background(), u,
+			)
+
+			assert.Error(t, err,
+				"URL %s should be blocked", u,
+			)
 		})
 	}
 }
@@ -98,7 +102,6 @@ func TestValidateTargetURL_Blocked(t *testing.T) {
 func TestValidateTargetURL_Allowed(t *testing.T) {
 	t.Parallel()

-	// These are public IPs and should be allowed
 	allowedURLs := []string{
 		"https://example.com/hook",
 		"http://93.184.216.34/webhook",
@@ -108,35 +111,62 @@ func TestValidateTargetURL_Allowed(t *testing.T) {
 	for _, u := range allowedURLs {
 		t.Run(u, func(t *testing.T) {
 			t.Parallel()
-			err := ValidateTargetURL(u)
-			assert.NoError(t, err, "URL %s should be allowed", u)
+
+			err := delivery.ValidateTargetURL(
+				context.Background(), u,
+			)
+
+			assert.NoError(t, err,
+				"URL %s should be allowed", u,
+			)
 		})
 	}
 }

 func TestValidateTargetURL_InvalidScheme(t *testing.T) {
 	t.Parallel()
-	err := ValidateTargetURL("ftp://example.com/hook")
-	assert.Error(t, err)
-	assert.Contains(t, err.Error(), "unsupported URL scheme")
+
+	err := delivery.ValidateTargetURL(
+		context.Background(), "ftp://example.com/hook",
+	)
+
+	require.Error(t, err)
+
+	assert.Contains(t, err.Error(),
+		"unsupported URL scheme",
+	)
 }

 func TestValidateTargetURL_EmptyHost(t *testing.T) {
 	t.Parallel()
-	err := ValidateTargetURL("http:///path")
+
+	err := delivery.ValidateTargetURL(
+		context.Background(), "http:///path",
+	)
+
 	assert.Error(t, err)
 }

 func TestValidateTargetURL_InvalidURL(t *testing.T) {
 	t.Parallel()
-	err := ValidateTargetURL("://invalid")
+
+	err := delivery.ValidateTargetURL(
+		context.Background(), "://invalid",
+	)
+
 	assert.Error(t, err)
 }

 func TestBlockedNetworks_Initialized(t *testing.T) {
 	t.Parallel()
-	assert.NotEmpty(t, blockedNetworks, "blockedNetworks should be initialized")
-	// Should have at least the main RFC 1918 + loopback + link-local ranges
-	assert.GreaterOrEqual(t, len(blockedNetworks), 8,
-		"should have at least 8 blocked network ranges")
+
+	nets := delivery.ExportBlockedNetworks()
+
+	assert.NotEmpty(t, nets,
+		"blockedNetworks should be initialized",
+	)
+
+	assert.GreaterOrEqual(t, len(nets), 8,
+		"should have at least 8 blocked network ranges",
+	)
 }