mirror of
https://github.com/lunchcat/sif.git
synced 2026-06-12 11:01:24 -07:00
vmfunc
4fc0df5a01
The nuclei-templates tarball is fetched over the network and its entry
names flowed directly into os.Mkdir/os.Create, so a malicious or
compromised archive could write outside the extraction directory
("Zip Slip", CWE-22). Resolve each entry against the working directory
and reject any path that escapes it before touching the filesystem.
CodeQL flagged this as a high-severity alert on the lines this branch
already touched. gosec's G305 fires on filepath.Join with archive data
regardless of the traversal guard, so it's excluded with a note.
95 lines
3.0 KiB
YAML
95 lines
3.0 KiB
YAML
---
|
|
version: "2"
|
|
|
|
run:
|
|
timeout: 5m
|
|
issues-exit-code: 1
|
|
|
|
linters:
|
|
enable:
|
|
- errcheck # check error returns
|
|
- govet # suspicious constructs
|
|
- staticcheck # advanced static analysis (absorbs gosimple in v2)
|
|
- unused # unused code
|
|
- ineffassign # useless assignments
|
|
- misspell # spelling mistakes
|
|
- gocritic # opinionated lints
|
|
- revive # replacement for golint
|
|
- unconvert # unnecessary type conversions
|
|
- bodyclose # http response body not closed
|
|
- noctx # http requests without context
|
|
- gosec # security issues
|
|
- errorlint # error wrapping and comparison
|
|
- nilnil # return nil, nil
|
|
- wastedassign # assignments to variables never read
|
|
- usetesting # os.Setenv in tests instead of t.Setenv, etc.
|
|
|
|
settings:
|
|
govet:
|
|
enable-all: true
|
|
disable:
|
|
# too many structs to reorder, risks breaking serialization
|
|
- fieldalignment
|
|
- shadow # common Go pattern, too noisy
|
|
- unusedwrite # false positives on test data structs
|
|
errcheck:
|
|
check-blank: false
|
|
exclude-functions:
|
|
# log writes are best-effort
|
|
- github.com/dropalldatabases/sif/internal/logger.Write
|
|
# Close on io.Closer is idiomatic best-effort
|
|
- (io.Closer).Close
|
|
- (*os.File).Close
|
|
- (*net/http.Response).Body.Close
|
|
# fmt.Fprint* returns are rarely actionable
|
|
- fmt.Fprint
|
|
- fmt.Fprintf
|
|
- fmt.Fprintln
|
|
staticcheck:
|
|
# QF1003/QF1012 are v2 quickfix suggestions, not bugs.
|
|
# ST1000/ST1003 were the stylecheck linter in v1
|
|
# (not previously enabled); skipping to match prior parity.
|
|
checks:
|
|
- all
|
|
- -QF1003
|
|
- -QF1012
|
|
- -ST1000
|
|
- -ST1003
|
|
revive:
|
|
rules:
|
|
# stuttering names (scan.ScanResult) need breaking API changes
|
|
- name: exported
|
|
disabled: true
|
|
gocritic:
|
|
enabled-tags:
|
|
- diagnostic
|
|
- style
|
|
- performance
|
|
disabled-checks:
|
|
- commentedOutCode # too opinionated for a project with TODOs
|
|
- paramTypeCombine # style-only, not worth churn
|
|
- unnamedResult # style-only
|
|
- unnecessaryDefer # common pattern in tests
|
|
# inverting conditions in scan logic hurts readability
|
|
- nestingReduce
|
|
gosec:
|
|
excludes:
|
|
- G104 # errcheck covers this
|
|
- G107 # pentesting tool -- variable URLs are the whole point
|
|
- G110 # nuclei template decompression, acceptable context
|
|
- G304 # sif reads user-supplied wordlist paths -- intentional
|
|
- G305 # tar extraction is traversal-guarded (HasPrefix on the
|
|
# cleaned target); gosec flags filepath.Join regardless
|
|
|
|
exclusions:
|
|
rules:
|
|
# test files get some slack
|
|
- path: _test\.go
|
|
linters:
|
|
- errcheck
|
|
- noctx
|
|
|
|
issues:
|
|
max-issues-per-linter: 50
|
|
max-same-issues: 50
|