From 2e22c25ac9fa0096e7c8ee8fd7373c81b1c3ff74 Mon Sep 17 00:00:00 2001 From: Patrick D'appollonio <930925+patrickdappollonio@users.noreply.github.com> Date: Sun, 22 Mar 2026 20:39:20 -0400 Subject: [PATCH 1/5] Add MIME type mappings for mobile app package formats (.apk, .xapk, .aab, .ipa) --- internal/ctype/ctypes.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/internal/ctype/ctypes.go b/internal/ctype/ctypes.go index e78b767..0397aff 100644 --- a/internal/ctype/ctypes.go +++ b/internal/ctype/ctypes.go @@ -155,6 +155,12 @@ var ctypes = []struct { {[]string{".z"}, nil, "application/x-compress"}, {[]string{".zlib"}, nil, "application/x-zlib"}, + // Mobile/App Package Formats + {[]string{".apk"}, nil, "application/vnd.android.package-archive"}, // Android Package + {[]string{".xapk"}, nil, "application/vnd.android.package-archive"}, // Compressed APK + {[]string{".aab"}, nil, "application/x-authorware-bin"}, // Android App Bundle + {[]string{".ipa"}, nil, "application/octet-stream"}, // iOS App Package + // Configuration and Dependency Files {nil, []string{"Dockerfile"}, "text/x-dockerfile"}, {nil, []string{"Gemfile"}, "text/plain"}, From 2fa06487e9f42e266eeac59a814a3762c5b53fbe Mon Sep 17 00:00:00 2001 From: Patrick D'appollonio <930925+patrickdappollonio@users.noreply.github.com> Date: Sun, 22 Mar 2026 20:42:05 -0400 Subject: [PATCH 2/5] Exclude gosec G703 and G705 rules incompatible with file server --- .golangci.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.golangci.yaml b/.golangci.yaml index 094ed2d..5456ece 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -86,6 +86,8 @@ linters: excludes: - G401 - G505 + - G703 + - G705 confidence: medium ireturn: allow: From b0a0de8714d2eb0153c31253a7e520eb22904354 Mon Sep 17 00:00:00 2001 From: Patrick D'appollonio <930925+patrickdappollonio@users.noreply.github.com> Date: Sun, 22 Mar 2026 20:44:06 -0400 Subject: [PATCH 3/5] Add nolint:gosec annotations for G703/G705 false positives in handlers --- internal/server/handlers.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/internal/server/handlers.go b/internal/server/handlers.go index 7949c38..394cf61 100644 --- a/internal/server/handlers.go +++ b/internal/server/handlers.go @@ -40,7 +40,7 @@ func (s *Server) showOrRender(w http.ResponseWriter, r *http.Request) { } // Stat the current path - info, err := os.Stat(currentPath) + info, err := os.Stat(currentPath) //nolint:gosec // path is sanitized via filepath.Abs and constrained to the serving root if err != nil { // If the path doesn't exist, return the 404 error but also print in the log // of the app the full path to the given location @@ -156,7 +156,7 @@ func (s *Server) walk(requestedPath string, w http.ResponseWriter, r *http.Reque // file exists, if so, return it instead for _, index := range []string{"index.html", "index.htm"} { indexPath := filepath.Join(requestedPath, index) - if _, err := os.Stat(indexPath); err == nil { + if _, err := os.Stat(indexPath); err == nil { //nolint:gosec // index filename is hardcoded, not user-controlled s.serveFile(0, indexPath, w, r) return } @@ -170,7 +170,7 @@ func (s *Server) walk(requestedPath string, w http.ResponseWriter, r *http.Reque } // Open the directory path and read all files - dir, err := os.Open(requestedPath) + dir, err := os.Open(requestedPath) //nolint:gosec // file server: serving user-requested paths is the core purpose if err != nil { // If the directory doesn't exist, render an appropriate message if os.IsNotExist(err) { @@ -392,7 +392,7 @@ func (s *Server) healthCheck(w http.ResponseWriter, _ *http.Request) { // httpErrorf writes an error message to the response writer. func httpErrorf(statusCode int, w http.ResponseWriter, format string, args ...any) { w.WriteHeader(statusCode) - fmt.Fprintf(w, format, args...) + fmt.Fprintf(w, format, args...) //nolint:gosec // error messages are controlled strings, not user input } // getParentURL returns the parent URL for the given location. From 7d9fcd7c892bcffa0f2d1ff6a25d92b1e1999e09 Mon Sep 17 00:00:00 2001 From: Patrick D'appollonio <930925+patrickdappollonio@users.noreply.github.com> Date: Sun, 22 Mar 2026 22:12:20 -0400 Subject: [PATCH 4/5] Revert gosec G703/G705 exclusions from golangci config The nolint annotations on individual lines handle these false positives instead of blanket-excluding the rules project-wide. --- .golangci.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.golangci.yaml b/.golangci.yaml index 5456ece..094ed2d 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -86,8 +86,6 @@ linters: excludes: - G401 - G505 - - G703 - - G705 confidence: medium ireturn: allow: From 7cda37637768b9efe602aa93075df06697253554 Mon Sep 17 00:00:00 2001 From: Patrick D'appollonio <930925+patrickdappollonio@users.noreply.github.com> Date: Sun, 22 Mar 2026 23:50:35 -0400 Subject: [PATCH 5/5] Add nolint:gosec annotations for remaining G703 false positives The os.Open calls in serveFile and renderMarkdownFile operate on paths derived from the serving root, not raw user input. --- internal/server/handlers.go | 2 +- internal/server/markdown.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/internal/server/handlers.go b/internal/server/handlers.go index 394cf61..cbc1ec6 100644 --- a/internal/server/handlers.go +++ b/internal/server/handlers.go @@ -297,7 +297,7 @@ func (s *statusCodeHijacker) WriteHeader(code int) { // If the status code is not 0, the status code provided will be used // when serving the file in the given path. func (s *Server) serveFile(statusCode int, location string, w http.ResponseWriter, r *http.Request) { - f, err := os.Open(location) + f, err := os.Open(location) //nolint:gosec // file server: location is derived from the serving root, not raw user input if err != nil { if os.IsNotExist(err) { httpErrorf(http.StatusNotFound, w, "404 not found") diff --git a/internal/server/markdown.go b/internal/server/markdown.go index bea479a..db488c9 100644 --- a/internal/server/markdown.go +++ b/internal/server/markdown.go @@ -25,7 +25,7 @@ var allowedIndexFiles = []string{"README.md", "README.markdown", "readme.md", "r // renderMarkdownFile renders a markdown file from a given location func (s *Server) renderMarkdownFile(location string, v *bytes.Buffer) error { // Generate a full path then open the file - f, err := os.Open(location) + f, err := os.Open(location) //nolint:gosec // file server: location is constructed from the serving root directory if err != nil { return fmt.Errorf("unable to open markdown file %q: %w", location, err) }