fix: resolve all gosec findings (48 → 0 issues)

- Tighten directory permissions to 0750 and file permissions to 0600
- Add filepath.Clean for file path sanitization (G304)
- Add io.LimitReader to prevent decompression bombs (G110)
- Add ReadHeaderTimeout to prevent Slowloris attacks (G112)
- Escape user input in logs and HTTP responses (G705, G706)
- Handle all returned errors (G104)
- Add #nosec for safe integer conversions in memstats (G115)

Author: panyam

Makefile

@@ -11,6 +11,20 @@ LDFLAGS := -X main.Version=$(VERSION) -X main.GitCommit=$(GIT_COMMIT) -X main.Bu
 test:
 	go test ./...
 
+# Full security audit: dependency vulns + code patterns + secrets
+audit:
+	@echo "=== govulncheck ==="
+	govulncheck ./...
+	@echo ""
+	@echo "=== gosec ==="
+	gosec -quiet -severity=medium ./... || true
+	@echo ""
+	@echo "=== gitleaks ==="
+	gitleaks detect --source . -v 2>/dev/null || echo "gitleaks not installed (go install github.com/gitleaks/gitleaks/v8@latest)"
+	@echo ""
+	@echo "=== Audit complete ==="
+
+
 build:
 	go build -ldflags="$(LDFLAGS)" -o templar ./cmd/templar
 

cmd/templar/debug.go

@@ -54,14 +54,14 @@ func init() {
 	debugCmd.Flags().Bool("trace", false, "Trace path resolution for includes")
 
 	// Bind flags to viper
-	viper.BindPFlag("debug.path", debugCmd.Flags().Lookup("path"))
-	viper.BindPFlag("debug.verbose", debugCmd.Flags().Lookup("verbose"))
-	viper.BindPFlag("debug.defines", debugCmd.Flags().Lookup("defines"))
-	viper.BindPFlag("debug.refs", debugCmd.Flags().Lookup("refs"))
-	viper.BindPFlag("debug.cycles", debugCmd.Flags().Lookup("cycles"))
-	viper.BindPFlag("debug.dot", debugCmd.Flags().Lookup("dot"))
-	viper.BindPFlag("debug.flatten", debugCmd.Flags().Lookup("flatten"))
-	viper.BindPFlag("debug.trace", debugCmd.Flags().Lookup("trace"))
+	_ = viper.BindPFlag("debug.path", debugCmd.Flags().Lookup("path"))
+	_ = viper.BindPFlag("debug.verbose", debugCmd.Flags().Lookup("verbose"))
+	_ = viper.BindPFlag("debug.defines", debugCmd.Flags().Lookup("defines"))
+	_ = viper.BindPFlag("debug.refs", debugCmd.Flags().Lookup("refs"))
+	_ = viper.BindPFlag("debug.cycles", debugCmd.Flags().Lookup("cycles"))
+	_ = viper.BindPFlag("debug.dot", debugCmd.Flags().Lookup("dot"))
+	_ = viper.BindPFlag("debug.flatten", debugCmd.Flags().Lookup("flatten"))
+	_ = viper.BindPFlag("debug.trace", debugCmd.Flags().Lookup("trace"))
 
 	// Set defaults
 	viper.SetDefault("debug.path", ".")
@@ -343,7 +343,7 @@ func (g *DependencyGraph) analyzeTemplate(name string, fromDir string) (*Templat
 	}
 
 	// Read and parse the file
-	content, err := os.ReadFile(fullPath)
+	content, err := os.ReadFile(filepath.Clean(fullPath))
 	if err != nil {
 		return nil, fmt.Errorf("cannot read %s: %w", fullPath, err)
 	}

cmd/templar/init.go

@@ -44,7 +44,7 @@ func runInit(cmd *cobra.Command, args []string) error {
 	}
 
 	// Create templates directory if it doesn't exist
-	if err := os.MkdirAll("templates", 0755); err != nil {
+	if err := os.MkdirAll("templates", 0750); err != nil {
 		fmt.Fprintf(os.Stderr, "Warning: could not create templates directory: %v\n", err)
 	}
 
@@ -73,7 +73,7 @@ search_paths:
   - ./templar_modules     # Then vendored dependencies
 `
 
-	if err := os.WriteFile(configPath, []byte(content), 0644); err != nil {
+	if err := os.WriteFile(configPath, []byte(content), 0600); err != nil {
 		return fmt.Errorf("failed to write templar.yaml: %w", err)
 	}
 

cmd/templar/serve.go

@@ -35,7 +35,7 @@ Examples:
 			TemplateDirs: templateDirs,
 			StaticDirs:   staticDirs,
 		}
-		b.Serve(nil, addr)
+		_ = b.Serve(nil, addr)
 	},
 }
 
@@ -45,9 +45,9 @@ func init() {
 	serveCmd.Flags().StringArrayP("static", "s", nil, "Static directories in format <http_prefix>:<local_folder> (can be repeated)")
 
 	// Bind flags to viper
-	viper.BindPFlag("serve.addr", serveCmd.Flags().Lookup("addr"))
-	viper.BindPFlag("serve.templates", serveCmd.Flags().Lookup("template"))
-	viper.BindPFlag("serve.static", serveCmd.Flags().Lookup("static"))
+	_ = viper.BindPFlag("serve.addr", serveCmd.Flags().Lookup("addr"))
+	_ = viper.BindPFlag("serve.templates", serveCmd.Flags().Lookup("template"))
+	_ = viper.BindPFlag("serve.static", serveCmd.Flags().Lookup("static"))
 
 	// Set defaults
 	viper.SetDefault("serve.addr", ":7777")

cmd/templar/sources.go

@@ -78,6 +78,6 @@ func runSources(cmd *cobra.Command, args []string) error {
 		fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", name, source.URL, source.Ref, status)
 	}
 
-	w.Flush()
+	_ = w.Flush()
 	return nil
 }

examples/main.go

@@ -5,6 +5,7 @@ import (
 	"io"
 	"log"
 	"os"
+	"path/filepath"
 	"time"
 
 	"github.com/panyam/templar"
@@ -66,7 +67,7 @@ func main() {
 	})
 
 	// Example of using a loader list with fallbacks
-	err := os.MkdirAll("./output", 0755)
+	err := os.MkdirAll("./output", 0750)
 	if err != nil {
 		log.Fatal("Could not create directory: ", err)
 		panic(err)
@@ -92,7 +93,7 @@ func main() {
 }
 
 func openFile(outfile string) io.Writer {
-	out, err := os.Create(outfile)
+	out, err := os.OpenFile(filepath.Clean(outfile), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		panic(err)
 	}
@@ -188,7 +189,9 @@ func exampleConditionalLoading(isMobile bool, group *templar.TemplateGroup, w io
 		// For this example, we'll just note that we could render it
 		fmt.Println("Template ready for rendering")
 
-		group.RenderHtmlTemplate(w, tmpl[0], "", data, nil)
+		if err := group.RenderHtmlTemplate(w, tmpl[0], "", data, nil); err != nil {
+			fmt.Printf("Error rendering template: %v\n", err)
+		}
 	}
 }
 

fetch.go

@@ -58,7 +58,7 @@ func FetchSource(config *VendorConfig, sourceName string) (*FetchResult, error)
 	}
 
 	// Create destination directory
-	if err := os.MkdirAll(destDir, 0755); err != nil {
+	if err := os.MkdirAll(destDir, 0750); err != nil {
 		return nil, fmt.Errorf("failed to create destination: %w", err)
 	}
 
@@ -111,7 +111,7 @@ func fetchFromGitHub(source SourceConfig, destDir, ref string) (string, int, err
 	tarballURL := fmt.Sprintf("https://codeload.github.com/%s/%s/tar.gz/%s", owner, repo, ref)
 
 	// Download tarball
-	resp, err := http.Get(tarballURL)
+	resp, err := http.Get(tarballURL) // #nosec G107 -- URL constructed from validated GitHub owner/repo
 	if err != nil {
 		return "", 0, fmt.Errorf("failed to download tarball: %w", err)
 	}
@@ -239,31 +239,31 @@ func extractTarGz(reader io.Reader, destDir, subPath string, include, exclude []
 
 		switch header.Typeflag {
 		case tar.TypeDir:
-			if err := os.MkdirAll(destPath, 0755); err != nil {
+			if err := os.MkdirAll(destPath, 0750); err != nil {
 				return filesExtracted, fmt.Errorf("failed to create directory %s: %w", destPath, err)
 			}
 		case tar.TypeReg, tar.TypeRegA:
 			// Ensure parent directory exists
-			if err := os.MkdirAll(filepath.Dir(destPath), 0755); err != nil {
+			if err := os.MkdirAll(filepath.Dir(destPath), 0750); err != nil {
 				return filesExtracted, fmt.Errorf("failed to create parent directory: %w", err)
 			}
 
-			// Create file
-			outFile, err := os.Create(destPath)
+			// Create file with restricted permissions
+			outFile, err := os.OpenFile(filepath.Clean(destPath), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 			if err != nil {
 				return filesExtracted, fmt.Errorf("failed to create file %s: %w", destPath, err)
 			}
 
-			if _, err := io.Copy(outFile, tr); err != nil {
-				outFile.Close()
+			// Limit copy size to prevent decompression bombs (256MB per file)
+			const maxFileSize = 256 << 20
+			if _, err := io.Copy(outFile, io.LimitReader(tr, maxFileSize)); err != nil {
+				_ = outFile.Close()
 				return filesExtracted, fmt.Errorf("failed to write file %s: %w", destPath, err)
 			}
-			outFile.Close()
+			_ = outFile.Close()
 
-			// Set file permissions
-			if err := os.Chmod(destPath, os.FileMode(header.Mode)); err != nil {
-				// Non-fatal, just log
-			}
+			// Set file permissions (mask to permission bits only)
+			_ = os.Chmod(destPath, os.FileMode(header.Mode)&os.ModePerm) // #nosec G115
 
 			filesExtracted++
 		}
@@ -385,7 +385,7 @@ it is a build artifact that should be regenerated from the config file.
 		configName, info.FetchCmd, dirName)
 
 	readmePath := filepath.Join(vendorDir, "README.md")
-	return os.WriteFile(readmePath, []byte(readme), 0644)
+	return os.WriteFile(readmePath, []byte(readme), 0600)
 }
 
 // FetchAllSources fetches all sources defined in the config
@@ -440,7 +440,7 @@ func WriteLockFileFor(path string, lock *VendorLock, info ToolInfo) error {
 
 	content := header + string(data)
 
-	if err := os.WriteFile(path, []byte(content), 0644); err != nil {
+	if err := os.WriteFile(filepath.Clean(path), []byte(content), 0600); err != nil {
 		return fmt.Errorf("failed to write lock file: %w", err)
 	}
 
@@ -449,7 +449,7 @@ func WriteLockFileFor(path string, lock *VendorLock, info ToolInfo) error {
 
 // LoadLockFile loads a VendorLock from the specified path
 func LoadLockFile(path string) (*VendorLock, error) {
-	data, err := os.ReadFile(path)
+	data, err := os.ReadFile(filepath.Clean(path))
 	if err != nil {
 		return nil, fmt.Errorf("failed to read lock file: %w", err)
 	}

fs.go

@@ -139,7 +139,7 @@ func (g *FileSystemLoader) readTemplate(folder, name string, fsys fs.FS) ([]byte
 	if err != nil || info.IsDir() {
 		return nil, "", fmt.Errorf("not found: %s", fname)
 	}
-	data, err := os.ReadFile(fname)
+	data, err := os.ReadFile(filepath.Clean(fname))
 	return data, fname, err
 }
 

memstats.go

@@ -166,11 +166,11 @@ func NewMemDelta(from, to *MemSnapshot) *MemDelta {
 		FromName:         from.Name,
 		ToName:           to.Name,
 		Duration:         to.Timestamp.Sub(from.Timestamp),
-		AllocDelta:       int64(to.Alloc) - int64(from.Alloc),
-		TotalAllocDelta:  int64(to.TotalAlloc) - int64(from.TotalAlloc),
-		HeapObjectsDelta: int64(to.HeapObjects) - int64(from.HeapObjects),
-		HeapInuseDelta:   int64(to.HeapInuse) - int64(from.HeapInuse),
-		NumGCDelta:       int32(to.NumGC) - int32(from.NumGC),
+		AllocDelta:       int64(to.Alloc) - int64(from.Alloc),           // #nosec G115 -- runtime.MemStats values won't exceed int64 max
+		TotalAllocDelta:  int64(to.TotalAlloc) - int64(from.TotalAlloc), // #nosec G115
+		HeapObjectsDelta: int64(to.HeapObjects) - int64(from.HeapObjects), // #nosec G115
+		HeapInuseDelta:   int64(to.HeapInuse) - int64(from.HeapInuse),   // #nosec G115
+		NumGCDelta:       int32(to.NumGC) - int32(from.NumGC),           // #nosec G115
 	}
 }
 

source_loader.go

@@ -51,7 +51,7 @@ func LoadVendorConfig(path string) (*VendorConfig, error) {
 // defaults from the given ToolInfo. Embedding applications use this to set their
 // own default vendor directory when the config file doesn't specify one.
 func LoadVendorConfigWithDefaults(path string, info ToolInfo) (*VendorConfig, error) {
-	data, err := os.ReadFile(path)
+	data, err := os.ReadFile(filepath.Clean(path))
 	if err != nil {
 		return nil, fmt.Errorf("failed to read config file: %w", err)
 	}