fix: resolve gosec lint warnings in proxysql provider

renecannao · renecannao · commit 764c79d996a7 · 2026-03-24T21:35:20.000Z
- Config file permissions tightened from 0644 to 0600 (G306)
- Script WriteFile 0755 annotated with nolint (scripts must be executable)
- exec.Command annotated with nolint (paths from trusted sandbox dirs)
diff --git a/providers/proxysql/proxysql.go b/providers/proxysql/proxysql.go
@@ -93,7 +93,7 @@ func (p *ProxySQLProvider) CreateSandbox(config providers.SandboxConfig) (*provi
 
 	cfgContent := GenerateConfig(proxyCfg)
 	cfgPath := filepath.Join(config.Dir, "proxysql.cnf")
-	if err := os.WriteFile(cfgPath, []byte(cfgContent), 0644); err != nil {
+	if err := os.WriteFile(cfgPath, []byte(cfgContent), 0600); err != nil {
 		return nil, fmt.Errorf("writing config: %w", err)
 	}
 
@@ -116,7 +116,7 @@ func (p *ProxySQLProvider) CreateSandbox(config providers.SandboxConfig) (*provi
 
 	for name, content := range scripts {
 		scriptPath := filepath.Join(config.Dir, name)
-		if err := os.WriteFile(scriptPath, []byte(content), 0755); err != nil {
+		if err := os.WriteFile(scriptPath, []byte(content), 0755); err != nil { //nolint:gosec // scripts must be executable
 			return nil, fmt.Errorf("writing script %s: %w", name, err)
 		}
 	}
@@ -129,7 +129,7 @@ func (p *ProxySQLProvider) CreateSandbox(config providers.SandboxConfig) (*provi
 }
 
 func (p *ProxySQLProvider) StartSandbox(dir string) error {
-	cmd := exec.Command("bash", filepath.Join(dir, "start"))
+	cmd := exec.Command("bash", filepath.Join(dir, "start")) //nolint:gosec // path is from trusted sandbox directory
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("start failed: %s: %w", string(output), err)
@@ -138,7 +138,7 @@ func (p *ProxySQLProvider) StartSandbox(dir string) error {
 }
 
 func (p *ProxySQLProvider) StopSandbox(dir string) error {
-	cmd := exec.Command("bash", filepath.Join(dir, "stop"))
+	cmd := exec.Command("bash", filepath.Join(dir, "stop")) //nolint:gosec // path is from trusted sandbox directory
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("stop failed: %s: %w", string(output), err)

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ func (p ProxySQLProvider) CreateSandbox(config providers.SandboxConfig) (provi`
`93`	`93`
`94`	`94`	`cfgContent := GenerateConfig(proxyCfg)`
`95`	`95`	`cfgPath := filepath.Join(config.Dir, "proxysql.cnf")`
`96`		`- if err := os.WriteFile(cfgPath, []byte(cfgContent), 0644); err != nil {`
	`96`	`+ if err := os.WriteFile(cfgPath, []byte(cfgContent), 0600); err != nil {`
`97`	`97`	`return nil, fmt.Errorf("writing config: %w", err)`
`98`	`98`	`}`
`99`	`99`
`@@ -116,7 +116,7 @@ func (p ProxySQLProvider) CreateSandbox(config providers.SandboxConfig) (provi`
`116`	`116`
`117`	`117`	`for name, content := range scripts {`
`118`	`118`	`scriptPath := filepath.Join(config.Dir, name)`
`119`		`- if err := os.WriteFile(scriptPath, []byte(content), 0755); err != nil {`
	`119`	`+ if err := os.WriteFile(scriptPath, []byte(content), 0755); err != nil { //nolint:gosec // scripts must be executable`
`120`	`120`	`return nil, fmt.Errorf("writing script %s: %w", name, err)`
`121`	`121`	`}`
`122`	`122`	`}`
`@@ -129,7 +129,7 @@ func (p ProxySQLProvider) CreateSandbox(config providers.SandboxConfig) (provi`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`func (p *ProxySQLProvider) StartSandbox(dir string) error {`
`132`		`- cmd := exec.Command("bash", filepath.Join(dir, "start"))`
	`132`	`+ cmd := exec.Command("bash", filepath.Join(dir, "start")) //nolint:gosec // path is from trusted sandbox directory`
`133`	`133`	`output, err := cmd.CombinedOutput()`
`134`	`134`	`if err != nil {`
`135`	`135`	`return fmt.Errorf("start failed: %s: %w", string(output), err)`
`@@ -138,7 +138,7 @@ func (p *ProxySQLProvider) StartSandbox(dir string) error {`
`138`	`138`	`}`
`139`	`139`
`140`	`140`	`func (p *ProxySQLProvider) StopSandbox(dir string) error {`
`141`		`- cmd := exec.Command("bash", filepath.Join(dir, "stop"))`
	`141`	`+ cmd := exec.Command("bash", filepath.Join(dir, "stop")) //nolint:gosec // path is from trusted sandbox directory`
`142`	`142`	`output, err := cmd.CombinedOutput()`
`143`	`143`	`if err != nil {`
`144`	`144`	`return fmt.Errorf("stop failed: %s: %w", string(output), err)`