fix: gosec errors

Author: devblac

config/config.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -115,8 +116,40 @@ func Load() (*Config, error) {
 	return cfg, nil
 }
 
+// validateConfigPath validates that the config file path is safe
+func validateConfigPath(path string) error {
+	if path == "" {
+		return errors.New("config file path cannot be empty")
+	}
+
+	// Clean the path to resolve any .. sequences
+	cleanPath := filepath.Clean(path)
+
+	// Check for path traversal attempts
+	if strings.Contains(cleanPath, "..") {
+		return errors.New("config file path contains invalid path traversal sequences")
+	}
+
+	// Ensure it's a JSON file
+	if !strings.HasSuffix(strings.ToLower(cleanPath), ".json") {
+		return errors.New("config file must have .json extension")
+	}
+
+	// Check that the file exists and is readable
+	if _, err := os.Stat(cleanPath); err != nil {
+		return fmt.Errorf("config file not accessible: %w", err)
+	}
+
+	return nil
+}
+
 // LoadFromFile loads configuration from a JSON file
 func LoadFromFile(path string) (*Config, error) {
+	// Validate the path for security
+	if err := validateConfigPath(path); err != nil {
+		return nil, fmt.Errorf("invalid config file path: %w", err)
+	}
+
 	data, err := os.ReadFile(path)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read config file %s: %w", path, err)

config/config_test.go

@@ -198,3 +198,72 @@ func TestSecrets(t *testing.T) {
 	value = store.GetWithDefault(ctx, testKey, defaultValue)
 	assert.Equal(t, testValue, value)
 }
+
+func TestValidateConfigPath(t *testing.T) {
+	tests := []struct {
+		name        string
+		path        string
+		expectError bool
+		setup       func() string // returns path to cleanup
+	}{
+		{
+			name:        "valid json file",
+			path:        "config_test.json",
+			expectError: false,
+			setup: func() string {
+				tmpFile, _ := os.CreateTemp("", "config_test_*.json")
+				tmpFile.WriteString("{}")
+				tmpFile.Close()
+				return tmpFile.Name()
+			},
+		},
+		{
+			name:        "empty path",
+			path:        "",
+			expectError: true,
+			setup:       func() string { return "" },
+		},
+		{
+			name:        "path traversal",
+			path:        "../../../etc/passwd",
+			expectError: true,
+			setup:       func() string { return "" },
+		},
+		{
+			name:        "non-json file",
+			path:        "config.txt",
+			expectError: true,
+			setup: func() string {
+				tmpFile, _ := os.CreateTemp("", "config_test_*.txt")
+				tmpFile.WriteString("{}")
+				tmpFile.Close()
+				return tmpFile.Name()
+			},
+		},
+		{
+			name:        "nonexistent file",
+			path:        "nonexistent.json",
+			expectError: true,
+			setup:       func() string { return "" },
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cleanupPath := tt.setup()
+			if cleanupPath != "" {
+				defer os.Remove(cleanupPath)
+				if tt.path == "config_test.json" || tt.path == "config.txt" {
+					tt.path = cleanupPath
+				}
+			}
+
+			err := validateConfigPath(tt.path)
+			if tt.expectError {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

leaderboard/skiplist.go

@@ -1,6 +1,8 @@
 package leaderboard
 
 import (
+	cryptorand "crypto/rand"
+	"encoding/binary"
 	"math/rand/v2"
 	"sync"
 
@@ -26,11 +28,20 @@ type SkipList struct {
 }
 
 func NewSkipList() *SkipList {
+	// Use crypto/rand to generate a secure seed for PCG
+	var seed [16]byte
+	if _, err := cryptorand.Read(seed[:]); err != nil {
+		// Fallback to zero seed if crypto/rand fails (extremely unlikely)
+		seed = [16]byte{}
+	}
+	seed1 := binary.BigEndian.Uint64(seed[:8])
+	seed2 := binary.BigEndian.Uint64(seed[8:])
+
 	return &SkipList{
 		head:   &node{},
 		lvl:    1,
 		byUser: map[core.UserID]*node{},
-		rng:    rand.New(rand.NewPCG(0, 0)),
+		rng:    rand.New(rand.NewPCG(seed1, seed2)),
 	}
 }