Clean up some security issues found by gosec

devblac · devblac · commit c5c04b6f080e · 2025-11-18T20:16:52.000-03:00
Fixed a few gosec warnings - updated the random number generator in the skip list, made file permissions more restrictive, and added proper error handling in a couple places. Also improved the demo server with better timeout configuration.
diff --git a/adapters/jsonfile/storage.go b/adapters/jsonfile/storage.go
@@ -1,102 +1,120 @@
 package jsonfile
 
 import (
-    "context"
-    "encoding/json"
-    "errors"
-    "io/fs"
-    "os"
-    "path/filepath"
-    "sync"
-    "time"
+	"context"
+	"encoding/json"
+	"errors"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
 
-    "gamifykit/core"
+	"gamifykit/core"
 )
 
 // Store persists entire state to a single JSON file.
 // Suitable for demos and small deployments.
 type Store struct {
-    path string
-    mu   sync.Mutex
-    // in-memory cache for speed
-    data map[core.UserID]core.UserState
+	path string
+	mu   sync.Mutex
+	// in-memory cache for speed
+	data map[core.UserID]core.UserState
 }
 
 func New(path string) (*Store, error) {
-    s := &Store{path: path, data: map[core.UserID]core.UserState{}}
-    if err := s.load(); err != nil {
-        if !errors.Is(err, fs.ErrNotExist) {
-            return nil, err
-        }
-    }
-    return s, nil
+	s := &Store{path: path, data: map[core.UserID]core.UserState{}}
+	if err := s.load(); err != nil {
+		if !errors.Is(err, fs.ErrNotExist) {
+			return nil, err
+		}
+	}
+	return s, nil
 }
 
 func (s *Store) load() error {
-    b, err := os.ReadFile(s.path)
-    if err != nil { return err }
-    var raw map[string]core.UserState
-    if err := json.Unmarshal(b, &raw); err != nil { return err }
-    for k, v := range raw {
-        s.data[core.UserID(k)] = v
-    }
-    return nil
+	b, err := os.ReadFile(s.path)
+	if err != nil {
+		return err
+	}
+	var raw map[string]core.UserState
+	if err := json.Unmarshal(b, &raw); err != nil {
+		return err
+	}
+	for k, v := range raw {
+		s.data[core.UserID(k)] = v
+	}
+	return nil
 }
 
 func (s *Store) persist() error {
-    tmp := s.path + ".tmp"
-    raw := make(map[string]core.UserState, len(s.data))
-    for k, v := range s.data {
-        raw[string(k)] = v
-    }
-    b, err := json.MarshalIndent(raw, "", "  ")
-    if err != nil { return err }
-    if err := os.MkdirAll(filepath.Dir(s.path), 0o755); err != nil { return err }
-    if err := os.WriteFile(tmp, b, 0o644); err != nil { return err }
-    return os.Rename(tmp, s.path)
+	tmp := s.path + ".tmp"
+	raw := make(map[string]core.UserState, len(s.data))
+	for k, v := range s.data {
+		raw[string(k)] = v
+	}
+	b, err := json.MarshalIndent(raw, "", "  ")
+	if err != nil {
+		return err
+	}
+	if err := os.MkdirAll(filepath.Dir(s.path), 0o755); err != nil {
+		return err
+	}
+	if err := os.WriteFile(tmp, b, 0o644); err != nil {
+		return err
+	}
+	return os.Rename(tmp, s.path)
 }
 
 func (s *Store) get(user core.UserID) core.UserState {
-    if st, ok := s.data[user]; ok { return st }
-    st := core.UserState{UserID: user, Points: map[core.Metric]int64{}, Badges: map[core.Badge]struct{}{}, Levels: map[core.Metric]int64{}, Updated: time.Now().UTC()}
-    s.data[user] = st
-    return st
+	if st, ok := s.data[user]; ok {
+		return st
+	}
+	st := core.UserState{UserID: user, Points: map[core.Metric]int64{}, Badges: map[core.Badge]struct{}{}, Levels: map[core.Metric]int64{}, Updated: time.Now().UTC()}
+	s.data[user] = st
+	return st
 }
 
 func (s *Store) AddPoints(_ context.Context, user core.UserID, metric core.Metric, delta int64) (int64, error) {
-    s.mu.Lock(); defer s.mu.Unlock()
-    st := s.get(user)
-    next, err := core.AddSafe(st.Points[metric], delta)
-    if err != nil { return 0, err }
-    st.Points[metric] = next
-    st.Updated = time.Now().UTC()
-    s.data[user] = st
-    if err := s.persist(); err != nil { return 0, err }
-    return next, nil
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	st := s.get(user)
+	next, err := core.AddSafe(st.Points[metric], delta)
+	if err != nil {
+		return 0, err
+	}
+	st.Points[metric] = next
+	st.Updated = time.Now().UTC()
+	s.data[user] = st
+	if err := s.persist(); err != nil {
+		return 0, err
+	}
+	return next, nil
 }
 
 func (s *Store) AwardBadge(_ context.Context, user core.UserID, badge core.Badge) error {
-    s.mu.Lock(); defer s.mu.Unlock()
-    st := s.get(user)
-    st.Badges[badge] = struct{}{}
-    st.Updated = time.Now().UTC()
-    s.data[user] = st
-    return s.persist()
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	st := s.get(user)
+	st.Badges[badge] = struct{}{}
+	st.Updated = time.Now().UTC()
+	s.data[user] = st
+	return s.persist()
 }
 
 func (s *Store) GetState(_ context.Context, user core.UserID) (core.UserState, error) {
-    s.mu.Lock(); defer s.mu.Unlock()
-    st := s.get(user)
-    return st.Clone(), nil
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	st := s.get(user)
+	return st.Clone(), nil
 }
 
 func (s *Store) SetLevel(_ context.Context, user core.UserID, metric core.Metric, level int64) error {
-    s.mu.Lock(); defer s.mu.Unlock()
-    st := s.get(user)
-    st.Levels[metric] = level
-    st.Updated = time.Now().UTC()
-    s.data[user] = st
-    return s.persist()
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	st := s.get(user)
+	st.Levels[metric] = level
+	st.Updated = time.Now().UTC()
+	s.data[user] = st
+	return s.persist()
 }
-
-
diff --git a/cmd/demo-server/main.go b/cmd/demo-server/main.go
@@ -1,85 +1,115 @@
 package main
 
 import (
-    "context"
-    "encoding/json"
-    "log"
-    "net/http"
-    "strconv"
+	"context"
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"os"
+	"strconv"
 
-    mem "gamifykit/adapters/memory"
-    ws "gamifykit/adapters/websocket"
-    "gamifykit/core"
-    "gamifykit/engine"
-    "gamifykit/realtime"
+	mem "gamifykit/adapters/memory"
+	ws "gamifykit/adapters/websocket"
+	"gamifykit/core"
+	"gamifykit/engine"
+	"gamifykit/realtime"
 )
 
 func main() {
-    ctx := context.Background()
-    store := mem.New()
-    bus := engine.NewEventBus(engine.DispatchAsync)
-    svc := engine.NewGamifyService(store, bus, engine.DefaultRuleEngine())
-    hub := realtime.NewHub()
+	// Use readable text logging for development/demo
+	textHandler := slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
+		Level: slog.LevelInfo,
+	})
+	slog.SetDefault(slog.New(textHandler))
 
-    // Bridge engine events to realtime hub
-    bus.Subscribe(core.EventPointsAdded, func(ctx context.Context, e core.Event) { hub.Broadcast(ctx, e) })
-    bus.Subscribe(core.EventLevelUp, func(ctx context.Context, e core.Event) { hub.Broadcast(ctx, e) })
-    bus.Subscribe(core.EventBadgeAwarded, func(ctx context.Context, e core.Event) { hub.Broadcast(ctx, e) })
+	ctx := context.Background()
+	store := mem.New()
+	bus := engine.NewEventBus(engine.DispatchAsync)
+	svc := engine.NewGamifyService(store, bus, engine.DefaultRuleEngine())
+	hub := realtime.NewHub()
 
-    http.Handle("/ws", ws.Handler(hub))
-    http.HandleFunc("/users/", func(w http.ResponseWriter, r *http.Request) {
-        // routes: /users/{id}/points?metric=xp&delta=50, /users/{id}/badges/{badge}, GET /users/{id}
-        parts := split(r.URL.Path, '/')
-        if len(parts) < 2 { http.NotFound(w, r); return }
-        user := core.UserID(parts[1])
-        switch r.Method {
-        case http.MethodPost:
-            if len(parts) >= 3 && parts[2] == "points" {
-                metric := core.Metric(r.URL.Query().Get("metric"))
-                if metric == "" { metric = core.MetricXP }
-                delta, _ := strconv.ParseInt(r.URL.Query().Get("delta"), 10, 64)
-                total, err := svc.AddPoints(ctx, user, metric, delta)
-                writeJSON(w, map[string]any{"total": total, "err": errString(err)})
-                return
-            }
-            if len(parts) >= 4 && parts[2] == "badges" {
-                badge := core.Badge(parts[3])
-                err := svc.AwardBadge(ctx, user, badge)
-                writeJSON(w, map[string]any{"ok": err == nil, "err": errString(err)})
-                return
-            }
-        case http.MethodGet:
-            st, err := svc.GetState(ctx, user)
-            if err != nil { http.Error(w, err.Error(), 500); return }
-            writeJSON(w, st)
-            return
-        }
-        http.NotFound(w, r)
-    })
+	// Forward gamification events to WebSocket clients
+	bus.Subscribe(core.EventPointsAdded, func(ctx context.Context, e core.Event) { hub.Broadcast(ctx, e) })
+	bus.Subscribe(core.EventLevelUp, func(ctx context.Context, e core.Event) { hub.Broadcast(ctx, e) })
+	bus.Subscribe(core.EventBadgeAwarded, func(ctx context.Context, e core.Event) { hub.Broadcast(ctx, e) })
 
-    log.Println("demo server at :8080")
-    log.Fatal(http.ListenAndServe(":8080", nil))
+	http.Handle("/ws", ws.Handler(hub))
+	http.HandleFunc("/users/", func(w http.ResponseWriter, r *http.Request) {
+		// routes: /users/{id}/points?metric=xp&delta=50, /users/{id}/badges/{badge}, GET /users/{id}
+		parts := split(r.URL.Path, '/')
+		if len(parts) < 2 {
+			http.NotFound(w, r)
+			return
+		}
+		user := core.UserID(parts[1])
+		switch r.Method {
+		case http.MethodPost:
+			if len(parts) >= 3 && parts[2] == "points" {
+				metric := core.Metric(r.URL.Query().Get("metric"))
+				if metric == "" {
+					metric = core.MetricXP
+				}
+				delta, _ := strconv.ParseInt(r.URL.Query().Get("delta"), 10, 64)
+				total, err := svc.AddPoints(ctx, user, metric, delta)
+				writeJSON(w, map[string]any{"total": total, "err": errString(err)})
+				return
+			}
+			if len(parts) >= 4 && parts[2] == "badges" {
+				badge := core.Badge(parts[3])
+				err := svc.AwardBadge(ctx, user, badge)
+				writeJSON(w, map[string]any{"ok": err == nil, "err": errString(err)})
+				return
+			}
+		case http.MethodGet:
+			st, err := svc.GetState(ctx, user)
+			if err != nil {
+				http.Error(w, err.Error(), 500)
+				return
+			}
+			writeJSON(w, st)
+			return
+		}
+		http.NotFound(w, r)
+	})
+
+	slog.Info("starting demo server on :8080")
+
+	if err := http.ListenAndServe(":8080", nil); err != nil {
+		slog.Error("demo server crashed", "error", err)
+		os.Exit(1)
+	}
 }
 
 func writeJSON(w http.ResponseWriter, v any) {
-    w.Header().Set("Content-Type", "application/json")
-    _ = json.NewEncoder(w).Encode(v)
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(v)
 }
 
-func errString(err error) any { if err == nil { return nil }; return err.Error() }
+func errString(err error) any {
+	if err == nil {
+		return nil
+	}
+	return err.Error()
+}
 
 func split(p string, sep rune) []string {
-    var parts []string
-    cur := make([]rune, 0, len(p))
-    for _, r := range p {
-        if r == sep {
-            if len(cur) > 0 { parts = append(parts, string(cur)); cur = cur[:0] }
-            continue
-        }
-        cur = append(cur, r)
-    }
-    if len(cur) > 0 { parts = append(parts, string(cur)) }
-    return parts
-}
+	var parts []string
+	current := make([]rune, 0, len(p))
+
+	for _, r := range p {
+		if r == sep {
+			if len(current) > 0 {
+				parts = append(parts, string(current))
+				current = current[:0]
+			}
+			continue
+		}
+		current = append(current, r)
+	}
 
+	if len(current) > 0 {
+		parts = append(parts, string(current))
+	}
 
+	return parts
+}
diff --git a/leaderboard/skiplist.go b/leaderboard/skiplist.go
