fix: use os.Root to resolve gosec G122 lint in man page generation #730

Merged: bupd merged 2 commits into goharbor:main from Sypher845:fix/gosec-g122-man-doc-lint on Mar 7, 2026

@Sypher845

Contributor

Fixes #729

In doc/man-docs/man-doc.go, to avoid a TOCTOU race condition, the following changes were made:

Before

  • Used filepath.Walk with os.ReadFile and os.WriteFile using full file paths directly
  • These file operations could be tricked into reading/writing unintended files if symlinks were swapped in between

After

  • Used os.OpenRoot to scope all file operations to the doc directory
  • Replaced filepath.Walk with filepath.WalkDir
  • File reads and writes now go through the root handle (root.Open, root.OpenFile), which prevents symlink escapes
  • No change in output; generated docs are identical

Signed-off-by: Sypher845 <suyashpatil845@gmail.com>

codecov Bot commented Mar 6, 2026

Codecov Report

❌ Patch coverage is 0% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 7.44%. Comparing base (60ad0bd) to head (bb078c3).
⚠️ Report is 106 commits behind head on main.

Files with missing lines Patch % Lines
doc/man-docs/man_doc.go 0.00% 18 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff            @@
##             main    #730      +/-   ##
=========================================
- Coverage   10.99%   7.44%   -3.55%     
=========================================
  Files         173     261      +88     
  Lines        8671   12945    +4274     
=========================================
+ Hits          953     964      +11     
- Misses       7612   11872    +4260     
- Partials      106     109       +3     

@bupd bupd requested review from bupd and Copilot and removed request for bupd March 7, 2026 18:52
@bupd bupd self-assigned this Mar 7, 2026

Copilot AI left a comment

Contributor

Pull request overview

Updates the man page post-processing generator to address gosec G122 (TOCTOU) by scoping file reads/writes to a directory root handle, preventing symlink traversal escapes during cleanup.

Changes:

  • Introduces os.OpenRoot and routes file I/O through the root handle (root.Open, root.OpenFile)
  • Switches traversal from filepath.Walk to filepath.WalkDir
  • Replaces os.ReadFile/os.WriteFile with streaming read/write via io.ReadAll and Write

Comment thread doc/man-docs/man_doc.go Outdated
Comment thread doc/man-docs/man_doc.go
Comment on lines +112 to 116
}
_, err = wf.Write([]byte(cleanedContent))
wf.Close()
if err != nil {
return err

Copilot AI Mar 7, 2026

The file handles are closed without checking Close() errors, and the write path doesn’t guard against short writes. It’s safer to handle Close() errors (especially for writes) and ensure the full buffer is written, so failures (e.g., disk full / flush errors) aren’t silently ignored.

@bupd bupd left a comment

Member

please resolve requested changes.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Prasanth Baskar <bupdprasanth@gmail.com>

bupd commented Mar 7, 2026

Member

fixed it for ya. !!

@bupd bupd merged commit 1f89cd1 into goharbor:main Mar 7, 2026
6 of 8 checks passed
chengjingtao pushed a commit to AlaudaDevops/harbor-cli that referenced this pull request Apr 16, 2026
…oharbor#730)

Co-authored-by: Prasanth Baskar <bupdprasanth@gmail.com>
chengjingtao added a commit to AlaudaDevops/harbor-cli that referenced this pull request Apr 16, 2026
…oharbor#730) (#3)

Co-authored-by: suyash845 <162715611+Sypher845@users.noreply.github.com>
Co-authored-by: Prasanth Baskar <bupdprasanth@gmail.com>

Development

Successfully merging this pull request may close these issues.

gosec G122 lint failure in doc/man-docs/man_doc.go
