Merge branch 'main' into dependabot/go_modules/github.com/spf13/cobra-1.10.2

Author: aksOps

internal/crawler/crawler.go

@@ -274,8 +274,7 @@ func extractLinks(client *http.Client, pageURL string, base *url.URL) []string {
 }
 
 func resolveURL(base, href string) string {
-	if strings.HasPrefix(href, "#") || strings.HasPrefix(href, "mailto:") ||
-		strings.HasPrefix(href, "javascript:") {
+	if strings.HasPrefix(href, "#") {
 		return ""
 	}
 	b, err := url.Parse(base)
@@ -286,6 +285,15 @@ func resolveURL(base, href string) string {
 	if err != nil {
 		return ""
 	}
+	// Reject any href with an explicit scheme other than http/https.
+	// This allow-list covers mailto:, javascript:, data:, vbscript:,
+	// tel:, file:, blob:, and anything else we don't crawl.
+	if h.Scheme != "" {
+		s := strings.ToLower(h.Scheme)
+		if s != "http" && s != "https" {
+			return ""
+		}
+	}
 	resolved := b.ResolveReference(h)
 	resolved.Fragment = ""
 	resolved.RawQuery = ""

internal/crawler/crawler_test.go

@@ -0,0 +1,34 @@
+package crawler
+
+import "testing"
+
+func TestResolveURL_SchemeAllowList(t *testing.T) {
+	const base = "https://example.com/docs/"
+	cases := []struct {
+		name string
+		href string
+		want string
+	}{
+		{"relative path", "guide.html", "https://example.com/docs/guide.html"},
+		{"absolute http", "http://example.com/x", "http://example.com/x"},
+		{"absolute https", "https://example.com/x", "https://example.com/x"},
+		{"fragment only", "#anchor", ""},
+		{"mailto", "mailto:a@b.c", ""},
+		{"javascript", "javascript:alert(1)", ""},
+		{"javascript case", "JavaScript:alert(1)", ""},
+		{"data uri", "data:text/html,<script>alert(1)</script>", ""},
+		{"vbscript", "vbscript:msgbox(1)", ""},
+		{"tel", "tel:+15555555555", ""},
+		{"file", "file:///etc/passwd", ""},
+		{"blob", "blob:https://example.com/abc", ""},
+		{"ftp", "ftp://example.com/file", ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := resolveURL(base, tc.href)
+			if got != tc.want {
+				t.Errorf("resolveURL(%q, %q) = %q, want %q", base, tc.href, got, tc.want)
+			}
+		})
+	}
+}

internal/hookinstaller/installer.go

@@ -131,8 +131,8 @@ func writeJSONMapAtomic(path string, data map[string]json.RawMessage) error {
 		cleanup()
 		return fmt.Errorf("close temp: %w", err)
 	}
-	// 0o644 — standard config perms. Writable by user only.
-	if err := os.Chmod(tmpPath, 0o644); err != nil {
+	// 0o600 — user-only read/write. No group/world bits.
+	if err := os.Chmod(tmpPath, 0o600); err != nil {
 		cleanup()
 		return fmt.Errorf("chmod temp: %w", err)
 	}
@@ -163,19 +163,19 @@ func validateHookPath(p string) error {
 	return nil
 }
 
-// ExtractHookScript writes the embedded hook.sh to dest with 0o755 perms.
+// ExtractHookScript writes the embedded hook.sh to dest with 0o700 perms.
 // Creates the parent directory if missing. Overwrites existing files —
 // callers that want to preserve a user-modified hook should check first.
 func ExtractHookScript(dest string) error {
-	if err := os.MkdirAll(filepath.Dir(dest), 0o755); err != nil {
+	if err := os.MkdirAll(filepath.Dir(dest), 0o700); err != nil {
 		return fmt.Errorf("mkdir %s: %w", filepath.Dir(dest), err)
 	}
-	if err := os.WriteFile(dest, HookScript, 0o755); err != nil {
+	if err := os.WriteFile(dest, HookScript, 0o700); err != nil {
 		return fmt.Errorf("write %s: %w", dest, err)
 	}
 	// WriteFile masks perms through umask on create; reset explicitly so
-	// the resulting file is reliably executable.
-	if err := os.Chmod(dest, 0o755); err != nil {
+	// the resulting file is reliably executable for the owner only.
+	if err := os.Chmod(dest, 0o700); err != nil {
 		return fmt.Errorf("chmod %s: %w", dest, err)
 	}
 	return nil

internal/vectorindex/hnsw_test.go

@@ -215,6 +215,13 @@ func TestHNSW_Recall10k(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping 10k benchmark in -short")
 	}
+	if raceEnabled {
+		// Workload is fully sequential (no goroutines), so the race
+		// detector has nothing to catch here — it just adds ~10× overhead
+		// that dominates CI. Concurrency correctness is covered by
+		// TestHNSW_ConcurrentAddSearch, which DOES run under -race.
+		t.Skip("skipping 10k recall benchmark under -race (sequential workload)")
+	}
 	const (
 		n   = 10_000
 		dim = 384

internal/vectorindex/race_off.go

@@ -0,0 +1,5 @@
+//go:build !race
+
+package vectorindex
+
+const raceEnabled = false

internal/vectorindex/race_on.go

@@ -0,0 +1,10 @@
+//go:build race
+
+package vectorindex
+
+// raceEnabled reports whether the package was compiled with -race.
+// Some long-running deterministic benchmarks (e.g. TestHNSW_Recall10k)
+// gain nothing from the race detector — they're sequential — and pay
+// ~10× overhead that dominates CI time. Those tests skip when this is
+// true, leaving the explicitly concurrent tests to exercise the detector.
+const raceEnabled = true