Merge pull request #2553 from keboola/jt-linter

Author: jachym-tousek-keboola

cmd/templates-api/main.go

@@ -38,6 +38,9 @@ const (
 	ENVPrefix         = "TEMPLATES_"
 	ErrorNamePrefix   = "templates."
 	ExceptionIdPrefix = "keboola-templates-"
+
+	//nolint:gosec // G101: This is a header name constant, not hardcoded credentials
+	StorageTokenHeader = "X-StorageAPI-Token"
 )
 
 func main() {
@@ -126,7 +129,7 @@ func run(ctx context.Context, cfg config.Config, _ []string) error {
 		ExceptionIDPrefix: ExceptionIdPrefix,
 		EnableGzip:        true, // Enable gzip compression for responses
 		MiddlewareOptions: []middleware.Option{
-			middleware.WithRedactedHeader("X-StorageAPI-Token"),
+			middleware.WithRedactedHeader(StorageTokenHeader),
 			middleware.WithPropagators(propagation.TraceContext{}),
 			middleware.WithFilter(func(req *http.Request) bool {
 				return req.URL.Path != "/health-check"
@@ -152,7 +155,7 @@ func run(ctx context.Context, cfg config.Config, _ []string) error {
 			middleware.ProjectScope(middleware.ProjectScopeConfig{
 				ProjectScopeCtxKey: dependencies.ProjectRequestScopeCtxKey,
 				PublicScopeCtxKey:  dependencies.PublicRequestScopeCtxKey,
-				TokenHeader:        "X-StorageAPI-Token",
+				TokenHeader:        StorageTokenHeader,
 				CreateProjectScope: func(ctx context.Context, publicScope any, token string) (any, error) {
 					pubScp, ok := publicScope.(dependencies.PublicRequestScope)
 					if !ok {

internal/pkg/project/ignore/ignore.go

@@ -37,16 +37,16 @@ func (f *File) parseIgnoredPatterns() []string {
 // applyIgnorePattern applies a single ignore pattern, marking the appropriate config or row as ignored.
 func (f *File) applyIgnorePattern(ignoreConfig string) error {
 	// Branch pattern: "branch/<name>" — name may itself contain "/".
-	if strings.HasPrefix(ignoreConfig, "branch/") {
-		branchName := strings.TrimPrefix(ignoreConfig, "branch/")
+	if after, ok := strings.CutPrefix(ignoreConfig, "branch/"); ok {
+		branchName := after
 		f.state.IgnoreBranch(branchName)
 		return nil
 	}
 
 	// Field-level ignore: "componentID/configID:fieldName"
-	if colonIdx := strings.Index(ignoreConfig, ":"); colonIdx != -1 {
-		objectPath := ignoreConfig[:colonIdx]
-		fieldName := ignoreConfig[colonIdx+1:]
+	if before, after, ok := strings.Cut(ignoreConfig, ":"); ok {
+		objectPath := before
+		fieldName := after
 		if fieldName == "" || strings.HasPrefix(fieldName, ".") || strings.HasSuffix(fieldName, ".") {
 			return errors.Errorf("invalid field-ignore format %q, expected componentID/configID:fieldName", ignoreConfig)
 		}

internal/pkg/service/appsproxy/dataapps/api/rule_test.go

@@ -129,7 +129,7 @@ func TestRule_Match(t *testing.T) {
 	}
 
 	for _, tc := range cases {
-		matched, err := tc.Rule.Match(httptest.NewRequest(http.MethodGet, tc.URL, nil))
+		matched, err := tc.Rule.Match(httptest.NewRequestWithContext(t.Context(), http.MethodGet, tc.URL, nil))
 		assert.Equal(t, tc.ExpectedMatch, matched, tc.Description)
 		if tc.ExpectedErr == "" {
 			require.NoError(t, err, tc.Description)

internal/pkg/service/appsproxy/dataapps/appconfig/middleware_test.go

@@ -48,7 +48,7 @@ func TestAppConfigMiddleware(t *testing.T) {
 
 	// Send logged request
 	rec := httptest.NewRecorder()
-	req := httptest.NewRequest(http.MethodGet, "https://app-1.example.com/api/action", nil)
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "https://app-1.example.com/api/action", nil)
 	req.Header.Set("User-Agent", "my-user-agent")
 	handler.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusOK, rec.Code)

internal/pkg/service/appsproxy/dataapps/k8sapp/appinfo.go

@@ -50,7 +50,7 @@ type AppInfo struct {
 
 type appStatus struct {
 	CurrentState AppActualState `json:"currentState"`
-	AppsProxy    appsProxy      `json:"appsProxy,omitempty"`
+	AppsProxy    appsProxy      `json:"appsProxy"`
 }
 
 type appsProxy struct {

internal/pkg/service/appsproxy/proxy/apphandler/authproxy/basicauth/handler.go

@@ -101,8 +101,18 @@ func (h *Handler) ServeHTTPOrError(w http.ResponseWriter, req *http.Request) err
 		return nil
 	}
 
+	// Limit request body size to prevent memory exhaustion attacks
+	req.Body = http.MaxBytesReader(w, req.Body, 1<<20) // 1MB limit
 	if err := req.ParseForm(); err != nil {
-		return err
+		var maxBytesErr *http.MaxBytesError
+		if errors.As(err, &maxBytesErr) {
+			// Request body exceeded the configured limit
+			h.pageWriter.WriteErrorPage(w, req, &h.app, http.StatusRequestEntityTooLarge, "Request body too large", "")
+			return nil
+		}
+		// Any other form parsing error is treated as a bad request
+		h.pageWriter.WriteErrorPage(w, req, &h.app, http.StatusBadRequest, "Invalid form data", "")
+		return nil
 	}
 
 	// CSRF token validation

internal/pkg/service/appsproxy/proxy/server_test.go

@@ -86,36 +86,36 @@ func TestAppProxyHandler(t *testing.T) {
 
 	// Get robots.txt
 	rec := httptest.NewRecorder()
-	req := httptest.NewRequest(http.MethodGet, "https://hub.keboola.local/robots.txt", nil)
+	req := httptest.NewRequestWithContext(t.Context(), http.MethodGet, "https://hub.keboola.local/robots.txt", nil)
 	handler.ServeHTTP(rec, req)
 	require.Equal(t, http.StatusOK, rec.Code)
 	assert.Contains(t, rec.Body.String(), "Disallow: /")
 
 	// Get missing asset
 	rec = httptest.NewRecorder()
-	req = httptest.NewRequest(http.MethodGet, "https://hub.keboola.local/_proxy/assets/foo.bar", nil)
+	req = httptest.NewRequestWithContext(t.Context(), http.MethodGet, "https://hub.keboola.local/_proxy/assets/foo.bar", nil)
 	handler.ServeHTTP(rec, req)
 	require.Equal(t, http.StatusNotFound, rec.Code)
 
 	// Invalid host
 	rec = httptest.NewRecorder()
-	req = httptest.NewRequest(http.MethodGet, "https://public-123.foo.bar.local/path", nil)
+	req = httptest.NewRequestWithContext(t.Context(), http.MethodGet, "https://public-123.foo.bar.local/path", nil)
 	req.Header.Set("User-Agent", "my-user-agent")
 	handler.ServeHTTP(rec, req)
 	require.Equal(t, http.StatusBadRequest, rec.Code)
 	assert.Contains(t, rec.Body.String(), "Unexpected domain, missing application ID.")
 
 	// Send logged request
 	rec = httptest.NewRecorder()
-	req = httptest.NewRequest(http.MethodGet, "https://public-123.hub.keboola.local/path", nil)
+	req = httptest.NewRequestWithContext(t.Context(), http.MethodGet, "https://public-123.hub.keboola.local/path", nil)
 	req.Header.Set("User-Agent", "my-user-agent")
 	handler.ServeHTTP(rec, req)
 	require.Equal(t, http.StatusOK, rec.Code)
 	assert.Equal(t, "Hello, client", rec.Body.String())
 
 	// Send ignored request
 	rec = httptest.NewRecorder()
-	req = httptest.NewRequest(http.MethodGet, "https://hub.keboola.local/health-check", nil)
+	req = httptest.NewRequestWithContext(t.Context(), http.MethodGet, "https://hub.keboola.local/health-check", nil)
 	req.Header.Set("User-Agent", "my-user-agent")
 	handler.ServeHTTP(rec, req)
 	require.Equal(t, http.StatusOK, rec.Code)

internal/pkg/service/cli/cmd/cmd.go

@@ -293,7 +293,7 @@ func (root *RootCommand) listAliases() string {
 	var out strings.Builder
 	for i, cmd := range root.aliases.Keys() {
 		tmpl := fmt.Sprintf("  %%-%ds  %%s\n", maxLength)
-		out.WriteString(fmt.Sprintf(tmpl, cmd, lines[i]))
+		fmt.Fprintf(&out, tmpl, cmd, lines[i])
 	}
 	return strings.TrimRight(out.String(), "\n")
 }

internal/pkg/service/cli/cmd/template/create/dialog.go

@@ -360,9 +360,9 @@ Do not edit lines starting with "#"!
 	var lines strings.Builder
 	lines.WriteString(fileHeader)
 	for _, c := range d.configs {
-		lines.WriteString(fmt.Sprintf("## Config \"%s\" %s:%s\n%s\n\n", c.Name, c.ComponentID, c.ID, idByKey[c.Key().String()]))
+		fmt.Fprintf(&lines, "## Config \"%s\" %s:%s\n%s\n\n", c.Name, c.ComponentID, c.ID, idByKey[c.Key().String()])
 		for _, r := range c.Rows {
-			lines.WriteString(fmt.Sprintf("### Row \"%s\" %s:%s:%s\n%s\n\n", r.Name, r.ComponentID, r.ConfigID, r.ID, idByKey[r.Key().String()]))
+			fmt.Fprintf(&lines, "### Row \"%s\" %s:%s:%s\n%s\n\n", r.Name, r.ComponentID, r.ConfigID, r.ID, idByKey[r.Key().String()])
 		}
 	}
 

internal/pkg/service/cli/dialog/allowed_branches.go

@@ -194,7 +194,7 @@ func (d *branchesDialog) unique(items model.AllowedBranches) model.AllowedBranch
 		m.Set(string(item), true)
 	}
 
-	unique := model.AllowedBranches{}
+	unique := make(model.AllowedBranches, 0, len(m.Keys()))
 	for _, item := range m.Keys() {
 		unique = append(unique, model.AllowedBranch(item))
 	}