ci(golangci-lint): enable strict lint gate #782
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0bddd2aec3
| // path rather than a PATH lookup inside the sandbox. | ||
| func resolveGoRoot() (string, error) { | ||
| goRoot := strings.TrimSpace(runtime.GOROOT()) | ||
| output, err := exec.Command("go", "env", "GOROOT").Output() |
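Review bot: exec.Command("go", "env", "GOROOT").Output() in resolveGoRoot runs with no context or deadline, so a stalled go binary blocks the caller indefinitely. Use exec.CommandContext with a timeout, and since Output() leaves the child's stderr only in the returned *exec.ExitError, include that Stderr when wrapping err so a failed lookup can be diagnosed.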
Avoid PATH lookup before sandbox confinement
In hosted playground runs, resolveGoRoot executes before LaunchSandbox/ConfineToSandbox and now resolves go through the host PATH. If that environment contains an attacker-writable directory, submitted code can supply a fake go that runs outside the sandbox or returns an arbitrary GOROOT to mount, undermining the fail-closed sandbox boundary. Use the baked-in runtime.GOROOT() or another trusted absolute toolchain path instead.
| request.Header.Del("Accept-Encoding") | ||
| proxy := &httputil.ReverseProxy{ | ||
| Rewrite: func(proxyRequest *httputil.ProxyRequest) { | ||
| proxyRequest.SetURL(target) |
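Review bot: the Rewrite callback's only visible call is proxyRequest.SetURL(target), and with Rewrite set, ReverseProxy strips the inbound Forwarded and X-Forwarded-* headers and does not append X-Forwarded-For the way the Director-based path does. If the runtime logs or keys any decision on the client address, call proxyRequest.SetXForwarded() after SetURL.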
Preserve the inbound Host in the dev proxy
For requests proxied by gowdk dev, ProxyRequest.SetURL rewrites the outbound Host to the runtime target port, unlike the previous NewSingleHostReverseProxy behavior. The runtime's safeRedirectPath accepts an absolute same-origin Referer only when it matches request.Host, so browser redirects from the dev host (for example cookie acknowledgement back to 127.0.0.1:8080/foo) now see request.Host as the hidden runtime port and fall back to /. Set proxyRequest.Out.Host = proxyRequest.In.Host after SetURL.
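The Host rewrite described in the comment above, reproduced in memory as an added example (not code from the pull request or the project). The names capture, redirectTarget and viaProxy and the port 41873 are assumptions for illustration, and redirectTarget only approximates the same-origin Referer rule the comment attributes to safeRedirectPath.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// capture stands in for the runtime: it records the Host the backend would see.
type capture struct{ host string }

func (c *capture) RoundTrip(req *http.Request) (*http.Response, error) {
	if c.host = req.Host; c.host == "" {
		c.host = req.URL.Host // an empty Host means the client sends URL.Host
	}
	return httptest.NewRecorder().Result(), nil // empty 200 response
}

// redirectTarget is a hypothetical same-origin Referer check, not the project's
// safeRedirectPath: the Referer path is honoured only if its host equals host.
func redirectTarget(referer, host string) string {
	u, err := url.Parse(referer)
	if err != nil || u.Host != host || u.Path == "" {
		return "/"
	}
	return u.Path
}

// viaProxy proxies one constructed dev-host request; returns backend Host and redirect.
func viaProxy(preserveHost bool) (string, string) {
	target := &url.URL{Scheme: "http", Host: "127.0.0.1:41873"} // constructed runtime port
	backend := &capture{}
	proxy := &httputil.ReverseProxy{Transport: backend, Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(target)
		if preserveHost {
			pr.Out.Host = pr.In.Host // keep the Host the browser addressed
		}
	}}
	in := httptest.NewRequest(http.MethodGet, "http://127.0.0.1:8080/ack", nil)
	in.Header.Set("Referer", "http://127.0.0.1:8080/foo")
	proxy.ServeHTTP(httptest.NewRecorder(), in)
	return backend.host, redirectTarget(in.Header.Get("Referer"), backend.host)
}

func main() {
	fmt.Println(viaProxy(false)) // 127.0.0.1:41873 /
	fmt.Println(viaProxy(true))  // 127.0.0.1:8080 /foo
}
```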
| case buildValueString: | ||
| encoded, _ := json.Marshal(v.text) | ||
| return string(encoded) | ||
| return strconv.Quote(v.text) |
Preserve JSON encoding for build data strings
When a build {} object/list contains a string with a control byte (for example "\x00"), buildFieldValueFromString unquotes it into a NUL byte and this line serializes it with strconv.Quote, producing Go-only escapes such as "\x00" instead of valid JSON (json.Valid rejects that form). The comment and downstream build-data map expect canonical JSON text, so generated data can no longer be parsed by JSON clients; keep using encoding/json for strings and object keys.
Summary
golangci-lint v2.12.2 configuration, pinned local runner, and GitHub Actions lint workflow.
Issue Closure
Related: lint gate hardening; no issue auto-close.
Verification
- scripts/test-go-modules.sh when Go code or compiler behavior changed.
- go build ./cmd/gowdk when CLI, compiler, runtime, addon, or release behavior changed.
- node --check editors/vscode/extension.js when editor files changed.
Commands run:
- scripts/check-golangci-lint.sh -> 0 issues.
- go test ./internal/publicapi -count=1
- go test ./internal/gowdkcmd -run 'TestBuildCommandProductionScansFinalArtifactsForSecrets|TestBuildCommandProductionBlocksInsecureAuditFindings|TestComputeAuditDiffClassifiesIntroducedResolvedUnchanged' -count=1
- go build ./cmd/gowdk
- git diff --check
Known gap: full go test ./... was attempted earlier, but the existing nested internal/gowdkcmd integration tests ran excessively long. This PR is validated with the lint gate and focused tests for the touched late fixes.
LLM Assistance
- main, resolved conflicts, and opened this draft PR.
- internal/gowdkcmd integration tests can complete.