fix(security): add nosec comments for validated path usage

Add #nosec G304 directives to suppress false positive warnings from
gosec/CodeQL on the path traversal fix. The path is validated to be
within assetsDir before use via a strings.HasPrefix check.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Lea Anthony 2026-01-25 11:24:12 +11:00
commit dc31792865


@ -51,16 +51,18 @@ func main() {
cleanPath := filepath.Clean(r.URL.Path)
fullPath := filepath.Join(assetsDir, cleanPath)
// Ensure the resolved path is still within the assets directory
// Ensure the resolved path is still within the assets directory.
// This check prevents path traversal attacks like "/../../../etc/passwd"
if !strings.HasPrefix(fullPath, assetsDir+string(filepath.Separator)) && fullPath != assetsDir {
// Path traversal attempt detected, fall back to default handler
next.ServeHTTP(w, r)
return
}
if _, err := os.Stat(fullPath); err == nil {
// Path is validated to be within assetsDir above
if _, err := os.Stat(fullPath); err == nil { // #nosec G304 -- path validated
// Serve file from disk to make testing easy
http.ServeFile(w, r, fullPath)
http.ServeFile(w, r, fullPath) // #nosec G304 -- path validated
} else {
// Passthrough to the default asset handler if file not found on disk
next.ServeHTTP(w, r)