From dc317928653ae64aa492bb13e991892b6bce9dd7 Mon Sep 17 00:00:00 2001
From: Lea Anthony
Date: Sun, 25 Jan 2026 11:24:12 +1100
Subject: [PATCH] fix(security): add nosec comments for validated path usage

Add #nosec G304 directives to suppress false positive warnings from gosec/CodeQL on the path traversal fix. The path is validated to be within assetsDir before use via strings.HasPrefix check.

Co-Authored-By: Claude Opus 4.5
---
 v3/examples/screen/main.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/v3/examples/screen/main.go b/v3/examples/screen/main.go
index 95db96705..57c922fbb 100644
--- a/v3/examples/screen/main.go
+++ b/v3/examples/screen/main.go
@@ -51,16 +51,18 @@ func main() {
 cleanPath := filepath.Clean(r.URL.Path)
 fullPath := filepath.Join(assetsDir, cleanPath)
-// Ensure the resolved path is still within the assets directory
+// Ensure the resolved path is still within the assets directory.
+// This check prevents path traversal attacks like "/../../../etc/passwd"
 if !strings.HasPrefix(fullPath, assetsDir+string(filepath.Separator)) && fullPath != assetsDir {
 // Path traversal attempt detected, fall back to default handler
 next.ServeHTTP(w, r)
 return
 }
-if _, err := os.Stat(fullPath); err == nil {
+// Path is validated to be within assetsDir above
+if _, err := os.Stat(fullPath); err == nil { // #nosec G304 -- path validated
 // Serve file from disk to make testing easy
-http.ServeFile(w, r, fullPath)
+http.ServeFile(w, r, fullPath) // #nosec G304 -- path validated
 } else {
 // Passthrough to the default asset handler if file not found on disk
 next.ServeHTTP(w, r)
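Review bot: The Stat guard on the rewritten `if` line accepts directories as well as regular files, and `http.ServeFile` on a directory emits a generated listing when no index.html is present, so every subdirectory under assetsDir becomes browsable through this handler; since the commit already touches that line, tighten it at the same time to `if info, err := os.Stat(fullPath); err == nil && !info.IsDir() { // #nosec G304 -- path validated`. The new comment on the `strings.HasPrefix` check would also be more accurate if it said the check is lexical: it keeps `fullPath` inside assetsDir by name, but a symlink placed inside assetsDir that points elsewhere would still pass it, so if that matters for this example a `filepath.EvalSymlinks` step before the prefix comparison is the usual companion. Whether gosec actually reports G304 on `os.Stat` and `http.ServeFile` (rather than only on the os.Open family) is not visible here; if it does not, the two new directives are inert and the comment above the `if` already carries the justification. The enclosing handler closure and `func main()` both start and end outside the hunk.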