fix(security): address remaining gosec issues (G115, G304, G104)

TeleGhost Dev · TeleGhost Dev · commit 0c0094acf87d · 2026-02-14T18:11:38.000+05:00
diff --git a/internal/appcore/reseed.go b/internal/appcore/reseed.go
@@ -3,10 +3,10 @@ package appcore
 import (
 	"archive/zip"
 	"crypto/rand"
-	"encoding/binary"
 	"fmt"
 	"io"
 	"log"
+	"math/big"
 	"os"
 	"path/filepath"
 	"strings"
@@ -54,9 +54,11 @@ func (a *AppCore) ExportReseed() (string, error) {
 	// Используем crypto/rand для перемешивания (чтобы не использовать слабый math/rand)
 	// Хотя math/rand здесь не критичен, gosec требует crypto/rand
 	for i := len(files) - 1; i > 0; i-- {
-		b := make([]byte, 8)
-		_, _ = rand.Read(b)
-		j := int(binary.BigEndian.Uint64(b) % uint64(i+1))
+		n, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
+		if err != nil {
+			continue // Should not happen with rand.Reader
+		}
+		j := int(n.Int64())
 		files[i], files[j] = files[j], files[i]
 	}
 
diff --git a/internal/network/media/media_crypt.go b/internal/network/media/media_crypt.go
@@ -64,10 +64,12 @@ func (m *MediaCrypt) NewMediaHandler(storageDir string) http.Handler {
 		relPath := strings.TrimPrefix(r.URL.Path, "/secure/")
 		fullPath := filepath.Join(storageDir, relPath)
 
-		// Очищаем путь и проверяем, что он внутри хранилища (простая защита от ../)
+		// Очищаем путь и проверяем, что он внутри хранилища
 		cleanPath := filepath.Clean(fullPath)
-		if strings.Contains(cleanPath, "..") {
-			http.Error(w, "Invalid path", http.StatusBadRequest)
+		absStorage, _ := filepath.Abs(storageDir)
+		absClean, _ := filepath.Abs(cleanPath)
+		if !strings.HasPrefix(absClean, absStorage) {
+			http.Error(w, "Access denied", http.StatusForbidden)
 			return
 		}
 
diff --git a/internal/network/messenger/messenger.go b/internal/network/messenger/messenger.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"math"
 	"net"
 	"sync"
 	"time"
@@ -384,6 +385,10 @@ func (s *Service) writePacket(conn net.Conn, data []byte) error {
 	_ = conn.SetWriteDeadline(time.Now().Add(ConnectionTimeout))
 
 	// Пишем размер (4 байта, big endian)
+	const maxUint32 = math.MaxUint32
+	if uint64(len(data)) > maxUint32 {
+		return fmt.Errorf("packet too large for uint32: %d", len(data))
+	}
 	if len(data) > 100*1024*1024 { // 100 MB limit for safety
 		return fmt.Errorf("packet too large: %d", len(data))
 	}
diff --git a/internal/utils/image.go b/internal/utils/image.go
@@ -30,7 +30,7 @@ func CompressImage(path string, maxWidth, maxHeight uint) ([]byte, string, int,
 
 	// If image is small enough, don't resize, just re-encode (or keep original if raw needed, but this function implies compression)
 	// Actually, we should resize if it's huge.
-	if uint(width) > maxWidth || uint(height) > maxHeight {
+	if (width > 0 && uint(width) > maxWidth) || (height > 0 && uint(height) > maxHeight) {
 		img = resize.Thumbnail(maxWidth, maxHeight, img, resize.Lanczos3)
 		width = img.Bounds().Dx()
 		height = img.Bounds().Dy()
