feat(BPAAS-2064): add gosec linter (#841)

Co-authored-by: shota silagadze <[email protected]>

Author: shotasilagadzetaal

.golangci.yml

@@ -12,6 +12,7 @@ linters:
     - staticcheck # is a go vet on steroids, applying a ton of static analysis checks
     - unused # checks for unused constants, variables, functions and types
     - sloglint # Ensure consistent code style when using log/slog
+    - gosec # inspects source code for security problems
 #    - asciicheck # checks that your code does not contain non-ASCII identifiers
 #    - bidichk # checks for dangerous unicode character sequences
 #    - bodyclose # checks whether HTTP response body is closed successfully
@@ -38,7 +39,6 @@ linters:
 #    - gomoddirectives # manages the use of 'replace', 'retract', and 'excludes' directives in go.mod
 #    - gomodguard # allow and block lists linter for direct Go module dependencies. This is different from depguard where there are different block types for example version constraints and module recommendations
 #    - goprintffuncname # checks that printf-like functions are named with f at the end
-#    - gosec # inspects source code for security problems
 #    - lll # reports long lines
 #    - loggercheck # checks key value pairs for common logger libraries (kitlog,klog,logr,zap)
 #    - makezero # finds slice declarations with non-zero initial length
@@ -81,6 +81,9 @@ linters:
 #    - wrapcheck # checks that errors returned from external packages are wrapped
 #    - zerologlint # detects the wrong usage of zerolog that a user forgets to dispatch zerolog.Event
   settings:
+    gosec:
+      includes:
+        - G115
     cyclop:
       max-complexity: 30
       package-average: 10

config/config.go

@@ -113,7 +113,7 @@ type BlocktxConfig struct {
 	MaxBlockProcessingDuration    time.Duration                      `mapstructure:"maxBlockProcessingDuration"`
 	MonitorPeers                  bool                               `mapstructure:"monitorPeers"`
 	FillGaps                      *FillGapsConfig                    `mapstructure:"fillGaps"`
-	MaxAllowedBlockHeightMismatch int                                `mapstructure:"maxAllowedBlockHeightMismatch"`
+	MaxAllowedBlockHeightMismatch uint64                             `mapstructure:"maxAllowedBlockHeightMismatch"`
 	MessageQueue                  *MessageQueueConfig                `mapstructure:"mq"`
 	P2pReadBufferSize             int                                `mapstructure:"p2pReadBufferSize"`
 	IncomingIsLongest             bool                               `mapstructure:"incomingIsLongest"`

go.mod

@@ -6,6 +6,7 @@ require (
 	github.com/bitcoinsv/bsvutil v0.0.0-20181216182056-1d77cf353ea9
 	github.com/bsv-blockchain/go-sdk v1.1.22
 	github.com/cbeuw/connutil v0.0.0-20200411215123-966bfaa51ee3
+	github.com/ccoveille/go-safecast v1.6.1
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/docker/docker v28.0.1+incompatible
 	github.com/enescakir/emoji v1.0.0

go.sum

@@ -664,6 +664,8 @@ github.com/bsv-blockchain/go-sdk v1.1.22 h1:R5o9spVEfCAt64We1CdyHkCuYT1sdTSfKXp3
 github.com/bsv-blockchain/go-sdk v1.1.22/go.mod h1:d0HXzhHy21t+7z+LBpDhGyJSBJb8S5HiAmHsBtRKddQ=
 github.com/cbeuw/connutil v0.0.0-20200411215123-966bfaa51ee3 h1:LRxW8pdmWmyhoNh+TxUjxsAinGtCsVGjsl3xg6zoRSs=
 github.com/cbeuw/connutil v0.0.0-20200411215123-966bfaa51ee3/go.mod h1:6jR2SzckGv8hIIS9zWJ160mzGVVOYp4AXZMDtacL6LE=
+github.com/ccoveille/go-safecast v1.6.1 h1:Nb9WMDR8PqhnKCVs2sCB+OqhohwO5qaXtCviZkIff5Q=
+github.com/ccoveille/go-safecast v1.6.1/go.mod h1:QqwNjxQ7DAqY0C721OIO9InMk9zCwcsO7tnRuHytad8=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=

internal/api/handler/default.go

@@ -14,6 +14,7 @@ import (
 	"github.com/bitcoin-sv/arc/internal/api/handler/internal/merkle_verifier"
 	"github.com/bitcoin-sv/arc/internal/metamorph"
 	"github.com/bitcoin-sv/arc/pkg/tracing"
+	"github.com/ccoveille/go-safecast"
 
 	sdkTx "github.com/bsv-blockchain/go-sdk/transaction"
 	"github.com/labstack/echo/v4"
@@ -44,8 +45,11 @@ var (
 )
 
 type ArcDefaultHandler struct {
-	TransactionHandler metamorph.TransactionHandler
-	NodePolicy         *bitcoin.Settings
+	TransactionHandler      metamorph.TransactionHandler
+	NodePolicy              *bitcoin.Settings
+	maxTxSizePolicy         uint64
+	maxTxSigopsCountsPolicy uint64
+	maxscriptsizepolicy     uint64
 
 	logger                        *slog.Logger
 	now                           func() time.Time
@@ -119,15 +123,37 @@ func NewDefault(
 ) (*ArcDefaultHandler, error) {
 	mr := merkle_verifier.New(merkleRootsVerifier)
 
+	var maxscriptsizepolicy, maxTxSigopsCountsPolicy, maxTxSizePolicy uint64
+	var err error
+	if policy != nil {
+		maxscriptsizepolicy, err = safecast.ToUint64(policy.MaxScriptSizePolicy)
+		if err != nil {
+			return nil, err
+		}
+
+		maxTxSigopsCountsPolicy, err = safecast.ToUint64(policy.MaxTxSigopsCountsPolicy)
+		if err != nil {
+			return nil, err
+		}
+
+		maxTxSizePolicy, err = safecast.ToUint64(policy.MaxTxSizePolicy)
+		if err != nil {
+			return nil, err
+		}
+	}
+
 	handler := &ArcDefaultHandler{
-		TransactionHandler: transactionHandler,
-		NodePolicy:         policy,
-		logger:             logger,
-		now:                time.Now,
-		mrVerifier:         mr,
-		txFinder:           cachedFinder,
-		mapExpiryTime:      mapExpiryTimeDefault,
-		defaultTimeout:     timeoutSecondsDefault * time.Second,
+		TransactionHandler:      transactionHandler,
+		NodePolicy:              policy,
+		logger:                  logger,
+		now:                     time.Now,
+		mrVerifier:              mr,
+		txFinder:                cachedFinder,
+		mapExpiryTime:           mapExpiryTimeDefault,
+		defaultTimeout:          timeoutSecondsDefault * time.Second,
+		maxTxSizePolicy:         maxTxSizePolicy,
+		maxTxSigopsCountsPolicy: maxTxSigopsCountsPolicy,
+		maxscriptsizepolicy:     maxscriptsizepolicy,
 	}
 
 	// apply options
@@ -147,10 +173,11 @@ func (m ArcDefaultHandler) GETPolicy(ctx echo.Context) (err error) {
 	satoshis, bytes := calcFeesFromBSVPerKB(m.NodePolicy.MinMiningTxFee)
 
 	return ctx.JSON(http.StatusOK, api.PolicyResponse{
+
 		Policy: api.Policy{
-			Maxscriptsizepolicy:     uint64(m.NodePolicy.MaxScriptSizePolicy),
-			Maxtxsigopscountspolicy: uint64(m.NodePolicy.MaxTxSigopsCountsPolicy),
-			Maxtxsizepolicy:         uint64(m.NodePolicy.MaxTxSizePolicy),
+			Maxscriptsizepolicy:     m.maxscriptsizepolicy,
+			Maxtxsigopscountspolicy: m.maxTxSigopsCountsPolicy,
+			Maxtxsizepolicy:         m.maxTxSizePolicy,
 			MiningFee: api.FeeAmount{
 				Bytes:    bytes,
 				Satoshis: satoshis,

internal/api/helpers.go

@@ -5,6 +5,6 @@ import (
 )
 
 func FeesToFeeModel(minMiningFee float64) *feemodel.SatoshisPerKilobyte {
-	satoshisPerKB := int(minMiningFee * 1e8)
-	return &feemodel.SatoshisPerKilobyte{Satoshis: uint64(satoshisPerKB)}
+	satoshisPerKB := uint64(minMiningFee * 1e8)
+	return &feemodel.SatoshisPerKilobyte{Satoshis: satoshisPerKB}
 }

internal/beef/beef.go

@@ -147,9 +147,9 @@ func decodeTransactionsWithPathIndexes(beefBytes []byte) ([]*TxData, []byte, err
 
 	beefBytes = beefBytes[bytesUsed:]
 
-	transactions := make([]*TxData, 0, int(nTransactions))
+	transactions := make([]*TxData, 0, nTransactions)
 
-	for i := 0; i < int(nTransactions); i++ {
+	for i := uint64(0); i < uint64(nTransactions); i++ {
 		tx, bytesUsed, err := sdkTx.NewTransactionFromStream(beefBytes)
 		if err != nil {
 			return nil, nil, err

internal/blocktx/server.go

@@ -33,13 +33,13 @@ type Server struct {
 	logger                        *slog.Logger
 	pm                            PeerManager
 	store                         store.BlocktxStore
-	maxAllowedBlockHeightMismatch int
+	maxAllowedBlockHeightMismatch uint64
 	processor                     ProcessorI
 	mqClient                      mq.MessageQueueClient
 }
 
 // NewServer will return a server instance with the logger stored within it.
-func NewServer(logger *slog.Logger, store store.BlocktxStore, pm PeerManager, processor ProcessorI, cfg grpc_utils.ServerConfig, maxAllowedBlockHeightMismatch int, mqClient mq.MessageQueueClient) (*Server, error) {
+func NewServer(logger *slog.Logger, store store.BlocktxStore, pm PeerManager, processor ProcessorI, cfg grpc_utils.ServerConfig, maxAllowedBlockHeightMismatch uint64, mqClient mq.MessageQueueClient) (*Server, error) {
 	logger = logger.With(slog.String("module", "server"))
 
 	grpcServer, err := grpc_utils.NewGrpcServer(logger, cfg)

internal/blocktx/store/mocks/blocktx_store_mock.go

@@ -660,7 +660,7 @@ func TestPostgresDB(t *testing.T) {
 				BlockHeight: 822032,
 			},
 		}
-		maxAllowedBlockHeightMismatch := 10
+		maxAllowedBlockHeightMismatch := uint64(10)
 		expectedUnverifiedBlockHeights := []uint64{812011, 822010, 822032}
 
 		// when