Silence gosec lints

Add one css class escape.

Author: maruel

.github/workflows/test.yml

@@ -152,7 +152,7 @@ jobs:
       run: staticcheck ./...
     - name: 'Check: gosec'
       if: always()
-      run: gosec -exclude=G103,G107,G108,G203,G204,G304,G307 -fmt=golint -quiet ./...
+      run: gosec -fmt=golint -quiet ./...
       # The following checks are not dependent on the OS or go build tags. Only
       # run them on ubuntu-latest since it's the fastest one.
     - name: 'Check: no executable was committed (ubuntu)'

cmd/panic/main.go

@@ -124,6 +124,7 @@ func panicRaceDisabled(name string) {
 func rerunWithFastCrash() {
 	if os.Getenv("GORACE") != "log_path=stderr halt_on_error=1" {
 		_ = os.Setenv("GORACE", "log_path=stderr halt_on_error=1")
+		/* #nosec G204 */
 		c := exec.Command(os.Args[0], os.Args[1:]...)
 		c.Stderr = os.Stderr
 		if err, ok := c.Run().(*exec.ExitError); ok {

cmd/panicweb/internal/internal.go

@@ -18,6 +18,7 @@ var Unblock = make(chan struct{})
 // GetAsync does an HTTP GET to the URL but leaves the actual fetching to a
 // goroutine.
 func GetAsync(url string) {
+	/* #nosec G107 */
 	resp, err := http.Get(url)
 	if err != nil {
 		log.Fatalf("get %s: %v", url, err)

cmd/panicweb/main.go

@@ -19,6 +19,8 @@ import (
 	"log"
 	"net"
 	"net/http"
+
+	/* #nosec G108 */
 	_ "net/http/pprof"
 	"os"
 	"runtime"

internal/internaltest/internaltest.go

@@ -210,6 +210,7 @@ func Compile(in, exe, cwd string, disableInlining, race bool) error {
 	if race {
 		args = append(args, "-race")
 	}
+	/* #nosec G204 */
 	c := exec.Command("go", append(args, in)...)
 	c.Dir = cwd
 	if out, err := c.CombinedOutput(); err != nil {
@@ -231,6 +232,7 @@ func Compile(in, exe, cwd string, disableInlining, race bool) error {
 // It ignores the exit code, since it's meant to run panic, which crashes by
 // design.
 func execRun(cmd ...string) []byte {
+	/* #nosec G204 */
 	c := exec.Command(cmd[0], cmd[1:]...)
 	c.Env = append(os.Environ(), "GOTRACEBACK=all")
 	out, _ := c.CombinedOutput()

internal/main.go

@@ -109,6 +109,7 @@ type toHTMLer interface {
 }
 
 func toHTML(h toHTMLer, p string, needsEnv bool) error {
+	/* #nosec G304 */
 	f, err := os.Create(p)
 	if err != nil {
 		return err
@@ -290,9 +291,11 @@ func Main() error {
 	case 1:
 		// Do not handle SIGQUIT when passed a file to process.
 		name := flag.Arg(0)
+		/* #nosec G304 */
 		if in, err = os.Open(name); err != nil {
 			return fmt.Errorf("did you mean to specify a valid stack dump file name? %w", err)
 		}
+		/* #nosec G307 */
 		defer in.Close()
 
 	default:

internal/main_test.go

@@ -102,6 +102,7 @@ func TestProcessTwoSnapshots(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	// This is a change detector on main.go.
 	want := ("Ya\n" +
 		"GOTRACEBACK=all\n" +
 		"panic: simple\n\n" +
@@ -112,7 +113,7 @@ func TestProcessTwoSnapshots(t *testing.T) {
 		"panic: 42\n\n" +
 		"1: running\n" +
 		"    main main.go:90  panicint(0x2a)\n" +
-		"    main main.go:311 glob..func9()\n" +
+		"    main main.go:312 glob..func9()\n" +
 		"    main main.go:73  main()\n" +
 		"Yo\n")
 	compareString(t, want, out.String())

stack/context.go

@@ -1010,6 +1010,7 @@ func (g *gomodCache) isGoModule(parts []string) (string, string) {
 		if runtime.GOOS == "windows" {
 			p = strings.Replace(p, "/", pathSeparator, -1)
 		}
+		/* #nosec G304 */
 		b, err := ioutil.ReadFile(p)
 		if err != nil {
 			continue
@@ -1198,5 +1199,6 @@ func trimCurlyBrackets(s []byte) (int, []byte, int) {
 //
 // A workaround for the absence of https://github.com/golang/go/issues/2632.
 func unsafeString(b []byte) string {
+	/* #nosec G103 */
 	return *(*string)(unsafe.Pointer(&b))
 }

stack/context_test.go

@@ -1381,6 +1381,7 @@ func TestScanSnapshotSyntheticTwoSnapshots(t *testing.T) {
 	if !s.guessPaths() {
 		t.Error("expected success")
 	}
+	// This is a change detector on internal/main.go.
 	want = []*Goroutine{
 		{
 			Signature: Signature{
@@ -1397,7 +1398,7 @@ func TestScanSnapshotSyntheticTwoSnapshots(t *testing.T) {
 							"main.glob..func9",
 							Args{},
 							pathJoin(ppDir, "main.go"),
-							311,
+							312,
 						),
 						newCallLocal(
 							"main.main",
@@ -2350,7 +2351,8 @@ func identifyPanicwebSignature(t *testing.T, b *Bucket, pwebDir string) panicweb
 			if !b.Signature.Locked {
 				t.Fatal("expected Locked")
 			}
-			want := Stack{Calls: []Call{newCallLocal("main.main", Args{}, pathJoin(pwebDir, "main.go"), 139)}}
+			// This is a change detector on internal/main.go.
+			want := Stack{Calls: []Call{newCallLocal("main.main", Args{}, pathJoin(pwebDir, "main.go"), 141)}}
 			compareStacks(t, &b.Signature.CreatedBy, &want)
 			for i := range b.Signature.Stack.Calls {
 				if strings.HasPrefix(b.Signature.Stack.Calls[i].ImportPath, "github.com/mattn/go-colorable") {

stack/html.go

@@ -72,7 +72,8 @@ func funcClass(c *Call) template.HTML {
 	if c.Func.IsExported {
 		s += " Exported"
 	}
-	return template.HTML("Func" + s)
+	/* #nosec G203 */
+	return template.HTML("Func") + template.HTML(template.HTMLEscapeString(s))
 }
 
 func minus(i, j int) int {
@@ -107,23 +108,24 @@ func pkgURL(c *Call) template.URL {
 		}
 	}
 	if c.Func.IsExported {
-		return template.URL(url + ip + "#" + symbol(&c.Func))
+		return url + ip + template.URL("#") + symbol(&c.Func)
 	}
-	return template.URL(url + ip)
+	return url + ip
 }
 
 // srcURL returns an URL to the sources.
 //
 // TODO(maruel): Support custom local godoc server as it serves files too.
 func srcURL(c *Call) template.URL {
 	url, _ := getSrcBranchURL(c)
-	return template.URL(url)
+	return url
 }
 
 func escape(s string) template.URL {
 	// That's the only way I found to get the kind of escaping I wanted, where
 	// '/' is not escaped.
 	u := url.URL{Path: s}
+	/* #nosec G203 */
 	return template.URL(u.EscapedPath())
 }
 
@@ -140,6 +142,7 @@ func getSrcBranchURL(c *Call) (template.URL, template.URL) {
 			ver = ver[len(devel) : len(devel)+10]
 		}
 		tag = url.QueryEscape(ver)
+		/* #nosec G203 */
 		return template.URL(fmt.Sprintf("https://github.com/golang/go/blob/%s/src/%s#L%d", tag, escape(c.RelSrcPath), c.Line)), template.URL(tag)
 	}
 	// TODO(maruel): Leverage Location.
@@ -156,6 +159,7 @@ func getSrcBranchURL(c *Call) (template.URL, template.URL) {
 			if parts := strings.SplitN(rest, "/", 3); len(parts) == 3 {
 				p, srcTag, tag := splitTag(parts[1])
 				url := fmt.Sprintf("https://github.com/%s/%s/blob/%s/%s#L%d", escape(parts[0]), p, srcTag, escape(parts[2]), c.Line)
+				/* #nosec G203 */
 				return template.URL(url), tag
 			}
 			log.Printf("problematic github.com URL: %q", rel)
@@ -168,6 +172,7 @@ func getSrcBranchURL(c *Call) (template.URL, template.URL) {
 				// The source of truth is are actually go.googlesource.com, but
 				// github.com has nicer syntax highlighting.
 				url := fmt.Sprintf("https://github.com/golang/%s/blob/%s/%s#L%d", p, srcTag, escape(parts[2]), c.Line)
+				/* #nosec G203 */
 				return template.URL(url), tag
 			}
 			log.Printf("problematic golang.org URL: %q", rel)
@@ -185,9 +190,11 @@ func getSrcBranchURL(c *Call) (template.URL, template.URL) {
 	}
 
 	if c.LocalSrcPath != "" {
+		/* #nosec G203 */
 		return template.URL("file:///" + escape(c.LocalSrcPath)), template.URL(tag)
 	}
 	if c.RemoteSrcPath != "" {
+		/* #nosec G203 */
 		return template.URL("file:///" + escape(c.RemoteSrcPath)), template.URL(tag)
 	}
 	return "", ""
@@ -219,6 +226,7 @@ func splitTag(s string) (string, string, template.URL) {
 	if m := reVersion.FindStringSubmatch(tag); len(m) != 0 {
 		srcTag = m[1]
 	}
+	/* #nosec G203 */
 	return s[:i], url.QueryEscape(srcTag), template.URL(url.QueryEscape(tag))
 }
 
@@ -233,5 +241,6 @@ func symbol(f *Func) template.URL {
 		// Transform the method form.
 		s = reMethodSymbol.ReplaceAllString(s, "$1$2")
 	}
+	/* #nosec G203 */
 	return template.URL(url.QueryEscape(s))
 }