fix: address security and quality issues from code review #2
Open
Dnamb wants to merge 1 commit into
- Remove plaintext refresh token debug file (credential leak)
- Add context.Context propagation to API HTTP requests
- Drain HTTP response bodies for connection reuse
- Fix nil dereference in update binary size check
- Add fsync in copyFile during self-update
- Fix race condition on apiClient with mutex guard
- Restrict config file permissions to 0600
- Replace random percentage fallback with deterministic zero
- Remove unused FileExists from stats/parser
- Initialize credOrigin default in App constructor
- Update golang.org/x/sys v0.15.0 -> v0.42.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- `NEW_REFRESH_TOKEN_WARNING.txt`) that leaked OAuth credentials to disk with world-readable permissions
- `fsync` in `copyFile` during self-update to prevent corruption on power loss
- `apiClient` field accessed from multiple goroutines without synchronization
- `0644` to `0600`
- `context.Context` propagation to all API HTTP requests
- `golang.org/x/sys` from v0.15.0 to v0.42.0
- `FileExists` function
- `credOrigin` default in App constructor

Test plan
- `go build ./...` passes
- `go test -v ./...` — all 4 tests pass
- `go vet ./...` clean
- `NEW_REFRESH_TOKEN_WARNING.txt` created

🤖 Generated with Claude Code
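An added example, not code from this pull request: one way to implement the `fsync` in `copyFile` and `0600` config permission items from the summary in Go. `syncWrite`, the `copyFile` signature and the sample paths are hypothetical, since the page names `copyFile` but does not show it; Unix-style permission bits are assumed.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// syncWrite streams r into dst, forces the given mode, and fsyncs before
// returning. OpenFile's mode applies only on creation, hence the Chmod.
func syncWrite(dst string, r io.Reader, mode os.FileMode) error {
	f, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, mode)
	if err != nil {
		return err
	}
	defer f.Close() // covers the error paths; no-op after the Close below
	if err := f.Chmod(mode); err != nil { // tighten before any data is written
		return err
	}
	if _, err := io.Copy(f, r); err != nil {
		return err
	}
	if err := f.Sync(); err != nil { // flush to disk before reporting success
		return err
	}
	return f.Close()
}

// copyFile copies src to dst (for example a downloaded update binary).
func copyFile(src, dst string, mode os.FileMode) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	return syncWrite(dst, in, mode)
}

func main() {
	dir, _ := os.MkdirTemp("", "demo") // constructed sample paths
	defer os.RemoveAll(dir)
	cfg := filepath.Join(dir, "config.json")
	os.WriteFile(cfg, []byte("old"), 0o644) // simulate a config left at 0644
	err := syncWrite(cfg, bytes.NewReader([]byte(`{"token":"placeholder"}`)), 0o600)
	st, _ := os.Stat(cfg)
	fmt.Println(err, st.Mode().Perm())
}
```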