backport: fix issues reported by go-sec (#11)

cmd/createUnbondingTxCmd.go

@@ -23,8 +23,9 @@ var (
 
 	FlagStakerWalletAddressHost = "staker-wallet-address-host"
 	FlagStakerWalletRpcUser     = "staker-wallet-rpc-user"
-	FlagStakerWalletRpcPass     = "staker-wallet-rpc-pass"
-	FlagWalletPassphrase        = "staker-wallet-passphrase"
+	//#nosec G101 - false positive
+	FlagStakerWalletRpcPass = "staker-wallet-rpc-pass"
+	FlagWalletPassphrase    = "staker-wallet-passphrase"
 )
 
 func init() {

cmd/timestampFileCmd.go

@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 
 	"github.com/btcsuite/btcd/btcutil"
 	"github.com/btcsuite/btcd/chaincfg"
@@ -119,6 +120,9 @@ func CreateTimestampTx(
 	}
 	fundingTxHash := fundingTx.TxHash()
 	fundingInput := wire.NewTxIn(
+		//#nosec G115 - in theory this function can be called with bogus transactions
+		// with more than math.MaxUint32 outputs, but in practic caller would be shoting
+		// himself in the foot.
 		wire.NewOutPoint(&fundingTxHash, uint32(fundingOutputIdx)),
 		nil,
 		nil,
@@ -151,7 +155,9 @@ func CreateTimestampTx(
 }
 
 func txOutTimestampFile(filePath string) (txOut *wire.TxOut, fileHash []byte, err error) {
-	fileHash, err = hashFromFile(filePath)
+	fileHash, err = hashFromFile(
+		filepath.Clean(filePath),
+	)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to generate hash from file %s: %w", filePath, err)
 	}
@@ -167,7 +173,9 @@ func txOutTimestampFile(filePath string) (txOut *wire.TxOut, fileHash []byte, er
 func hashFromFile(filePath string) ([]byte, error) {
 	h := sha256.New()
 
-	f, err := os.Open(filePath)
+	f, err := os.Open(
+		filepath.Clean(filePath),
+	)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open the file %s: %w", filePath, err)
 	}

go.mod

@@ -6,7 +6,7 @@ toolchain go1.22.4
 
 require (
 	github.com/babylonlabs-io/babylon v0.9.0
-	github.com/babylonlabs-io/covenant-signer v0.2.9
+	github.com/babylonlabs-io/covenant-signer v0.2.11
 	github.com/babylonlabs-io/networks/parameters v0.2.2
 	github.com/btcsuite/btcd v0.24.2
 	github.com/btcsuite/btcd/btcec/v2 v2.3.2

go.sum

@@ -279,8 +279,8 @@ github.com/aws/aws-sdk-go v1.44.312/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/babylonlabs-io/babylon v0.9.0 h1:dHZ9wUrI5XLaO4UIwJRgiCdnzFdi5yv7dpibbu6TDv0=
 github.com/babylonlabs-io/babylon v0.9.0/go.mod h1:t7B4e+ooD2oYvAxkegtNKDL9bXe+vU29a8xnCQh+UKo=
-github.com/babylonlabs-io/covenant-signer v0.2.9 h1:3euelxnA7OYCDWSPsczTiTCjKulJBRnIfU3kNqYX6VE=
-github.com/babylonlabs-io/covenant-signer v0.2.9/go.mod h1:ju9+U2wtIhklSOwTxp+3NA+S/sC4gak9+DeyK9qQi80=
+github.com/babylonlabs-io/covenant-signer v0.2.11 h1:lQiT5TR2ob0Sky99URhpqrfqImJw14gP63ASd2UJwaE=
+github.com/babylonlabs-io/covenant-signer v0.2.11/go.mod h1:ju9+U2wtIhklSOwTxp+3NA+S/sC4gak9+DeyK9qQi80=
 github.com/babylonlabs-io/networks/parameters v0.2.2 h1:TCu39fZvjX5f6ZZrjhYe54M6wWxglNewuKu56yE+zrc=
 github.com/babylonlabs-io/networks/parameters v0.2.2/go.mod h1:iEJVOzaLsE33vpP7J4u+CRGfkSIfErUAwRmgCFCBpyI=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=

internal/config/config.go

@@ -11,6 +11,10 @@ import (
 	"github.com/spf13/viper"
 )
 
+const (
+	folderPermissions = 0750
+)
+
 type Config struct {
 	Db      DbConfig           `mapstructure:"db-config"`
 	Btc     BtcConfig          `mapstructure:"btc-config"`
@@ -104,7 +108,7 @@ func WriteConfigToFile(pathToConfFile string, conf *Config) error {
 	dirPath, _ := filepath.Split(pathToConfFile)
 
 	if _, err := os.Stat(pathToConfFile); os.IsNotExist(err) {
-		if err := os.MkdirAll(dirPath, os.ModePerm); err != nil {
+		if err := os.MkdirAll(dirPath, folderPermissions); err != nil {
 			return fmt.Errorf("couldn't make config: %v", err)
 		}
 

internal/services/persistent_store.go

@@ -121,7 +121,11 @@ func documentToData(d *model.UnbondingDocument) (*UnbondingTxData, error) {
 	}
 
 	// TODO: Check if there are better types at mongo level
+	//#nosec G115 - safe conversion, data is coming from the database and
+	// data in db is always validated
 	stakingValue := btcutil.Amount(int64(d.StakingAmount))
+	//#nosec G115 - safe conversion, data is coming from the database and
+	// data in db is always validated
 	stakingTime := uint16(d.StakingTimelock)
 
 	si := &StakingInfo{
@@ -183,6 +187,7 @@ func (s *PersistentUnbondingStorage) AddTxWithSignature(
 		stakingtTxData.StakingOutputIdx,
 		stakingTxHashHex,
 		uint64(info.StakingTimelock),
+		//#nosec G115 - safe conversion, staking amoutn will always be positive
 		uint64(info.StakingAmount),
 	)
 

internal/services/unbonding_pipeline.go

@@ -409,6 +409,7 @@ func (up *UnbondingPipeline) processUnbondingTransactions(
 		utx.UnbondingTransaction.TxIn[0].Witness = witness
 
 		// TODO do we need to check the mempool?
+		//#nosec G115 - data is coming from the database, so this is valid staking transaction
 		spendable, err := up.sender.CheckTxOutSpendable(&stakingTxHash, uint32(utx.StakingTransactionData.StakingOutputIdx), true)
 		if err != nil {
 			up.logger.Error("Failed to check whether the staking output is spendable", "error", err)