refactor: drop redundant filepath.Clean around filepath.Join #3279
Merged
wen-coding merged 2 commits into main from Apr 22, 2026
filepath.Join already invokes filepath.Clean on its result, so wrapping it again is a no-op. Addresses post-merge review feedback on #3220. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Codecov Report❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #3279 +/- ##
=======================================
Coverage 59.35% 59.35%
=======================================
Files 2072 2072
Lines 169922 169922
=======================================
+ Hits 100855 100857 +2
+ Misses 60279 60278 -1
+ Partials 8788 8787 -1
gosec G304 ("potential file inclusion via variable") fires whenever
os.ReadFile is called with a non-literal argument and only quiets down
when it sees an explicit filepath.Clean wrap. But filepath.Join already
calls Clean on its result (per path/filepath docs), and Clean itself
does not prevent traversal — filepath.Clean("../../etc/passwd") returns
"../../etc/passwd" unchanged. The wrap was appeasing the heuristic, not
adding a security boundary.
This is a CLI command (tendermint gen-autobahn-config) where dir comes
from positional args supplied by the operator running the binary. There
is no untrusted-input path, so G304 is a false positive. Annotate with
//nolint:gosec instead of re-introducing redundant Clean calls.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
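The two claims in the commit message above, next to a check that does act as a boundary, as an added Go example that is not code from this PR or the repository. The helpers cleanIsNoOp and resolveUnder and the sample paths are hypothetical; the containment check is lexical only and does not resolve symlinks.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// cleanIsNoOp reports whether wrapping filepath.Join in filepath.Clean
// leaves the result unchanged. Join cleans its result, so this holds.
func cleanIsNoOp(elems ...string) bool {
	joined := filepath.Join(elems...)
	return filepath.Clean(joined) == joined
}

// resolveUnder (hypothetical helper) joins name onto base and rejects any
// result that lands outside base. This comparison, not Clean, is what
// would form a boundary if name came from an untrusted source.
// Lexical only: symlinks under base are not resolved.
func resolveUnder(base, name string) (string, error) {
	full := filepath.Join(base, name)
	rel, err := filepath.Rel(base, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("path escapes base directory")
	}
	return full, nil
}

func main() {
	// Constructed sample inputs.
	fmt.Println(filepath.Clean("../../etc/passwd"))            // Clean keeps leading ".."
	fmt.Println(filepath.Join("/srv/cfg", "../../etc/passwd")) // Join cleans, still escapes
	fmt.Println(cleanIsNoOp("/srv/cfg", "a/../b//c"))
	fmt.Println(resolveUnder("/srv/cfg", "node_key.json"))
	fmt.Println(resolveUnder("/srv/cfg", "../../etc/passwd"))
}
```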
pompon0
approved these changes
Apr 22, 2026
Summary
- filepath.Join already calls filepath.Clean on its result, so wrapping the join with an extra filepath.Clean is a no-op.
- sei-tendermint/privval/file.go, sei-tendermint/types/node_key.go, and sei-tendermint/cmd/tendermint/commands/gen_autobahn_config.go.

Test plan
- gofmt -s -l clean on changed files
- go vet ./privval/... ./types/... ./cmd/tendermint/commands/... passes

🤖 Generated with Claude Code