chore(lint): bump golangci-lint to v2.11.1 (#7905)

- Added nolint to plugin/auto/walk.go to avoid a symlink/TOCTOU warning, as it needs to follow symlink. - Replaced a few flagged integer conversions with safe equivalents in cache hashing, reuseport socket setup, and TLS arg handling - Preallocated response rule slices in plugin/rewrite/name.go - Replaced WriteString(fmt.Sprintf/Sprintln(...)) with direct fmt.Fprint* calls - Removed stale nolint directives from code and tests that are no longer needed Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
2026-03-11 08:13:12 -04:00 · 2026-03-06 21:50:24 +02:00
parent ab04d3c0ca
commit 90a9739478
12 changed files with 41 additions and 23 deletions
--- a/plugin/auto/walk.go
+++ b/plugin/auto/walk.go
@@ -39,7 +39,7 @@ func (a Auto) Walk() error {
 			return nil
 		}

-		reader, err := os.Open(filepath.Clean(path))
+		reader, err := os.Open(filepath.Clean(path)) //nolint:gosec // G122: path is from filepath.Walk rooted in a.directory; symlinks must be followed for configmap-style mounts
 		if err != nil {
 			log.Warningf("Opening %s failed: %s", path, err)
 			return nil
--- a/plugin/cache/cache.go
+++ b/plugin/cache/cache.go
@@ -2,6 +2,7 @@
 package cache

 import (
+	"encoding/binary"
 	"hash/fnv"
 	"net"
 	"time"
@@ -110,8 +111,9 @@ func hash(qname string, qtype uint16, do, cd bool) uint64 {
 		h.Write(zero)
 	}

-	h.Write([]byte{byte(qtype >> 8)})
-	h.Write([]byte{byte(qtype)})
+	var qtypeBytes [2]byte
+	binary.BigEndian.PutUint16(qtypeBytes[:], qtype)
+	h.Write(qtypeBytes[:])
 	h.Write([]byte(qname))
 	return h.Sum64()
 }
--- a/plugin/file/file.go
+++ b/plugin/file/file.go
@@ -156,7 +156,6 @@ func Parse(f io.Reader, origin, fileName string, serial int64) (*Zone, error) {

 				// -1 is valid serial is we failed to load the file on startup.

-				//nolint:gosec
 				if serial >= 0 && s.Serial == uint32(serial) { // #nosec G115 -- serial is validated non-negative, fits in uint32
 					return nil, &serialErr{err: "no change in SOA serial", origin: origin, zone: fileName, serial: serial}
 				}
--- a/plugin/k8s_external/transfer_test.go
+++ b/plugin/k8s_external/transfer_test.go
@@ -38,7 +38,7 @@ func TestTransferAXFR(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Unexpected error: %v", err)
 	}
-	var records []dns.RR //nolint:prealloc // records are read from a channel
+	var records []dns.RR
 	for rrs := range ch {
 		records = append(records, rrs...)
 	}
@@ -104,7 +104,7 @@ func TestTransferIXFR(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Unexpected error: %v", err)
 	}
-	var records []dns.RR //nolint:prealloc // records are read from a channel
+	var records []dns.RR
 	for rrs := range ch {
 		records = append(records, rrs...)
 	}
--- a/plugin/kubernetes/xfr_test.go
+++ b/plugin/kubernetes/xfr_test.go
@@ -88,7 +88,7 @@ func TestKubernetesIXFRCurrent(t *testing.T) {
 		t.Error(err)
 	}

-	var gotRRs []dns.RR //nolint:prealloc // records are read from a channel
+	var gotRRs []dns.RR
 	for rrs := range ch {
 		gotRRs = append(gotRRs, rrs...)
 	}
--- a/plugin/pkg/reuseport/listen_reuseport.go
+++ b/plugin/pkg/reuseport/listen_reuseport.go
@@ -14,7 +14,13 @@ import (

 func control(network, address string, c syscall.RawConn) error {
 	c.Control(func(fd uintptr) {
-		if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1); err != nil {
+		const maxInt = int(^uint(0) >> 1)
+		if fd > uintptr(maxInt) {
+			log.Warningf("Failed to set SO_REUSEPORT on socket: invalid file descriptor %d", fd)
+			return
+		}
+
+		if err := unix.SetsockoptInt(int(fd), unix.SOL_SOCKET, unix.SO_REUSEPORT, 1); err != nil { // #nosec G115 -- fd is range-checked above
 			log.Warningf("Failed to set SO_REUSEPORT on socket: %s", err)
 		}
 	})
--- a/plugin/pkg/tls/tls.go
+++ b/plugin/pkg/tls/tls.go
@@ -59,19 +59,29 @@ func setTLSDefaults(ctls *tls.Config) {
 func NewTLSConfigFromArgs(args ...string) (*tls.Config, error) {
 	var err error
 	var c *tls.Config
+	var certPath, keyPath, caPath string
+	if len(args) > 0 {
+		certPath = args[0]
+	}
+	if len(args) > 1 {
+		keyPath = args[1]
+	}
+	if len(args) > 2 {
+		caPath = args[2]
+	}
 	switch len(args) {
 	case 0:
 		// No client cert, use system CA
 		c, err = NewTLSClientConfig("")
 	case 1:
 		// No client cert, use specified CA
-		c, err = NewTLSClientConfig(args[0])
+		c, err = NewTLSClientConfig(certPath)
 	case 2:
 		// Client cert, use system CA
-		c, err = NewTLSConfig(args[0], args[1], "")
+		c, err = NewTLSConfig(certPath, keyPath, "")
 	case 3:
 		// Client cert, use specified CA
-		c, err = NewTLSConfig(args[0], args[1], args[2])
+		c, err = NewTLSConfig(certPath, keyPath, caPath)
 	default:
 		err = fmt.Errorf("maximum of three arguments allowed for TLS config, found %d", len(args))
 	}
--- a/plugin/rewrite/name.go
+++ b/plugin/rewrite/name.go
@@ -161,10 +161,11 @@ func (rule *nameRuleBase) responseRuleFor(state request.Request) (ResponseRules,
 	}

 	rewriter := newRemapStringRewriter(state.Req.Question[0].Name, state.Name())
-	rules := ResponseRules{
+	rules := make(ResponseRules, 0, 2+len(rule.static))
+	rules = append(rules,
 		&nameRewriterResponseRule{rewriter},
 		&valueRewriterResponseRule{rewriter},
-	}
+	)
 	return append(rules, rule.static...), RewriteDone
 }

@@ -221,15 +222,16 @@ type suffixNameRule struct {
 }

 func newSuffixNameRule(nextAction string, auto bool, suffix, replacement string, answers ResponseRules) Rule {
-	var rules ResponseRules
+	rules := make(ResponseRules, 0, len(answers))
 	if auto {
 		// for a suffix rewriter better standard response rewrites can be done
 		// just by using the original suffix/replacement in the opposite order
 		rewriter := newSuffixStringRewriter(replacement, suffix)
-		rules = ResponseRules{
+		rules = make(ResponseRules, 0, 2+len(answers))
+		rules = append(rules,
 			&nameRewriterResponseRule{rewriter},
 			&valueRewriterResponseRule{rewriter},
-		}
+		)
 	}
 	return &suffixNameRule{
 		newNameRuleBase(nextAction, false, replacement, append(rules, answers...)),