Tags: jhinrichsen/firefox-password-merger
docs: document static linking and runtime attack surface
Added security details:
- Binary is statically linked (CGO_ENABLED=0)
- No shared library dependencies (no libc, LD_PRELOAD, /usr/lib vectors)
- Only runtime external dependency is 'git' binary
- Git is the sole external attack vector at runtime
- All git inputs validated (commit hashes, fixed arguments)
Verified with: ldd ./fpm
Output: "not a dynamic executable", "statically linked"
This eliminates entire classes of local shared library attacks that
dynamically linked binaries are vulnerable to.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
refactor: fix linting errors and improve error handling
- Fix errcheck violations by properly handling strconv.ParseInt errors
- credential.go: fail fast on malformed timestamps in user CSV files
- git.go: skip corrupted rows in historical git data
- Fix unparam warnings by removing unused error return from Merge()
- Fix gosec G204 by adding commit hash validation (^[a-f0-9]{7,40}$)
- Add comprehensive tests for timestamp parsing and hash validation
- Document git implementation choice (external cmd vs go-git library)
All linting errors resolved. Error messages now include line numbers
and invalid values for better debugging.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>