fix: Add bounds checks and lint fixes for TOTP code

arimxyer · claude · arimxyer · commit 43e3be1b1fb7 · 2025-12-26T14:55:33.000-05:00
- Add bounds check for key.Period() conversion (max 300 seconds)
- Add bounds check for cred.TOTPPeriod before conversion
- Fix errcheck: properly ignore resp.Body.Close() error
- Fix staticcheck: refactor base32 validation for clarity
- Addresses CodeQL security warnings for uint64-&gt;int conversions

Generated with Claude Code

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
diff --git a/internal/vault/totp.go b/internal/vault/totp.go
@@ -45,7 +45,7 @@ func CheckTimeSync() TimeSyncResult {
 		result.Error = err
 		return result
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	result.Checked = true
 
@@ -142,11 +142,17 @@ func ParseTOTPURI(uri string) (*TOTPConfig, error) {
 		return nil, fmt.Errorf("unsupported OTP type: %s (only totp is supported)", key.Type())
 	}
 
+	// Safely convert period with bounds check (TOTP periods are typically 30s)
+	keyPeriod := key.Period()
+	if keyPeriod > 300 { // Max 5 minutes, reasonable upper bound
+		keyPeriod = 30 // Default to standard period
+	}
+
 	config := &TOTPConfig{
 		Secret:  key.Secret(),
 		Issuer:  key.Issuer(),
 		Account: key.AccountName(),
-		Period:  int(key.Period()),
+		Period:  int(keyPeriod), //nolint:gosec // bounds checked above
 		Digits:  key.Digits().Length(),
 	}
 
@@ -180,9 +186,12 @@ func ValidateTOTPSecret(secret string) error {
 		return fmt.Errorf("TOTP secret cannot be empty")
 	}
 
-	// Check for valid base32 characters (A-Z, 2-7)
+	// Check for valid base32 characters (A-Z, 2-7, =)
 	for _, c := range secret {
-		if !((c >= 'A' && c <= 'Z') || (c >= '2' && c <= '7') || c == '=') {
+		isUpperAlpha := c >= 'A' && c <= 'Z'
+		isValidDigit := c >= '2' && c <= '7'
+		isPadding := c == '='
+		if !isUpperAlpha && !isValidDigit && !isPadding {
 			return fmt.Errorf("invalid base32 character in TOTP secret: %c", c)
 		}
 	}
@@ -218,9 +227,9 @@ func GenerateTOTPCode(cred *Credential) (string, int, error) {
 		digits = otp.DigitsEight
 	}
 
-	// Determine period
+	// Determine period with bounds check (TOTP periods are typically 30s, max 5 min)
 	period := uint(30)
-	if cred.TOTPPeriod > 0 {
+	if cred.TOTPPeriod > 0 && cred.TOTPPeriod <= 300 {
 		period = uint(cred.TOTPPeriod)
 	}
 
@@ -235,9 +244,10 @@ func GenerateTOTPCode(cred *Credential) (string, int, error) {
 		return "", 0, fmt.Errorf("failed to generate TOTP code: %w", err)
 	}
 
-	// Calculate remaining validity
+	// Calculate remaining validity (period is bounds-checked above, safe to convert)
 	epoch := now.Unix()
-	remaining := int(period) - int(epoch%int64(period))
+	periodInt := int(period) //nolint:gosec // bounds checked above (max 300)
+	remaining := periodInt - int(epoch%int64(periodInt))
 
 	return code, remaining, nil
 }
