fix: resolve gosec findings G112 and G602

G112 (Slowloris): add ReadHeaderTimeout: 10s to http.Server G602 (slice bounds): use explicit bounds-safe index for backoff slice (attempt is guarded but gosec can't prove it statically) Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-04-05 23:03:47 +02:00 · 2026-04-05 23:03:47 +02:00 · 6db500235b
commit 6db500235b
parent 5f7dd7462d
2 changed files with 8 additions and 3 deletions
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@ -63,8 +63,9 @@ func run() error {
 	r.Post("/api/ghl/v1/webhook/uninstall", webhookHandler.HandleUninstall)

 	srv := &http.Server{
-		Addr:    ":" + cfg.Port,
-		Handler: r,
+		Addr:              ":" + cfg.Port,
+		Handler:           r,
+		ReadHeaderTimeout: 10 * time.Second,
 	}

 	go func() {
--- a/internal/cast/client.go
+++ b/internal/cast/client.go
@ -53,7 +53,11 @@ func (c *Client) SendSMS(ctx context.Context, to, message string) (*SendResponse
 			if attempt == maxRetries {
 				return nil, &CastAPIError{StatusCode: resp.StatusCode, APIError: "rate limited, max retries exceeded"}
 			}
-			wait := backoff[attempt]
+			idx := attempt
+			if idx >= len(backoff) {
+				idx = len(backoff) - 1
+			}
+			wait := backoff[idx]
 			if ra := resp.Header.Get("Retry-After"); ra != "" {
 				if secs, err := strconv.ParseFloat(ra, 64); err == nil {
 					wait = time.Duration(secs * float64(time.Second))