[PR #170] [MERGED] audit: fix 7 code quality and security issues #332

New issue

Closed

opened 2026-02-26 21:34:36 +03:00 by kerem · 0 comments

kerem commented

2026-02-26 21:34:36 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/rudrankriyam/App-Store-Connect-CLI/pull/170
Author: @rudrankriyam
Created: 1/25/2026
Status: ✅ Merged
Merged: 1/25/2026
Merged by: @rudrankriyam

Base: main ← Head: audit-fixes-2026-01

📝 Commits (3)

95fbd2e audit: fix 7 code quality and security issues
1788a80 Fix upload client transport clone
d5d803a Merge pull request #171 from rudrankriyam/cursor/upload-client-transport-assertion-e023

📊 Changes

5 files changed (+63 additions, -55 deletions)

View changed files

📝 cmd/shared.go (+1 -1)
📝 internal/asc/client_core.go (+3 -6)
📝 internal/asc/client_http.go (+3 -0)
📝 internal/asc/client_pagination.go (+40 -46)
📝 internal/asc/upload.go (+16 -2)

📄 Description

Summary

Fixes 7 audit issues addressing code quality and security improvements.

Issues Fixed

Issue	Description	Severity
#160	Remove deprecated `rand.Seed` usage (Go 1.20+ auto-seeds)	Critical
#161	Create dedicated HTTP client for uploads with cloned transport	Critical
#162	Add nil check for cfg in resolveAppID to prevent panic	High
#163	Empty path validation already present in config functions	-
#164	Safe type assertions with error handling in pagination	Critical
#165	Add nil check to IsUnauthorized helper	Medium
#167	Reduce JWT token lifetime from 20m to 10m	Low

Changes

client_core.go: Removed deprecated rand.Seed, reduced JWT lifetime to 10m
upload.go: Created dedicated newUploadClient() with cloned transport
shared.go: Added nil check for cfg in resolveAppID()
client_pagination.go: Refactored with reflection for cleaner, safer type assertions
client_http.go: Added nil check to IsUnauthorized()

Testing

All tests pass
Linting passes
Build succeeds

🤖 Generated with Claude Code

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/rudrankriyam/App-Store-Connect-CLI/pull/170 **Author:** [@rudrankriyam](https://github.com/rudrankriyam) **Created:** 1/25/2026 **Status:** ✅ Merged **Merged:** 1/25/2026 **Merged by:** [@rudrankriyam](https://github.com/rudrankriyam) **Base:** `main` ← **Head:** `audit-fixes-2026-01` --- ### 📝 Commits (3) - [`95fbd2e`](https://github.com/rudrankriyam/App-Store-Connect-CLI/commit/95fbd2ee1009e014a894781c3f61fe9d194abf81) audit: fix 7 code quality and security issues - [`1788a80`](https://github.com/rudrankriyam/App-Store-Connect-CLI/commit/1788a80f8e38e9af8859a857eec9a19a5a6c51ab) Fix upload client transport clone - [`d5d803a`](https://github.com/rudrankriyam/App-Store-Connect-CLI/commit/d5d803a2bd053f488a0442ea49bca18592e55175) Merge pull request #171 from rudrankriyam/cursor/upload-client-transport-assertion-e023 ### 📊 Changes **5 files changed** (+63 additions, -55 deletions) <details> <summary>View changed files</summary> 📝 `cmd/shared.go` (+1 -1) 📝 `internal/asc/client_core.go` (+3 -6) 📝 `internal/asc/client_http.go` (+3 -0) 📝 `internal/asc/client_pagination.go` (+40 -46) 📝 `internal/asc/upload.go` (+16 -2) </details> ### 📄 Description ## Summary Fixes 7 audit issues addressing code quality and security improvements. ## Issues Fixed | Issue | Description | Severity | |-------|-------------|----------| | #160 | Remove deprecated `rand.Seed` usage (Go 1.20+ auto-seeds) | Critical | | #161 | Create dedicated HTTP client for uploads with cloned transport | Critical | | #162 | Add nil check for cfg in resolveAppID to prevent panic | High | | #163 | Empty path validation already present in config functions | - | | #164 | Safe type assertions with error handling in pagination | Critical | | #165 | Add nil check to IsUnauthorized helper | Medium | | #167 | Reduce JWT token lifetime from 20m to 10m | Low | ## Changes - **client_core.go**: Removed deprecated `rand.Seed`, reduced JWT lifetime to 10m - **upload.go**: Created dedicated `newUploadClient()` with cloned transport - **shared.go**: Added nil check for cfg in `resolveAppID()` - **client_pagination.go**: Refactored with reflection for cleaner, safer type assertions - **client_http.go**: Added nil check to `IsUnauthorized()` ## Testing - All tests pass - Linting passes - Build succeeds 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>