Summary
While reviewing the codebase, I found several issues that should be addressed:
Issues Found
1. Critical: Format String Security Vulnerabilities
File: blast.go (lines 241, 248), requester/report.go (line 120)
Issue: Non-constant format strings passed to fmt.Fprintf can cause security vulnerabilities
Impact: Fails to compile with modern Go security checks
// Current (vulnerable)
fmt.Fprintf(os.Stderr, msg)
// Should be
fmt.Fprint(os.Stderr, msg)

2. Bug: Division by Zero Panic
File: requester/report.go - finalize() method
Issue: When all requests fail, len(r.lats) is 0, causing panic
Impact: Application crashes instead of graceful error handling
// Current (will panic)
r.average = r.avgTotal / float64(len(r.lats))
// Should check
if len(r.lats) > 0 {
    r.average = r.avgTotal / float64(len(r.lats))
}

3. Enhancement: Deprecated io/ioutil Package
Issue: Using deprecated io/ioutil (deprecated since Go 1.16)
Should use: io and os packages directly
// Old
ioutil.ReadFile()
// New
os.ReadFile()

4. Code Quality: Redundant fmt.Sprintf
File: blast.go
Issue: fmt.Fprint(os.Stderr, fmt.Sprintf(...)) is redundant
Should be: fmt.Fprintf(os.Stderr, ...)
Proposed Solution
I'd like to contribute fixes for these issues. Would you prefer:
- Option A: One comprehensive PR addressing all issues
- Option B: Separate PRs for each category (security, bugs, deprecations)
- Option C: Just the critical/high-priority fixes
I can provide test cases and detailed documentation for each fix.
Environment
- Go version: 1.25.4
- OS: Arch Linux
- Detection: Built-in go vet and compiler errors - No external linters installed
Let me know your preference and I'll prepare the PR(s) accordingly!
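The two behaviours the report describes, a message used as a format string and an average computed over an empty latency slice, can be reproduced side by side with their fixes. The following is an added example written for this page, not code from the project or from the issue author. The `report` type, `finalizeUnguarded`, `finalizeGuarded`, `renderAsFormat`, `renderAsValue` and `writeError` are constructed stand-ins that mirror only the fields and calls the issue names (`lats`, `avgTotal`, `average`, `fmt.Fprintf`/`fmt.Fprint`); `sprintfFn` is an indirection used only so the file passes the `go vet` printf check that the direct call would fail.

```go
package main

import (
	"fmt"
	"io"
	"math"
	"os"
)

// report is a constructed stand-in for the fields the issue names in
// requester/report.go; it is not the project's own type.
type report struct {
	lats     []float64 // latencies of successful requests
	avgTotal float64   // running sum of those latencies
	average  float64
}

// finalizeUnguarded mirrors the division the issue quotes. When every
// request failed, lats is empty. With the gc toolchain a runtime float64
// 0/0 does not panic but yields NaN, which then propagates silently into
// the printed report, so the result is wrong either way.
func (r *report) finalizeUnguarded() float64 {
	r.average = r.avgTotal / float64(len(r.lats))
	return r.average
}

// finalizeGuarded is the fix the issue proposes: divide only when there
// are samples, and tell the caller when there were none so it can report
// that explicitly instead of printing a meaningless number.
func (r *report) finalizeGuarded() (avg float64, ok bool) {
	if len(r.lats) == 0 {
		r.average = 0
		return 0, false
	}
	r.average = r.avgTotal / float64(len(r.lats))
	return r.average, true
}

// sprintfFn holds fmt.Sprintf behind a variable so this file compiles
// under go vet's printf check; a direct fmt.Sprintf(msg) with a
// non-constant msg is exactly the pattern the checker rejects.
var sprintfFn = fmt.Sprintf

// renderAsFormat reproduces the flagged pattern from blast.go: the
// message itself is the format string, so any '%' in it is parsed as a
// verb and the output is corrupted (or reflects attacker-chosen text).
func renderAsFormat(msg string) string {
	return sprintfFn(msg)
}

// renderAsValue is the proposed fix: the message is an argument, printed
// verbatim whatever characters it contains.
func renderAsValue(msg string) string {
	return fmt.Sprint(msg)
}

// writeError is how the fixed call site looks: Fprint with the message as
// a value, never Fprintf with the message as the format.
func writeError(w io.Writer, msg string) {
	fmt.Fprint(w, msg)
}

func main() {
	// Constructed inputs: a message containing a percent sign, and an
	// empty result set as happens when every request fails.
	msg := "error: upstream returned 50%s"
	fmt.Println("as format:", renderAsFormat(msg))
	fmt.Println("as value: ", renderAsValue(msg))

	empty := &report{}
	fmt.Println("unguarded average is NaN:", math.IsNaN(empty.finalizeUnguarded()))
	if avg, ok := empty.finalizeGuarded(); !ok {
		writeError(os.Stderr, "no successful requests; average undefined\n")
	} else {
		fmt.Println("average:", avg)
	}
}
```

Running the program prints the `%!s(MISSING)` artefact for the format-string version and the untouched message for the value version, and shows the empty report producing NaN before the guard and a clear "no successful requests" line after it.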