fix all gosec lint errors (#844)

d2common/d2math/d2vector/position_test.go

@@ -7,7 +7,9 @@ import (
 )
 
 func TestNewPosition(t *testing.T) {
-	x, y := rand.Intn(1000), rand.Intn(1000)
+	const maxXY = 1000
+
+	x, y := rand.Intn(maxXY), rand.Intn(maxXY) // nolint:gosec // just a test
 	locX, locY := float64(x), float64(y)
 	pos := NewPosition(locX, locY)
 

d2core/d2audio/sound_engine.go

@@ -200,7 +200,9 @@ func (s *SoundEngine) PlaySoundID(id int) *Sound {
 	entry := s.asset.Records.SelectSoundByIndex(id)
 
 	if entry.GroupSize > 0 {
-		entry = s.asset.Records.SelectSoundByIndex(entry.Index + rand.Intn(entry.GroupSize))
+		// nolint:gosec // this is client-only, no big deal if rand index isn't securely generated
+		indexOffset := rand.Intn(entry.GroupSize)
+		entry = s.asset.Records.SelectSoundByIndex(entry.Index + indexOffset)
 	}
 
 	effect, err := s.provider.LoadSound(entry.FileName, entry.Loop, entry.MusicVol)

d2core/d2audio/sound_environment.go

@@ -61,6 +61,7 @@ func (s *SoundEnvironment) Advance(elapsed float64) {
 
 		snd := s.engine.PlaySoundID(s.environment.DayEvent)
 		if snd != nil {
+			// nolint:gosec // client-side, no big deal if rand number isn't securely generated
 			pan := (rand.Float64() * 2) - 1
 			snd.SetPan(pan)
 		}

d2core/d2hero/hero_state_factory.go

@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"os"
 	"path"
+	"path/filepath"
 	"strconv"
 	"strings"
 
@@ -16,6 +17,11 @@ import (
 	"github.com/OpenDiablo2/OpenDiablo2/d2core/d2asset"
 )
 
+const (
+	mkdirPermission     = 0750
+	writefilePermission = 0600
+)
+
 // NewHeroStateFactory creates a new HeroStateFactory and initializes it.
 func NewHeroStateFactory(asset *d2asset.AssetManager) (*HeroStateFactory, error) {
 	inventoryItemFactory, err := d2inventory.NewInventoryItemFactory(asset)
@@ -180,7 +186,7 @@ func (f *HeroStateFactory) CreateTestGameState() *HeroState {
 
 // LoadHeroState loads the player state from the file
 func (f *HeroStateFactory) LoadHeroState(filePath string) *HeroState {
-	strData, err := ioutil.ReadFile(filePath)
+	strData, err := ioutil.ReadFile(filepath.Clean(filePath))
 	if err != nil {
 		return nil
 	}
@@ -239,12 +245,12 @@ func (f *HeroStateFactory) Save(state *HeroState) error {
 	if state.FilePath == "" {
 		state.FilePath = f.getFirstFreeFileName()
 	}
-	if err := os.MkdirAll(path.Dir(state.FilePath), 0755); err != nil {
+	if err := os.MkdirAll(path.Dir(state.FilePath), mkdirPermission); err != nil {
 		return err
 	}
 
 	fileJSON, _ := json.MarshalIndent(state, "", "   ")
-	if err := ioutil.WriteFile(state.FilePath, fileJSON, 0644); err != nil {
+	if err := ioutil.WriteFile(state.FilePath, fileJSON, writefilePermission); err != nil {
 		return err
 	}
 

d2core/d2item/diablo2item/item.go

@@ -387,6 +387,7 @@ func (i *Item) pickRandomAffixes(max, totalMax int,
 // SetSeed sets the item generator seed
 func (i *Item) SetSeed(seed int64) {
 	if i.rand == nil {
+		// nolint:gosec // not concerned with crypto-strong randomness
 		i.rand = rand.New(rand.NewSource(seed))
 	}
 

d2core/d2item/diablo2item/item_factory.go

@@ -73,8 +73,8 @@ type ItemFactory struct {
 // SetSeed sets the item generator seed
 func (f *ItemFactory) SetSeed(seed int64) {
 	if f.rand == nil || f.source == nil {
-		f.source = rand.NewSource(seed)
+		// nolint:gosec // we're not concerned with crypto-strong randomness
-		f.rand = rand.New(f.source)
+		f.rand = rand.New(rand.NewSource(seed))
 	}
 
 	f.Seed = seed
@@ -300,6 +300,7 @@ func (f *ItemFactory) ItemsFromTreasureClass(tcr *d2records.TreasureClassRecord)
 // ItemFromTreasure rolls for a f.rand.m item using the Treasure struct (from d2datadict)
 func (f *ItemFactory) ItemFromTreasure(treasure *d2records.Treasure) *Item {
 	result := &Item{
+		// nolint:gosec // we're not concerned with crypto-strong randomness
 		rand: rand.New(rand.NewSource(f.Seed)),
 	}
 

d2core/d2item/diablo2item/item_property.go

@@ -188,6 +188,7 @@ func (p *Property) fnValuesToStat(iscRecord *d2records.ItemStatCostRecord) d2sta
 		min, max = max, min
 	}
 
+	// nolint:gosec // not concerned with crypto-strong randomness
 	statValue = float64(rand.Intn(max-min+1) + min)
 
 	return p.factory.stat.NewStat(iscRecord.Name, statValue, propParam)
@@ -204,6 +205,7 @@ func (p *Property) fnComputeInteger() int {
 		min, max = p.inputParams[0], p.inputParams[1]
 	}
 
+	// nolint:gosec // not concerned with crypto-strong randomness
 	statValue := rand.Intn(max-min+1) + min
 
 	return statValue
@@ -243,6 +245,8 @@ func (p *Property) fnClassSkillTab(iscRecord *d2records.ItemStatCostRecord) d2st
 	param, min, max := p.inputParams[0], p.inputParams[1], p.inputParams[2]
 	skillTabIdx := float64(param % skillTabsPerClass)
 	classIdx := float64(param / skillTabsPerClass)
+
+	// nolint:gosec // not concerned with crypto-strong randomness
 	level := float64(rand.Intn(max-min+1) + min)
 
 	return p.factory.stat.NewStat(iscRecord.Name, level, classIdx, skillTabIdx)
@@ -276,6 +280,7 @@ func (p *Property) fnRandomSkill(iscRecord *d2records.ItemStatCostRecord) d2stat
 	default:
 		skillLevel = float64(p.inputParams[0])
 		min, max := p.inputParams[1], p.inputParams[2]
+		// nolint:gosec // not concerned with crypto-strong randomness
 		skillID = float64(rand.Intn(max-min+1) + min)
 	}
 
@@ -320,6 +325,7 @@ func (p *Property) fnBoolean() bool {
 		min, max = p.inputParams[0], p.inputParams[1]
 	}
 
+	// nolint:gosec // not concerned with crypto-strong randomness
 	statValue := rand.Intn(max-min+1) + min
 
 	return statValue > 0
@@ -346,6 +352,7 @@ func (p *Property) fnClassSkills(
 		min, max = p.inputParams[0], p.inputParams[1]
 	}
 
+	// nolint:gosec // not concerned with crypto-strong randomness
 	statValue := rand.Intn(max-min+1) + min
 	classIdx = propStatRecord.Value
 
@@ -353,12 +360,12 @@ func (p *Property) fnClassSkills(
 }
 
 // fnStateApplyToTarget property applied to character or target monster ???
-func (p *Property) fnStateApplyToTarget(iscRecord *d2records.ItemStatCostRecord) d2stats.Stat {
+func (p *Property) fnStateApplyToTarget(_ *d2records.ItemStatCostRecord) d2stats.Stat {
 	// https://github.com/OpenDiablo2/OpenDiablo2/issues/818
 	return nil
 }
 
 // fnRandClassSkill property applied to character or target monster ???
-func (p *Property) fnRandClassSkill(iscRecord *d2records.ItemStatCostRecord) d2stats.Stat {
+func (p *Property) fnRandClassSkill(_ *d2records.ItemStatCostRecord) d2stats.Stat {
 	return nil
 }

d2core/d2map/d2mapentity/npc.go

@@ -38,6 +38,7 @@ const (
 
 func selectEquip(slice []string) string {
 	if len(slice) != 0 {
+		// nolint:gosec // not concerned with crypto-strong randomness
 		return slice[rand.Intn(len(slice))]
 	}
 
@@ -120,6 +121,8 @@ func (v *NPC) next() {
 	var newAnimationMode d2enum.MonsterAnimationMode
 
 	v.isDone = true
+
+	// nolint:gosec // not concerned with crypto-strong randomness
 	v.repetitions = minAnimationRepetitions + rand.Intn(maxAnimationRepetitions)
 
 	switch d2enum.NPCActionType(v.action) {

d2core/d2map/d2mapentity/object.go

@@ -52,6 +52,7 @@ func (ob *Object) setMode(animationMode d2enum.ObjectAnimationMode, direction in
 	ob.composite.SetCurrentFrame(ob.objectRecord.StartFrame[animationMode])
 
 	if randomFrame {
+		// nolint:gosec // not concerned with crypto-strong randomness
 		n := rand.Intn(frameCount)
 		ob.composite.SetCurrentFrame(n)
 	}
@@ -80,7 +81,7 @@ func (ob *Object) Render(target d2interface.Surface) {
 	renderOffset := ob.Position.RenderOffset()
 	target.PushTranslation(
 		int((renderOffset.X()-renderOffset.Y())*subtileWidth),
-		int(((renderOffset.X() + renderOffset.Y()) * subtileHeight)),
+		int((renderOffset.X()+renderOffset.Y())*subtileHeight),
 	)
 
 	if ob.highlight {

d2core/d2map/d2mapentity/object_init.go

@@ -47,7 +47,8 @@ func initWaypoint(ob *Object) error {
 
 // Randomly spawns in either NU or OP
 func initTorchRnd(ob *Object) error {
-	n := rand.Intn(2)
+	const coinToss = 2
+	n := rand.Intn(coinToss) // nolint:gosec // not concerned with crypto-strong randomness
 
 	if n > 0 {
 		return ob.setMode(d2enum.ObjectAnimationModeNeutral, 0, true)

d2core/d2map/d2mapgen/act1_overworld.go

@@ -80,6 +80,7 @@ func (g *MapGenerator) GenerateAct1Overworld() {
 	}
 }
 
+// nolint:gosec // we're not concerned with crypto-strong randomness
 func (g *MapGenerator) generateWilderness1TownEast(startX, startY int) {
 	levelDetails := g.asset.Records.GetLevelDetails(wildernessDetailsRecordID)
 
@@ -145,6 +146,7 @@ func (g *MapGenerator) generateWilderness1TownEast(startX, startY int) {
 	g.engine.PlaceStamp(fenceSouthEastStamp, startX+levelDetails.SizeXNormal, startY+levelDetails.SizeYNormal+6)
 }
 
+// nolint:gosec // we're not concerned with crypto-strong randomness
 func (g *MapGenerator) generateWilderness1TownSouth(startX, startY int) {
 	levelDetails := g.asset.Records.GetLevelDetails(wildernessDetailsRecordID)
 
@@ -198,6 +200,7 @@ func (g *MapGenerator) generateWilderness1TownSouth(startX, startY int) {
 	g.engine.PlaceStamp(fenceWaterBorderSouthEast, startX+(9*9)-4, startY+(8*9)+1)
 }
 
+// nolint:gosec // we're not concerned with crypto-strong randomness
 func (g *MapGenerator) generateWilderness1TownWest(startX, startY int) {
 	levelDetails := g.asset.Records.GetLevelDetails(wildernessDetailsRecordID)
 
@@ -264,6 +267,7 @@ func (g *MapGenerator) generateWilderness1TownWest(startX, startY int) {
 	g.generateWilderness1Contents(areaRect)
 }
 
+// nolint:gosec // we're not concerned with crypto-strong randomness
 func (g *MapGenerator) generateWilderness1Contents(rect d2geom.Rectangle) {
 	levelDetails := g.asset.Records.GetLevelDetails(wildernessDetailsRecordID)