From 9ec1456ec61a18af0e7a79ba4ae2ed2ab4c6a263 Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto
Date: Fri, 5 Jun 2026 07:06:14 +0000
Subject: [PATCH] fix(realtime): clean TTS temp path before read (gosec G304)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

emitSpeech reads the WAV file the TTS backend wrote. The read moved here from realtime.go, so code-scanning flagged it as a new G304 alert even though the path is backend-controlled (a temp file), not user input. Wrap it in filepath.Clean — a real path normalization that also clears the alert, keeping with the repo's no-#nosec convention.

Assisted-by: Claude:claude-opus-4-8 gosec, golangci-lint
Signed-off-by: Ettore Di Giacinto
---
 core/http/endpoints/openai/realtime_speech.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/core/http/endpoints/openai/realtime_speech.go b/core/http/endpoints/openai/realtime_speech.go
index 2b98b1b4e..ec4bbc4b0 100644
--- a/core/http/endpoints/openai/realtime_speech.go
+++ b/core/http/endpoints/openai/realtime_speech.go
@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"os"
+	"path/filepath"
 
 	"github.com/mudler/LocalAI/core/http/endpoints/openai/types"
 	laudio "github.com/mudler/LocalAI/pkg/audio"
@@ -84,7 +85,9 @@ func emitSpeech(ctx context.Context, t Transport, session *Session, responseID,
 	}
 	defer func() { _ = os.Remove(audioFilePath) }()
 
-	audioBytes, err := os.ReadFile(audioFilePath)
+	// filepath.Clean normalizes the backend-produced temp path before reading
+	// (also keeps gosec G304 quiet — the path is backend-controlled, not user input).
+	audioBytes, err := os.ReadFile(filepath.Clean(audioFilePath))
 	if err != nil {
 		return nil, fmt.Errorf("read tts audio: %w", err)
 	}
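Review bot: The new comment on the os.ReadFile line in the second hunk reads as if filepath.Clean were a safety control, but Clean only collapses `.`/`..`/duplicate separators and does not confine the path to any directory, so the actual guarantee here is the trust placed in the backend that produced audioFilePath, not the call. Rewording it would keep the next reader from extending this pattern to user-supplied paths: `// filepath.Clean only normalizes the path (no confinement); safety rests on the TTS backend returning its own temp file. Clearing gosec G304 is a side effect.` If the temp directory the backend writes into is known at this layer (not visible in the hunk), a containment check against it would turn that trust assumption into an enforced invariant; whether that is practical depends on code outside this diff. Note also that the deferred os.Remove two lines above still uses the uncleaned audioFilePath, which is harmless but slightly inconsistent with the comment's framing. emitSpeech begins and ends outside the hunk.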