
Commit fcfe79a

committed
fix gosec error
1 parent 74a2569 commit fcfe79a


2 files changed

+29
-2
lines changed


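--- a/.golangci-warnings.yml
+++ b/.golangci-warnings.yml
@@ -12,7 +12,7 @@ linters:
   custom:
     partitiontest:
       type: "module"
-      description: This custom linter checks files that end in '_test.go', specifically functions that start with 'Test' and have testing argument, for a line 'partitiontest.ParitionTest(<testing arg>)'
+      description: This custom linter ensures test functions call 'partitiontest.PartitionTest(t)'
   exclusions:
     generated: lax
     rules: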

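--- a/cmd/nodecfg/untar.go
+++ b/cmd/nodecfg/untar.go
@@ -19,9 +19,11 @@ package main
 import (
 	"archive/tar"
 	"compress/gzip"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 // UncompressFile takes the name of a tar/gz archive file and expands
@@ -45,6 +47,7 @@ func Uncompress(r io.Reader, dst string) error {
 	defer gzr.Close()
 
 	tr := tar.NewReader(gzr)
+	baseDir := filepath.Clean(dst)
 
 	for {
 		header, err := tr.Next()
@@ -65,7 +68,10 @@ func Uncompress(r io.Reader, dst string) error {
 		}
 
 		// the target location where the dir/file should be created
-		target := filepath.Join(dst, header.Name) //nolint:gosec // only used with trusted testing config data
+		target, err := resolveEntryPath(baseDir, header.Name)
+		if err != nil {
+			return err
+		}
 
 		// the following switch could also be done using fi.Mode(), not sure if there
 		// a benefit of using one vs. the other.
@@ -100,3 +106,24 @@ func Uncompress(r io.Reader, dst string) error {
 		}
 	}
 }
+
+func resolveEntryPath(destination, headerName string) (string, error) {
+	cleanDest := filepath.Clean(destination)
+	cleanName := filepath.Clean(headerName)
+
+	if filepath.IsAbs(cleanName) {
+		return "", fmt.Errorf("tar entry %q: absolute paths are not supported", headerName)
+	}
+
+	target := filepath.Join(cleanDest, cleanName)
+	rel, err := filepath.Rel(cleanDest, target)
+	if err != nil {
+		return "", fmt.Errorf("tar entry %q: %w", headerName, err)
+	}
+
+	if rel == ".." || strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
+		return "", fmt.Errorf("tar entry %q: invalid path", headerName)
+	}
+
+	return target, nil
+}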
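Review bot: resolveEntryPath validates only header.Name, so if the switch in Uncompress (its body lies outside these hunks) creates tar.TypeSymlink or tar.TypeLink entries, header.Linkname is never checked and a link can still resolve outside baseDir; the same containment check should be applied to the link target, or those entry types skipped. The new function also has no doc comment; suggested: `// resolveEntryPath joins headerName onto destination and returns the resulting path, or an error if the entry is absolute or would escape destination.` If go.mod permits Go 1.20 or later, `filepath.IsLocal(cleanName)` covers the absolute-path and `..` checks in one call and additionally rejects Windows reserved names. The filepath.Clean of destination at the top of resolveEntryPath repeats the cleaning already done when baseDir is declared, so one of the two can go.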
