update/fix lints

Signed-off-by: cpanato <ctadeu@gmail.com>

command/command.go

@@ -58,7 +58,7 @@ type Status struct {
 }
 
 // Stream combines standard output and error
-type Stream struct {
+type Stream struct { //nolint: errname
 	stdOut string
 	stdErr string
 }
@@ -195,7 +195,7 @@ func (c *Command) RunSuccessOutput() (output *Stream, err error) {
 // RunSuccess starts the command and waits for it to finish. It returns an
 // error if the command execution was not successful.
 func (c *Command) RunSuccess() error {
-	_, err := c.RunSuccessOutput() // nolint: errcheck
+	_, err := c.RunSuccessOutput() //nolint: errcheck
 	return err
 }
 
@@ -242,7 +242,7 @@ func (c *Command) RunSilentSuccessOutput() (output *Stream, err error) {
 // an error if the command execution was not successful. This method does not
 // print the output of the command during its execution.
 func (c *Command) RunSilentSuccess() error {
-	_, err := c.RunSilentSuccessOutput() // nolint: errcheck
+	_, err := c.RunSilentSuccessOutput() //nolint: errcheck
 	return err
 }
 

command/global.go

@@ -26,7 +26,7 @@ var atomicInt int32
 
 // SetGlobalVerbose sets the global command verbosity to the specified value
 func SetGlobalVerbose(to bool) {
-	var i int32 = 0
+	var i int32
 	if to {
 		i = 1
 	}

editor/editor.go

@@ -101,7 +101,7 @@ func (e Editor) args(path string) []string {
 		last := args[len(args)-1]
 		args[len(args)-1] = fmt.Sprintf("%s %q", last, path)
 	} else {
-		args = append(args, path) // nolint: makezero
+		args = append(args, path) //nolint: makezero
 	}
 	return args
 }
@@ -117,7 +117,8 @@ func (e Editor) Launch(path string) error {
 		return err
 	}
 	args := e.args(abs)
-	cmd := exec.Command(args[0], args[1:]...)
+	// TODO: check to validate the args and maybe sabitize those
+	cmd := exec.Command(args[0], args[1:]...) //nolint: gosec
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	cmd.Stdin = os.Stdin

hash/hash.go

@@ -17,7 +17,7 @@ limitations under the License.
 package hash
 
 import (
-	"crypto/sha1"
+	"crypto/sha1" //nolint: gosec
 	"crypto/sha256"
 	"crypto/sha512"
 	"encoding/hex"
@@ -41,8 +41,9 @@ func SHA256ForFile(filename string) (string, error) {
 }
 
 // SHA1ForFile returns the hex-encoded sha1 hash for the provided filename.
+// TODO: check if we can remove this function
 func SHA1ForFile(filename string) (string, error) {
-	return ForFile(filename, sha1.New())
+	return ForFile(filename, sha1.New()) //nolint: gosec
 }
 
 // ForFile returns the hex-encoded hash for the provided filename and hasher.

hash/hash_test.go

@@ -17,7 +17,7 @@ limitations under the License.
 package hash_test
 
 import (
-	"crypto/sha1"
+	"crypto/sha1" //nolint: gosec
 	"crypto/sha256"
 	"hash"
 	"os"
@@ -154,7 +154,7 @@ func TestForFile(t *testing.T) {
 				_, err = f.WriteString("test")
 				require.Nil(t, err)
 
-				return f.Name(), sha1.New()
+				return f.Name(), sha1.New() //nolint: gosec
 			},
 			expected:    "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
 			shouldError: false,

tar/tar.go

@@ -141,13 +141,19 @@ func Extract(tarFilePath, destinationPath string) error {
 		func(reader *tar.Reader, header *tar.Header) (stop bool, err error) {
 			switch header.Typeflag {
 			case tar.TypeDir:
-				targetDir := filepath.Join(destinationPath, header.Name)
+				targetDir, err := SanitizeArchivePath(destinationPath, header.Name)
+				if err != nil {
+					return false, fmt.Errorf("SanitizeArchivePath: %w", err)
+				}
 				logrus.Tracef("Creating directory %s", targetDir)
 				if err := os.MkdirAll(targetDir, os.FileMode(0o755)); err != nil {
 					return false, fmt.Errorf("create target directory: %w", err)
 				}
 			case tar.TypeSymlink:
-				targetFile := filepath.Join(destinationPath, header.Name)
+				targetFile, err := SanitizeArchivePath(destinationPath, header.Name)
+				if err != nil {
+					return false, fmt.Errorf("SanitizeArchivePath: %w", err)
+				}
 				logrus.Tracef(
 					"Creating symlink %s -> %s", header.Linkname, targetFile,
 				)
@@ -161,8 +167,11 @@ func Extract(tarFilePath, destinationPath string) error {
 				}
 				// tar.TypeRegA has been deprecated since Go 1.11
 				// should we just remove?
-			case tar.TypeReg, tar.TypeRegA: //nolint: staticcheck
-				targetFile := filepath.Join(destinationPath, header.Name)
+			case tar.TypeReg:
+				targetFile, err := SanitizeArchivePath(destinationPath, header.Name)
+				if err != nil {
+					return false, fmt.Errorf("SanitizeArchivePath: %w", err)
+				}
 				logrus.Tracef("Creating file %s", targetFile)
 
 				if err := os.MkdirAll(
@@ -196,6 +205,17 @@ func Extract(tarFilePath, destinationPath string) error {
 	)
 }
 
+// Sanitize archive file pathing from "G305: Zip Slip vulnerability"
+// https://security.snyk.io/research/zip-slip-vulnerability
+func SanitizeArchivePath(d, t string) (v string, err error) {
+	v = filepath.Join(d, t)
+	if strings.HasPrefix(v, filepath.Clean(d)) {
+		return v, nil
+	}
+
+	return "", fmt.Errorf("%s: %s", "content filepath is tainted", t)
+}
+
 // ReadFileFromGzippedTar opens a tarball and reads contents of a file inside.
 func ReadFileFromGzippedTar(
 	tarPath, filePath string,

util/common.go

@@ -39,10 +39,10 @@ const (
 )
 
 var (
-	regexpCRLF       *regexp.Regexp = regexp.MustCompile(`\015$`)
-	regexpCtrlChar   *regexp.Regexp = regexp.MustCompile(`\x1B[\[(](\d{1,2}(;\d{1,2})?)?[mKB]`)
-	regexpOauthToken *regexp.Regexp = regexp.MustCompile(`[a-f0-9]{40}:x-oauth-basic`)
-	regexpGitToken   *regexp.Regexp = regexp.MustCompile(`git:[a-f0-9]{35,40}@github\.com`)
+	regexpCRLF       = regexp.MustCompile(`\015$`)
+	regexpCtrlChar   = regexp.MustCompile(`\x1B[\[(](\d{1,2}(;\d{1,2})?)?[mKB]`)
+	regexpOauthToken = regexp.MustCompile(`[a-f0-9]{40}:x-oauth-basic`)
+	regexpGitToken   = regexp.MustCompile(`git:[a-f0-9]{35,40}@github\.com`)
 )
 
 // UserInputError a custom error to handle more user input info

util/common_test.go

@@ -459,7 +459,7 @@ func TestTrimTagPrefix(t *testing.T) {
 }
 
 func TestWrapText(t *testing.T) {
-	//nolint
+	//nolint: misspell
 	longText := `Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut molestie accumsan orci, id congue nibh sollicitudin in. Nulla condimentum arcu eu est hendrerit tempus. Nunc risus nibh, aliquam in ultrices fringilla, aliquet ac purus. Aenean non nibh magna. Nunc lacinia suscipit malesuada. Vivamus porta a leo vel ornare. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Morbi pellentesque orci magna, sed semper nulla fringilla at. Nam elementum ipsum maximus lectus tempor faucibus. Donec eu enim nulla. Integer egestas venenatis tristique. Curabitur id purus sem. Vivamus nec mollis lorem.`
 	wrappedText := "Lorem ipsum dolor sit amet, consectetur\n"
 	wrappedText += "adipiscing elit. Ut molestie accumsan\n"
@@ -471,7 +471,7 @@ func TestWrapText(t *testing.T) {
 	wrappedText += "suscipit malesuada. Vivamus porta a leo\n"
 	wrappedText += "vel ornare. Orci varius natoque\n"
 	wrappedText += "penatibus et magnis dis parturient\n"
-	wrappedText += "montes, nascetur ridiculus mus. Morbi\n" //nolint
+	wrappedText += "montes, nascetur ridiculus mus. Morbi\n" //nolint: misspell
 	wrappedText += "pellentesque orci magna, sed semper\n"
 	wrappedText += "nulla fringilla at. Nam elementum ipsum\n"
 	wrappedText += "maximus lectus tempor faucibus. Donec eu\n"
@@ -538,7 +538,7 @@ func TestCleanLogFile(t *testing.T) {
 	line5 := "\nControl Chars: "
 
 	// Create a token line
-	originalTokenLine := "7aa33bd2186c40849c4c2df321241e241def98ca:x-oauth-basic"
+	originalTokenLine := "7aa33bd2186c40849c4c2df321241e241def98ca:x-oauth-basic" //nolint: gosec
 	sanitizedTokenLine := string(StripSensitiveData([]byte(originalTokenLine)))
 	require.NotEqual(t, originalTokenLine, sanitizedTokenLine)