diff --git a/command/command.go b/command/command.go index 690399a..bfb85d8 100644 --- a/command/command.go +++ b/command/command.go @@ -58,7 +58,7 @@ type Status struct { } // Stream combines standard output and error -type Stream struct { +type Stream struct { //nolint: errname stdOut string stdErr string } @@ -195,7 +195,7 @@ func (c *Command) RunSuccessOutput() (output *Stream, err error) { // RunSuccess starts the command and waits for it to finish. It returns an // error if the command execution was not successful. func (c *Command) RunSuccess() error { - _, err := c.RunSuccessOutput() // nolint: errcheck + _, err := c.RunSuccessOutput() //nolint: errcheck return err } @@ -242,7 +242,7 @@ func (c *Command) RunSilentSuccessOutput() (output *Stream, err error) { // an error if the command execution was not successful. This method does not // print the output of the command during its execution. func (c *Command) RunSilentSuccess() error { - _, err := c.RunSilentSuccessOutput() // nolint: errcheck + _, err := c.RunSilentSuccessOutput() //nolint: errcheck return err } diff --git a/command/global.go b/command/global.go index d75387f..687e707 100644 --- a/command/global.go +++ b/command/global.go @@ -26,7 +26,7 @@ var atomicInt int32 // SetGlobalVerbose sets the global command verbosity to the specified value func SetGlobalVerbose(to bool) { - var i int32 = 0 + var i int32 if to { i = 1 } diff --git a/editor/editor.go b/editor/editor.go index 52de712..db0d61e 100644 --- a/editor/editor.go +++ b/editor/editor.go @@ -101,7 +101,7 @@ func (e Editor) args(path string) []string { last := args[len(args)-1] args[len(args)-1] = fmt.Sprintf("%s %q", last, path) } else { - args = append(args, path) // nolint: makezero + args = append(args, path) //nolint: makezero } return args } @@ -117,7 +117,8 @@ func (e Editor) Launch(path string) error { return err } args := e.args(abs) - cmd := exec.Command(args[0], args[1:]...) + // TODO: check to validate the args and maybe sabitize those + cmd := exec.Command(args[0], args[1:]...) //nolint: gosec cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr cmd.Stdin = os.Stdin diff --git a/hash/hash.go b/hash/hash.go index 1c0d6b6..2cdde6f 100644 --- a/hash/hash.go +++ b/hash/hash.go @@ -17,7 +17,7 @@ limitations under the License. package hash import ( - "crypto/sha1" + "crypto/sha1" //nolint: gosec "crypto/sha256" "crypto/sha512" "encoding/hex" @@ -41,8 +41,9 @@ func SHA256ForFile(filename string) (string, error) { } // SHA1ForFile returns the hex-encoded sha1 hash for the provided filename. +// TODO: check if we can remove this function func SHA1ForFile(filename string) (string, error) { - return ForFile(filename, sha1.New()) + return ForFile(filename, sha1.New()) //nolint: gosec } // ForFile returns the hex-encoded hash for the provided filename and hasher. diff --git a/hash/hash_test.go b/hash/hash_test.go index bfc9aa9..3d5043d 100644 --- a/hash/hash_test.go +++ b/hash/hash_test.go @@ -17,7 +17,7 @@ limitations under the License. package hash_test import ( - "crypto/sha1" + "crypto/sha1" //nolint: gosec "crypto/sha256" "hash" "os" @@ -154,7 +154,7 @@ func TestForFile(t *testing.T) { _, err = f.WriteString("test") require.Nil(t, err) - return f.Name(), sha1.New() + return f.Name(), sha1.New() //nolint: gosec }, expected: "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", shouldError: false, diff --git a/tar/tar.go b/tar/tar.go index a326c8a..470f85b 100644 --- a/tar/tar.go +++ b/tar/tar.go @@ -141,13 +141,19 @@ func Extract(tarFilePath, destinationPath string) error { func(reader *tar.Reader, header *tar.Header) (stop bool, err error) { switch header.Typeflag { case tar.TypeDir: - targetDir := filepath.Join(destinationPath, header.Name) + targetDir, err := SanitizeArchivePath(destinationPath, header.Name) + if err != nil { + return false, fmt.Errorf("SanitizeArchivePath: %w", err) + } logrus.Tracef("Creating directory %s", targetDir) if err := os.MkdirAll(targetDir, os.FileMode(0o755)); err != nil { return false, fmt.Errorf("create target directory: %w", err) } case tar.TypeSymlink: - targetFile := filepath.Join(destinationPath, header.Name) + targetFile, err := SanitizeArchivePath(destinationPath, header.Name) + if err != nil { + return false, fmt.Errorf("SanitizeArchivePath: %w", err) + } logrus.Tracef( "Creating symlink %s -> %s", header.Linkname, targetFile, ) @@ -161,8 +167,11 @@ func Extract(tarFilePath, destinationPath string) error { } // tar.TypeRegA has been deprecated since Go 1.11 // should we just remove? - case tar.TypeReg, tar.TypeRegA: //nolint: staticcheck - targetFile := filepath.Join(destinationPath, header.Name) + case tar.TypeReg: + targetFile, err := SanitizeArchivePath(destinationPath, header.Name) + if err != nil { + return false, fmt.Errorf("SanitizeArchivePath: %w", err) + } logrus.Tracef("Creating file %s", targetFile) if err := os.MkdirAll( @@ -196,6 +205,17 @@ func Extract(tarFilePath, destinationPath string) error { ) } +// Sanitize archive file pathing from "G305: Zip Slip vulnerability" +// https://security.snyk.io/research/zip-slip-vulnerability +func SanitizeArchivePath(d, t string) (v string, err error) { + v = filepath.Join(d, t) + if strings.HasPrefix(v, filepath.Clean(d)) { + return v, nil + } + + return "", fmt.Errorf("%s: %s", "content filepath is tainted", t) +} + // ReadFileFromGzippedTar opens a tarball and reads contents of a file inside. func ReadFileFromGzippedTar( tarPath, filePath string, diff --git a/util/common.go b/util/common.go index af5a638..29b8646 100644 --- a/util/common.go +++ b/util/common.go @@ -39,10 +39,10 @@ const ( ) var ( - regexpCRLF *regexp.Regexp = regexp.MustCompile(`\015$`) - regexpCtrlChar *regexp.Regexp = regexp.MustCompile(`\x1B[\[(](\d{1,2}(;\d{1,2})?)?[mKB]`) - regexpOauthToken *regexp.Regexp = regexp.MustCompile(`[a-f0-9]{40}:x-oauth-basic`) - regexpGitToken *regexp.Regexp = regexp.MustCompile(`git:[a-f0-9]{35,40}@github\.com`) + regexpCRLF = regexp.MustCompile(`\015$`) + regexpCtrlChar = regexp.MustCompile(`\x1B[\[(](\d{1,2}(;\d{1,2})?)?[mKB]`) + regexpOauthToken = regexp.MustCompile(`[a-f0-9]{40}:x-oauth-basic`) + regexpGitToken = regexp.MustCompile(`git:[a-f0-9]{35,40}@github\.com`) ) // UserInputError a custom error to handle more user input info diff --git a/util/common_test.go b/util/common_test.go index 7458394..90aa25d 100644 --- a/util/common_test.go +++ b/util/common_test.go @@ -459,7 +459,7 @@ func TestTrimTagPrefix(t *testing.T) { } func TestWrapText(t *testing.T) { - //nolint + //nolint: misspell longText := `Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut molestie accumsan orci, id congue nibh sollicitudin in. Nulla condimentum arcu eu est hendrerit tempus. Nunc risus nibh, aliquam in ultrices fringilla, aliquet ac purus. Aenean non nibh magna. Nunc lacinia suscipit malesuada. Vivamus porta a leo vel ornare. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Morbi pellentesque orci magna, sed semper nulla fringilla at. Nam elementum ipsum maximus lectus tempor faucibus. Donec eu enim nulla. Integer egestas venenatis tristique. Curabitur id purus sem. Vivamus nec mollis lorem.` wrappedText := "Lorem ipsum dolor sit amet, consectetur\n" wrappedText += "adipiscing elit. Ut molestie accumsan\n" @@ -471,7 +471,7 @@ func TestWrapText(t *testing.T) { wrappedText += "suscipit malesuada. Vivamus porta a leo\n" wrappedText += "vel ornare. Orci varius natoque\n" wrappedText += "penatibus et magnis dis parturient\n" - wrappedText += "montes, nascetur ridiculus mus. Morbi\n" //nolint + wrappedText += "montes, nascetur ridiculus mus. Morbi\n" //nolint: misspell wrappedText += "pellentesque orci magna, sed semper\n" wrappedText += "nulla fringilla at. Nam elementum ipsum\n" wrappedText += "maximus lectus tempor faucibus. Donec eu\n" @@ -538,7 +538,7 @@ func TestCleanLogFile(t *testing.T) { line5 := "\nControl Chars: " // Create a token line - originalTokenLine := "7aa33bd2186c40849c4c2df321241e241def98ca:x-oauth-basic" + originalTokenLine := "7aa33bd2186c40849c4c2df321241e241def98ca:x-oauth-basic" //nolint: gosec sanitizedTokenLine := string(StripSensitiveData([]byte(originalTokenLine))) require.NotEqual(t, originalTokenLine, sanitizedTokenLine)