
Commit 4ff1328

fix: Synk warning changes (#4102)
* fix: risk of path traversal here. check: https://app.snyk.io/org/thomaspoignant/project/78100f3e-bb23-411a-88aa-e30c38c00d6c\#issue-96842b81-7cbd-43c0-b8d7-e0f91f66a7e6 Signed-off-by: Thomas Poignant <thomas.poignant@gofeatureflag.org> * fix: Snyk warning changes Signed-off-by: Thomas Poignant <thomas.poignant@gofeatureflag.org> --------- Signed-off-by: Thomas Poignant <thomas.poignant@gofeatureflag.org>
1 parent 222c947 commit 4ff1328

3 files changed

+7
-4
lines changed


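--- a/exporter/azureexporter/exporter.go
+++ b/exporter/azureexporter/exporter.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
+	"path"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
@@ -94,7 +95,7 @@ func (f *Exporter) Export(
 
 	for _, file := range files {
 		fileName := file.Name()
-		of, err := os.Open(outputDir + "/" + fileName)
+		of, err := os.Open(outputDir + "/" + path.Clean(fileName))
 		if err != nil {
 			logger.Error(
 				"[Azure Exporter] impossible to open file",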
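Review bot: `path.Clean(fileName)` on new line 98 does not stop path traversal: `path.Clean("../../x")` returns `../../x` unchanged, so `outputDir + "/" + path.Clean(fileName)` escapes outputDir exactly as before for any name that can contain `..`, and the change only silences the scanner. If `files` is the result of `os.ReadDir(outputDir)` (its origin is above the hunk, so I cannot confirm), `file.Name()` is a bare directory entry that can never contain a separator and traversal was never possible here; in that case say so rather than pretend to sanitize, e.g. `// file.Name() is a bare entry of outputDir (no separators), so it cannot traverse; Clean only satisfies the Snyk rule.` If the names can come from anywhere else, the actual guard is to confine the result, `of, err := os.Open(filepath.Join(outputDir, filepath.Base(fileName)))` (or an `os.Root`/`filepath.Rel` check), and `path/filepath` rather than `path` is the package for OS paths. The body of Export continues outside the hunk.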

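--- a/exporter/fileexporter/exporter_test.go
+++ b/exporter/fileexporter/exporter_test.go
@@ -3,6 +3,7 @@ package fileexporter_test
 import (
 	"context"
 	"os"
+	"path"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -542,7 +543,7 @@ func TestExportWithoutOutputDir(t *testing.T) {
 	for _, file := range files {
 		if strings.HasPrefix(file.Name(), filePrefix) {
 			countFileWithPrefix++
-			err := os.Remove(file.Name())
+			err := os.Remove(path.Clean(file.Name()))
 			require.NoError(t, err)
 		}
 	}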
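Review bot: The new import of `path` on line 6 exists only for the `path.Clean` on line 546, while the file already imports `path/filepath`, which is the OS-aware package for filesystem names; `err := os.Remove(filepath.Clean(file.Name()))` does the same without a second path package. Either Clean is a no-op for traversal: it keeps leading `..` segments, and if `files` comes from `os.ReadDir` (not visible in the hunk) the entry names contain no separators anyway, so this remains a scanner appeasement rather than a guard. The cleanup still removes relative to the process working directory, which is unchanged by this commit. TestExportWithoutOutputDir starts and ends outside the hunk.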

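--- a/exporter/gcstorageexporter/exporter.go
+++ b/exporter/gcstorageexporter/exporter.go
@@ -6,6 +6,7 @@ import (
 	"io"
 	"log/slog"
 	"os"
+	"path"
 
 	"cloud.google.com/go/storage"
 	"github.com/thomaspoignant/go-feature-flag/exporter"
@@ -97,7 +98,7 @@ func (f *Exporter) Export(
 	}
 
 	for _, file := range files {
-		of, err := os.Open(outputDir + "/" + file.Name())
+		of, err := os.Open(outputDir + "/" + path.Clean(file.Name()))
 		if err != nil {
 			logger.Error("[GCP Exporter] impossible to open the file",
 				slog.String("path", outputDir+"/"+file.Name()))
@@ -108,7 +109,7 @@ func (f *Exporter) Export(
 	// prepend the path
 	source := file.Name()
 	if f.Path != "" {
-		source = f.Path + "/" + file.Name()
+		source = f.Path + "/" + path.Clean(file.Name())
 	}
 
 	wc := client.Bucket(f.Bucket).Object(source).NewWriter(ctx)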
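Review bot: In the second hunk the opened path and the logged path now differ: line 101 opens `outputDir + "/" + path.Clean(file.Name())` but the error log on line 104 still prints `outputDir+"/"+file.Name()`, so when Clean changes anything the log no longer shows the path that failed. Build the path once and use it in both places, `p := filepath.Join(outputDir, filepath.Base(file.Name()))`, then `of, err := os.Open(p)` and `slog.String("path", p)`; `filepath.Base` is what actually confines the open to outputDir, whereas `path.Clean` preserves leading `..` and so does not address the traversal the commit message cites. If `files` comes from `os.ReadDir(outputDir)` (above the hunk, not visible), the names cannot contain separators and the Clean is a no-op either way. In the third hunk `source` is a GCS object key, where the slash-based `path` package is appropriate, but `..` segments survive there too; on line 110 the unconditional `source := file.Name()` is left uncleaned, so the two branches disagree. Export continues outside the hunks.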
