Clean filepath before reading the content
Looks like the security job is failing because it detects unsanitized input
from a file; this should fix the following:

```
  ✗ [Medium] Path Traversal
   ID: 2ce4a8d7-4fb1-41b5-8841-dc76ea48e503
   Path: pkg/crc/machine/bundle/repository.go, line 41
   Info: Unsanitized input from file name flows into os.ReadFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
```
praveenkumar committed Feb 11, 2025
1 parent a198680 commit 1f358e8
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion pkg/crc/machine/bundle/repository.go
Expand Up @@ -38,7 +38,7 @@ func (repo *Repository) Get(bundleName string) (*CrcBundleInfo, error) {
return nil, errors.Wrapf(err, "could not find cached bundle info in %s", path)
}
jsonFilepath := filepath.Join(path, metadataFilename)
content, err := os.ReadFile(jsonFilepath)
content, err := os.ReadFile(filepath.Clean(jsonFilepath))
if err != nil {
return nil, errors.Wrapf(err, "error reading %s file", jsonFilepath)
}
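Review bot: the added filepath.Clean on the os.ReadFile line is a no-op, because filepath.Join on the line above already returns a cleaned path, so this change silences the scanner finding without altering which file Get reads. If the underlying concern is that the bundleName argument in the hunk header could steer path outside the cache directory, the check belongs before this hunk, where path is built: reject names that carry separators or ".." (for example `if filepath.Base(bundleName) != bundleName { return nil, errors.Errorf("invalid bundle name %q", bundleName) }`), or verify that the resolved path still lies under the repository root. Either way, a short comment on the Clean call would tell the next reader it exists for the scanner rather than for correctness.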