Clean filepath before reading the content

praveenkumar · praveenkumar · commit 1f358e88c52a · 2025-02-11T14:28:41.000+05:30
Looks like security job is failing because it detect unsanitized input
from file, this should fix following

```
  ✗ [Medium] Path Traversal
   ID: 2ce4a8d7-4fb1-41b5-8841-dc76ea48e503
   Path: pkg/crc/machine/bundle/repository.go, line 41
   Info: Unsanitized input from file name flows into os.ReadFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
```
diff --git a/pkg/crc/machine/bundle/repository.go b/pkg/crc/machine/bundle/repository.go
@@ -38,7 +38,7 @@ func (repo *Repository) Get(bundleName string) (*CrcBundleInfo, error) {
 		return nil, errors.Wrapf(err, "could not find cached bundle info in %s", path)
 	}
 	jsonFilepath := filepath.Join(path, metadataFilename)
-	content, err := os.ReadFile(jsonFilepath)
+	content, err := os.ReadFile(filepath.Clean(jsonFilepath))
 	if err != nil {
 		return nil, errors.Wrapf(err, "error reading %s file", jsonFilepath)
 	}

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func (repo Repository) Get(bundleName string) (CrcBundleInfo, error) {`
`38`	`38`	`return nil, errors.Wrapf(err, "could not find cached bundle info in %s", path)`
`39`	`39`	`}`
`40`	`40`	`jsonFilepath := filepath.Join(path, metadataFilename)`
`41`		`- content, err := os.ReadFile(jsonFilepath)`
	`41`	`+ content, err := os.ReadFile(filepath.Clean(jsonFilepath))`
`42`	`42`	`if err != nil {`
`43`	`43`	`return nil, errors.Wrapf(err, "error reading %s file", jsonFilepath)`
`44`	`44`	`}`