From 665eb1b41b27ac05aa1decc5f61f8cbe0728be9e Mon Sep 17 00:00:00 2001
From: kewe63
Date: Mon, 11 May 2026 10:52:26 +0300
Subject: [PATCH 1/4] fix: sanitize repo path and add trailing newline in dependency updater

---
 dependency_updater/dependency_updater.go | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/dependency_updater/dependency_updater.go b/dependency_updater/dependency_updater.go
index 56204d77a..d65d8306e 100644
--- a/dependency_updater/dependency_updater.go
+++ b/dependency_updater/dependency_updater.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"path/filepath"
 	"slices"
 	"time"
 
@@ -82,7 +83,13 @@ func updater(token string, repoPath string, commit bool, githubAction bool) erro
 	var dependencies Dependencies
 	var updatedDependencies []VersionUpdateInfo
 
-	f, err := os.ReadFile(repoPath + "/versions.json")
+	// Sanitize repoPath to prevent path traversal (CWE-22)
+	repoPath, err = filepath.Abs(filepath.Clean(repoPath))
+	if err != nil {
+		return fmt.Errorf("error resolving repo path: %s", err)
+	}
+
+	f, err := os.ReadFile(filepath.Join(repoPath, "versions.json"))
 	if err != nil {
 		return fmt.Errorf("error reading versions JSON: %s", err)
 	}
@@ -336,7 +343,7 @@ func writeToVersionsJson(repoPath string, dependencies Dependencies) error {
 		return fmt.Errorf("error marshaling dependencies json: %s", err)
 	}
 
-	e := os.WriteFile(repoPath+"/versions.json", updatedJson, 0644)
+	e := os.WriteFile(filepath.Join(repoPath, "versions.json"), updatedJson, 0644)
 	if e != nil {
 		return fmt.Errorf("error writing to versions.json: %s", e)
 	}
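Review bot: The comment `// Sanitize repoPath to prevent path traversal (CWE-22)` above `repoPath, err = filepath.Abs(filepath.Clean(repoPath))` overstates what the line does: Abs and Clean only normalise the path, and a repoPath containing `..` segments still resolves to whatever directory it names, so on its own this is not a CWE-22 mitigation. `filepath.Clean` is also redundant here because `filepath.Abs` already returns a cleaned path. I would write `// Normalise repoPath; Abs alone does not confine it to any directory` and `repoPath, err = filepath.Abs(repoPath)`. The `fmt.Errorf` calls with `%s` in this hunk and in the `@@ -336,7` hunk should use `%w` so callers can unwrap with `errors.Is`/`errors.As`; PATCH 4/4 fixes this only for the two calls in updater. updater continues on both sides of the hunk.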
@@ -368,13 +375,13 @@ func createVersionsEnv(repoPath string, dependencies Dependencies) error {
 	slices.Sort(envLines)
 
-	file, err := os.Create(repoPath + "/versions.env")
+	file, err := os.Create(filepath.Join(repoPath, "versions.env"))
 	if err != nil {
 		return fmt.Errorf("error creating versions.env file: %s", err)
 	}
 	defer file.Close()
 
-	_, err = file.WriteString(strings.Join(envLines, "\n"))
+	_, err = file.WriteString(strings.Join(envLines, "\n") + "\n")
 	if err != nil {
 		return fmt.Errorf("error writing to versions.env file: %s", err)
 	}

From 24939ddc5bf7c2ef2f3a800bb9c5c8d30d471c30 Mon Sep 17 00:00:00 2001
From: kewe63
Date: Mon, 11 May 2026 11:51:34 +0300
Subject: [PATCH 2/4] fix: implement security check for repo path to prevent directory traversal

---
 dependency_updater/dependency_updater.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/dependency_updater/dependency_updater.go b/dependency_updater/dependency_updater.go
index d65d8306e..4e2b335ee 100644
--- a/dependency_updater/dependency_updater.go
+++ b/dependency_updater/dependency_updater.go
@@ -89,6 +89,19 @@ func updater(token string, repoPath string, commit bool, githubAction bool) erro
 		return fmt.Errorf("error resolving repo path: %s", err)
 	}
 
+	// Ensure the resolved path stays within the workspace (CWE-22)
+	base := os.Getenv("GITHUB_WORKSPACE")
+	if base != "" {
+		absBase, err := filepath.Abs(base)
+		if err != nil {
+			return fmt.Errorf("error resolving workspace base path: %w", err)
+		}
+		rel, err := filepath.Rel(absBase, repoPath)
+		if err != nil || strings.HasPrefix(rel, "..") {
+			return fmt.Errorf("security error: repo path '%s' is outside of workspace '%s'", repoPath, absBase)
+		}
+	}
+
 	f, err := os.ReadFile(filepath.Join(repoPath, "versions.json"))
 	if err != nil {
 		return fmt.Errorf("error reading versions JSON: %s", err)

From 7b53e3837d28fcca05ca710316f75d2b657058d3 Mon Sep 17 00:00:00 2001
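Review bot: The rewritten write on `_, err = file.WriteString(strings.Join(envLines, "\n") + "\n")` still goes through `os.Create` plus `defer file.Close()`, so any failure reported by Close is discarded, and the function builds its file differently from writeToVersionsJson, which this same patch switches to `os.WriteFile` with `filepath.Join`. Since both the Create line and the WriteString line are touched here, the sequence can collapse into one call that matches the sibling function and surfaces the close error: `if err := os.WriteFile(filepath.Join(repoPath, "versions.env"), []byte(strings.Join(envLines, "\n")+"\n"), 0644); err != nil {` / `return fmt.Errorf("error writing to versions.env file: %w", err)` / `}`. createVersionsEnv continues on both sides of the hunk, so the `defer file.Close()` context line and any later use of `file` that I cannot see would have to go with it.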
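Review bot: `strings.HasPrefix(rel, "..")` on the `filepath.Rel` result is the wrong containment test: it also rejects a directory inside the workspace whose name merely starts with two dots (rel would be e.g. `..cache`), while the intent is to catch `..` and `../…` only. The usual form is `if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {`. Separately, `filepath.Abs` does not resolve symlinks, so if a symlinked checkout is a possibility here both `base` and `repoPath` should go through `filepath.EvalSymlinks` before `Rel`, otherwise the comment `// Ensure the resolved path stays within the workspace` reads stronger than what the code checks. `%q` instead of `'%s'` in the error would quote both paths safely. The same block reappears unchanged in the `@@ -86,12` hunk of PATCH 4/4 after PATCH 3/4 removes it; updater continues outside the hunk.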
From: kewe63
Date: Mon, 11 May 2026 11:50:18 +0300
Subject: [PATCH 3/4] fix: dependency_updater security, POSIX compliance, and improved descriptions

---
 dependency_updater/dependency_updater.go | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/dependency_updater/dependency_updater.go b/dependency_updater/dependency_updater.go
index 4e2b335ee..d65d8306e 100644
--- a/dependency_updater/dependency_updater.go
+++ b/dependency_updater/dependency_updater.go
@@ -89,19 +89,6 @@ func updater(token string, repoPath string, commit bool, githubAction bool) erro
 		return fmt.Errorf("error resolving repo path: %s", err)
 	}
 
-	// Ensure the resolved path stays within the workspace (CWE-22)
-	base := os.Getenv("GITHUB_WORKSPACE")
-	if base != "" {
-		absBase, err := filepath.Abs(base)
-		if err != nil {
-			return fmt.Errorf("error resolving workspace base path: %w", err)
-		}
-		rel, err := filepath.Rel(absBase, repoPath)
-		if err != nil || strings.HasPrefix(rel, "..") {
-			return fmt.Errorf("security error: repo path '%s' is outside of workspace '%s'", repoPath, absBase)
-		}
-	}
-
 	f, err := os.ReadFile(filepath.Join(repoPath, "versions.json"))
 	if err != nil {
 		return fmt.Errorf("error reading versions JSON: %s", err)

From 0289db92b106880fc3d5bf5b44faf038a8586697 Mon Sep 17 00:00:00 2001
From: kewe63
Date: Mon, 11 May 2026 13:44:46 +0300
Subject: [PATCH 4/4] fix: dependency_updater security and error wrapping

---
 dependency_updater/dependency_updater.go | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/dependency_updater/dependency_updater.go b/dependency_updater/dependency_updater.go
index d65d8306e..d3b847011 100644
--- a/dependency_updater/dependency_updater.go
+++ b/dependency_updater/dependency_updater.go
@@ -86,12 +86,25 @@ func updater(token string, repoPath string, commit bool, githubAction bool) erro
 	// Sanitize repoPath to prevent path traversal (CWE-22)
 	repoPath, err = filepath.Abs(filepath.Clean(repoPath))
 	if err != nil {
-		return fmt.Errorf("error resolving repo path: %s", err)
+		return fmt.Errorf("error resolving repo path: %w", err)
+	}
+
+	// Ensure the resolved path stays within the workspace (CWE-22)
+	base := os.Getenv("GITHUB_WORKSPACE")
+	if base != "" {
+		absBase, err := filepath.Abs(base)
+		if err != nil {
+			return fmt.Errorf("error resolving workspace base path: %w", err)
+		}
+		rel, err := filepath.Rel(absBase, repoPath)
+		if err != nil || strings.HasPrefix(rel, "..") {
+			return fmt.Errorf("security error: repo path '%s' is outside of workspace '%s'", repoPath, absBase)
+		}
 	}
 
 	f, err := os.ReadFile(filepath.Join(repoPath, "versions.json"))
 	if err != nil {
-		return fmt.Errorf("error reading versions JSON: %s", err)
+		return fmt.Errorf("error reading versions JSON: %w", err)
 	}
 
 	client := github.NewClient(nil).WithAuthToken(token)
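Review bot: The containment check inside `if base != "" {` is silently skipped whenever `GITHUB_WORKSPACE` is unset, so outside GitHub Actions repoPath is used exactly as the caller gave it and the `// Sanitize repoPath to prevent path traversal (CWE-22)` context line above does not describe what actually happens; that limitation should be stated at the check rather than discovered by reading it. I would extend the new comment to `// Ensure the resolved path stays within the workspace (CWE-22); only enforced when GITHUB_WORKSPACE is set, otherwise repoPath is trusted as given`. The `absBase, err :=` declaration also shadows the outer `err` for the rest of the block — harmless here since both failure branches return immediately, but it will trip a vet shadow check if the project runs one. updater continues on both sides of this hunk.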