chore: address a few small bugs (#1255)

Signed-off-by: egibs <[email protected]>

Author: egibs

Makefile

@@ -140,16 +140,16 @@ test:
 
 .PHONY: fuzz
 fuzz:
-	go test -fuzz=FuzzExtractTar -fuzztime=10s ./pkg/archive/
-	go test -fuzz=FuzzExtractZip -fuzztime=10s ./pkg/archive/
-	go test -fuzz=FuzzExtractArchive -fuzztime=10s ./pkg/archive/
-	go test -fuzz=FuzzIsValidPath -fuzztime=10s ./pkg/archive/
-	go test -fuzz=FuzzFile -fuzztime=30s ./pkg/programkind/
-	go test -fuzz=FuzzPath -fuzztime=10s ./pkg/programkind/
-	go test -fuzz=FuzzGetExt -fuzztime=10s ./pkg/programkind/
-	go test -fuzz=FuzzLongestUnique -fuzztime=10s ./pkg/report/
-	go test -fuzz=FuzzTrimPrefixes -fuzztime=10s ./pkg/report/
-	go test -fuzz=FuzzMatchToString -fuzztime=10s ./pkg/report/
+	go test -timeout 0 -fuzz=FuzzExtractTar -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractZip -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzExtractArchive -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzIsValidPath -fuzztime=10s ./pkg/archive/
+	go test -timeout 0 -fuzz=FuzzFile -fuzztime=30s ./pkg/programkind/
+	go test -timeout 0 -fuzz=FuzzPath -fuzztime=10s ./pkg/programkind/
+	go test -timeout 0 -fuzz=FuzzGetExt -fuzztime=10s ./pkg/programkind/
+	go test -timeout 0 -fuzz=FuzzLongestUnique -fuzztime=10s ./pkg/report/
+	go test -timeout 0 -fuzz=FuzzTrimPrefixes -fuzztime=10s ./pkg/report/
+	go test -timeout 0 -fuzz=FuzzMatchToString -fuzztime=10s ./pkg/report/
 
 # fuzz tests - runs continuously (use Ctrl+C to stop)
 # Usage: make fuzz-continuous FUZZ_TARGET=FuzzExtractArchive FUZZ_PKG=./pkg/archive/

pkg/archive/archive.go

@@ -26,9 +26,29 @@ var (
 
 // isValidPath checks if the target file is within the given directory.
 func IsValidPath(target, dir string) bool {
+	if strings.Contains(target, "\x00") || strings.Contains(dir, "\x00") {
+		return false
+	}
+
 	cleanTarget := filepath.Clean(target)
 	cleanDir := filepath.Clean(dir)
 
+	// avoid evaluating symlinks if the target is not a symlink
+	if fi, err := os.Lstat(cleanTarget); err == nil && fi.Mode()&os.ModeSymlink == os.ModeSymlink {
+		var evalTarget, evalDir, rel string
+
+		if evalTarget, err = filepath.EvalSymlinks(cleanTarget); err != nil {
+			return false
+		}
+		if evalDir, err = filepath.EvalSymlinks(cleanDir); err != nil {
+			return false
+		}
+		if rel, err = filepath.Rel(evalDir, evalTarget); err == nil &&
+			rel == ".." || strings.HasPrefix(rel, "..") {
+			return false
+		}
+	}
+
 	switch {
 	case cleanDir == "", cleanTarget == "":
 		return false

pkg/archive/fuzz_test.go

@@ -6,6 +6,7 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/chainguard-dev/malcontent/pkg/malcontent"
 )
@@ -46,7 +47,8 @@ func FuzzExtractTar(f *testing.F) {
 		}
 		defer os.RemoveAll(tmpDir)
 
-		ctx := context.Background()
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
 		_ = ExtractTar(ctx, tmpDir, tmpFile.Name())
 
 		err = filepath.WalkDir(tmpDir, func(path string, _ os.DirEntry, err error) error {
@@ -100,7 +102,8 @@ func FuzzExtractZip(f *testing.F) {
 		}
 		defer os.RemoveAll(tmpDir)
 
-		ctx := context.Background()
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
 		_ = ExtractZip(ctx, tmpDir, tmpFile.Name())
 
 		err = filepath.WalkDir(tmpDir, func(path string, _ os.DirEntry, err error) error {
@@ -163,7 +166,8 @@ func FuzzExtractArchive(f *testing.F) {
 		}
 		tmpFile.Close()
 
-		ctx := context.Background()
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
 		cfg := malcontent.Config{}
 		extractedDir, err := ExtractArchiveToTempDir(ctx, cfg, tmpFile.Name())
 		if err == nil && extractedDir != "" {

pkg/archive/zlib.go

@@ -32,7 +32,6 @@ func ExtractZlib(ctx context.Context, d string, f string) error {
 	}
 
 	buf := archivePool.Get(file.ExtractBuffer) //nolint:nilaway // the buffer pool is created in archive.go
-	defer archivePool.Put(buf)
 
 	zf, err := os.Open(f)
 	if err != nil {
@@ -54,6 +53,7 @@ func ExtractZlib(ctx context.Context, d string, f string) error {
 
 	defer func() {
 		archivePool.Put(buf)
+		zf.Close()
 		zr.Close()
 		out.Close()
 	}()

pkg/compile/compile.go

@@ -12,6 +12,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+	"unicode/utf8"
 
 	"github.com/minio/sha256-simd"
 
@@ -153,9 +154,18 @@ func getRulesToRemove() []string {
 
 // removeRules removes rule matches from the file data.
 func removeRules(data []byte, rulesToRemove []string) []byte {
+	if len(rulesToRemove) == 0 {
+		return data
+	}
+
 	modified := data
 	ruleNames := make([]string, len(rulesToRemove))
 	for i, name := range rulesToRemove {
+		// we only ever include rules listed above in badRules and rulesWithWarnings
+		// but ignore any rule names that aren't valid UTF-8
+		if !utf8.ValidString(name) {
+			continue
+		}
 		ruleNames[i] = regexp.QuoteMeta(name)
 	}
 	pattern := regexp.MustCompile(fmt.Sprintf(

pkg/programkind/fuzz_test.go

@@ -61,7 +61,7 @@ func FuzzFile(f *testing.F) {
 		}
 		tmpFile.Close()
 
-		ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
 
 		ft, err := File(ctx, tmpFile.Name())