
Commit 765b560

committed
Sanitize file names with filepath.Base and use os.Remove
Snyk static analysis does not recognize BuildPathChecked as sufficient sanitization for os.RemoveAll. Use filepath.Base to strip directory components from file names and switch to os.Remove since bundles are regular files, not directories.
1 parent 5c37b2f commit 765b560

2 files changed

+9
-15
lines changed


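--- a/cmd/crc/cmd/bundle/clear.go
+++ b/cmd/crc/cmd/bundle/clear.go
@@ -2,11 +2,11 @@ package bundle
 
 import (
 "os"
+"path/filepath"
 "strings"
 
 "github.com/crc-org/crc/v2/pkg/crc/constants"
 "github.com/crc-org/crc/v2/pkg/crc/logging"
-"github.com/crc-org/crc/v2/pkg/extract"
 "github.com/spf13/cobra"
 )
 
@@ -37,13 +37,10 @@ func runClear() error {
 var lastErr error
 for _, file := range files {
 if strings.HasSuffix(file.Name(), ".crcbundle") {
-filePath, err := extract.BuildPathChecked(cacheDir, file.Name())
-if err != nil {
-logging.Errorf("Skipping unsafe path %s: %v", file.Name(), err)
-continue
-}
+safeName := filepath.Base(file.Name())
+filePath := filepath.Join(cacheDir, safeName)
 logging.Infof("Deleting %s", filePath)
-if err := os.RemoveAll(filePath); err != nil {
+if err := os.Remove(filePath); err != nil {
 logging.Errorf("Failed to remove %s: %v", filePath, err)
 lastErr = err
 } else {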
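Review bot: `filepath.Base` passes a bare `..` through unchanged (Base("..") is ".."), so `filePath := filepath.Join(cacheDir, safeName)` on new line 41 would still resolve outside cacheDir if such a name ever reached it; in this loop the `.crcbundle` suffix check on the line above is what actually excludes that case, and prune.go's runPrune relies on the same property of `bundles[i].name` without a suffix filter in view. If `files` is a directory listing of cacheDir (it is built outside the hunk), entry names cannot contain a separator and Base is effectively a no-op, so the sanitization is defence in depth rather than the real guard; a comment stating that would tell the next reader what the safety argument depends on, e.g. `// file.Name() is a directory entry (no separators); Base only strips any that slip in, the suffix check rejects "." and ".."`. If an explicit guard is preferred over the comment, `if safeName != file.Name() || safeName == "." || safeName == ".." { logging.Errorf("Skipping unsafe name %q", file.Name()); continue }` before the Join keeps the old skip-and-continue behaviour. runClear starts before the hunk and ends after it.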

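--- a/cmd/crc/cmd/bundle/prune.go
+++ b/cmd/crc/cmd/bundle/prune.go
@@ -3,14 +3,14 @@ package bundle
 import (
 "fmt"
 "os"
+"path/filepath"
 "regexp"
 "sort"
 "strconv"
 "strings"
 
 "github.com/crc-org/crc/v2/pkg/crc/constants"
 "github.com/crc-org/crc/v2/pkg/crc/logging"
-"github.com/crc-org/crc/v2/pkg/extract"
 "github.com/spf13/cobra"
 )
 
@@ -110,13 +110,10 @@ func runPrune(keep int) error {
 })
 
 for i := keep; i < len(bundles); i++ {
-filePath, err := extract.BuildPathChecked(cacheDir, bundles[i].name)
-if err != nil {
-logging.Errorf("Skipping unsafe path %s: %v", bundles[i].name, err)
-continue
-}
-logging.Infof("Pruning old bundle: %s", bundles[i].name)
-if err := os.RemoveAll(filePath); err != nil {
+safeName := filepath.Base(bundles[i].name)
+filePath := filepath.Join(cacheDir, safeName)
+logging.Infof("Pruning old bundle: %s", safeName)
+if err := os.Remove(filePath); err != nil {
 logging.Errorf("Failed to remove %s: %v", filePath, err)
 }
 pruned = true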
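Review bot: On new lines 116-119 a failed `os.Remove` is only logged and execution falls through to `pruned = true`, and nothing in the hunk records the error, so runPrune appears to report success even when a bundle could not be removed; runClear in clear.go keeps a `lastErr` for the same situation, and mirroring that with `lastErr = err` inside the error branch (returned after the loop) would make the two commands consistent, unless the rest of runPrune, which is outside the hunk, already handles it. Separately, `bundles[i].name` is populated outside this hunk, so whether it can carry a separator or a bare `..` is not visible here, and `filepath.Base` returns `..` unchanged; a one-line comment on new line 113 naming where the name comes from (e.g. `// name is a cacheDir entry matched by the bundle regexp; Base is defence in depth`, adjusted to the actual source) would document why Base is sufficient. runPrune starts and ends outside the hunk.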
