fix: resolve Snyk security warning with path traversal

seborama · seborama · commit a4830c8adceb · 2025-04-28T09:51:44.000+01:00
diff --git a/openapi3/loader_uri_reader.go b/openapi3/loader_uri_reader.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"path"
 	"path/filepath"
 	"sync"
 )
@@ -79,7 +80,7 @@ func ReadFromFile(loader *Loader, location *url.URL) ([]byte, error) {
 	if !is_file(location) {
 		return nil, ErrURINotSupported
 	}
-	return os.ReadFile(filepath.FromSlash(location.Path))
+	return os.ReadFile(path.Clean(filepath.FromSlash(location.Path)))
 }
 
 // URIMapCache returns a ReadFromURIFunc that caches the contents read from URI

Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`	`"net/http"`
`8`	`8`	`"net/url"`
`9`	`9`	`"os"`
	`10`	`+ "path"`
`10`	`11`	`"path/filepath"`
`11`	`12`	`"sync"`
`12`	`13`	`)`
`@@ -79,7 +80,7 @@ func ReadFromFile(loader Loader, location url.URL) ([]byte, error) {`
`79`	`80`	`if !is_file(location) {`
`80`	`81`	`return nil, ErrURINotSupported`
`81`	`82`	`}`
`82`		`- return os.ReadFile(filepath.FromSlash(location.Path))`
	`83`	`+ return os.ReadFile(path.Clean(filepath.FromSlash(location.Path)))`
`83`	`84`	`}`
`84`	`85`
`85`	`86`	`// URIMapCache returns a ReadFromURIFunc that caches the contents read from URI`