Fixed SAST vulnerabilities

bhanurp · bhanurp · commit 3c025a213285 · 2026-03-06T14:33:40.000+05:30
diff --git a/go.mod b/go.mod
@@ -71,7 +71,7 @@ require (
 	github.com/gfleury/go-bitbucket-v1 v0.0.0-20240917142304-df385efaac68 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.7.0 // indirect
-	github.com/go-git/go-git/v5 v5.16.4 // indirect
+	github.com/go-git/go-git/v5 v5.16.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.24.2 // indirect
@@ -161,7 +161,7 @@ require (
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/stretchr/objx v0.5.3 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/theupdateframework/go-tuf/v2 v2.4.0 // indirect
+	github.com/theupdateframework/go-tuf/v2 v2.4.1 // indirect
 	github.com/transparency-dev/formats v0.0.0-20260119090622-e70c80e9488a // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/ulikunitz/xz v0.5.15 // indirect
diff --git a/go.sum b/go.sum
@@ -219,8 +219,8 @@ github.com/go-git/go-billy/v5 v5.7.0 h1:83lBUJhGWhYp0ngzCMSgllhUSuoHP1iEWYjsPl9n
 github.com/go-git/go-billy/v5 v5.7.0/go.mod h1:/1IUejTKH8xipsAcdfcSAlUlo2J7lkYV8GTKxAT/L3E=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.4 h1:7ajIEZHZJULcyJebDLo99bGgS0jRrOxzZG4uCk2Yb2Y=
-github.com/go-git/go-git/v5 v5.16.4/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
+github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -596,8 +596,8 @@ github.com/terminalstatic/go-xsd-validate v0.1.6 h1:TenYeQ3eY631qNi1/cTmLH/s2slH
 github.com/terminalstatic/go-xsd-validate v0.1.6/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
 github.com/theupdateframework/go-tuf v0.7.0 h1:CqbQFrWo1ae3/I0UCblSbczevCCbS31Qvs5LdxRWqRI=
 github.com/theupdateframework/go-tuf v0.7.0/go.mod h1:uEB7WSY+7ZIugK6R1hiBMBjQftaFzn7ZCDJcp1tCUug=
-github.com/theupdateframework/go-tuf/v2 v2.4.0 h1:3HGxV0lq91/RJ7YycqCKuKBuLfo4rLRut4lh9XqIEP4=
-github.com/theupdateframework/go-tuf/v2 v2.4.0/go.mod h1:9S0Srkf3c13FelsOyt5OyG3ZZDq9OJDA4IILavrt72Y=
+github.com/theupdateframework/go-tuf/v2 v2.4.1 h1:K6ewW064rKZCPkRo1W/CTbTtm/+IB4+coG1iNURAGCw=
+github.com/theupdateframework/go-tuf/v2 v2.4.1/go.mod h1:Nex2enPVYDFCklrnbTzl3OVwD7fgIAj0J5++z/rvCj8=
 github.com/tink-crypto/tink-go-awskms/v2 v2.1.0 h1:N9UxlsOzu5mttdjhxkDLbzwtEecuXmlxZVo/ds7JKJI=
 github.com/tink-crypto/tink-go-awskms/v2 v2.1.0/go.mod h1:PxSp9GlOkKL9rlybW804uspnHuO9nbD98V/fDX4uSis=
 github.com/tink-crypto/tink-go-gcpkms/v2 v2.2.0 h1:3B9i6XBXNTRspfkTC0asN5W0K6GhOSgcujNiECNRNb0=
diff --git a/skills/commands/install/install.go b/skills/commands/install/install.go
@@ -240,6 +240,11 @@ func unzipFile(src, dest string) error {
 }
 
 func extractFile(f *zip.File, dest string) error {
+	// Reject paths containing traversal sequences as defense-in-depth
+	if strings.Contains(dest, "..") {
+		return fmt.Errorf("illegal file path: %s", dest)
+	}
+
 	rc, err := f.Open()
 	if err != nil {
 		return err
@@ -248,8 +253,9 @@ func extractFile(f *zip.File, dest string) error {
 		_ = rc.Close()
 	}()
 
-	// #nosec G304 -- dest is validated above to be under the extraction directory
-	outFile, err := os.OpenFile(dest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
+	cleanDest := filepath.Clean(dest)
+	// #nosec G304 -- dest is validated in unzipFile and above to be under the extraction directory
+	outFile, err := os.OpenFile(cleanDest, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
 	if err != nil {
 		return err
 	}
diff --git a/skills/commands/publish/publish.go b/skills/commands/publish/publish.go
@@ -109,6 +109,10 @@ func (pc *PublishCommand) Run() error {
 		}
 	}
 
+	if err := ValidateVersion(version); err != nil {
+		return err
+	}
+
 	version, err = pc.resolveVersionCollision(slug, version)
 	if err != nil {
 		return err
@@ -235,6 +239,9 @@ func (pc *PublishCommand) resolveVersionCollision(slug, version string) (string,
 		if newVersion == "" {
 			return "", fmt.Errorf("no version provided, aborting")
 		}
+		if err := ValidateVersion(newVersion); err != nil {
+			return "", err
+		}
 		return pc.resolveVersionCollision(slug, newVersion)
 	default:
 		return "", fmt.Errorf("publish aborted by user")
diff --git a/skills/commands/publish/publish_test.go b/skills/commands/publish/publish_test.go
@@ -225,6 +225,42 @@ func TestValidateSlug(t *testing.T) {
 	assert.Error(t, ValidateSlug(""))
 }
 
+func TestValidateVersion(t *testing.T) {
+	tests := []struct {
+		version string
+		wantErr bool
+	}{
+		{"1.0.0", false},
+		{"0.1.0", false},
+		{"2.3.4-beta", false},
+		{"1.0.0-rc.1", false},
+		{"1.0.0+build.123", false},
+		{"v1.0.0", false},
+
+		{"", true},
+		{"../etc/passwd", true},
+		{"1.0.0/../../etc", true},
+		{"1.0.0\\..\\etc", true},
+		{"..", true},
+		{"valid..version", true},
+		{"has space", true},
+		{"has\x00null", true},
+		{"/leading-slash", true},
+		{"-leading-hyphen", true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.version, func(t *testing.T) {
+			err := ValidateVersion(tt.version)
+			if tt.wantErr {
+				assert.Error(t, err, "expected error for version %q", tt.version)
+			} else {
+				assert.NoError(t, err, "expected no error for version %q", tt.version)
+			}
+		})
+	}
+}
+
 func TestGeneratePredicateFile(t *testing.T) {
 	dir := t.TempDir()
 	path, err := GeneratePredicateFile(dir, "test-skill", "1.0.0")
diff --git a/skills/commands/publish/skillmeta.go b/skills/commands/publish/skillmeta.go
@@ -10,6 +10,10 @@ import (
 
 var slugRegex = regexp.MustCompile(`^[a-z0-9][a-z0-9-]*$`)
 
+// versionSafeRegex permits semver-like strings: digits, dots, hyphens, plus, and alphanumerics.
+// It rejects path separators, "..", null bytes, and other characters that could cause path traversal.
+var versionSafeRegex = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9.\-+]*$`)
+
 type SkillMeta struct {
 	Name        string
 	Description string
@@ -142,3 +146,18 @@ func ValidateSlug(slug string) error {
 	}
 	return nil
 }
+
+// ValidateVersion checks that a version string is safe for use in file paths.
+// It rejects path traversal sequences and characters that could escape the intended directory.
+func ValidateVersion(version string) error {
+	if version == "" {
+		return fmt.Errorf("version must not be empty")
+	}
+	if strings.Contains(version, "..") {
+		return fmt.Errorf("invalid version '%s': must not contain '..'", version)
+	}
+	if !versionSafeRegex.MatchString(version) {
+		return fmt.Errorf("invalid version '%s': must contain only alphanumeric characters, dots, hyphens, and plus signs", version)
+	}
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -109,6 +109,10 @@ func (pc *PublishCommand) Run() error {`
`109`	`109`	`}`
`110`	`110`	`}`
`111`	`111`
	`112`	`+ if err := ValidateVersion(version); err != nil {`
	`113`	`+ return err`
	`114`	`+ }`
	`115`	`+`
`112`	`116`	`version, err = pc.resolveVersionCollision(slug, version)`
`113`	`117`	`if err != nil {`
`114`	`118`	`return err`
`@@ -235,6 +239,9 @@ func (pc *PublishCommand) resolveVersionCollision(slug, version string) (string,`
`235`	`239`	`if newVersion == "" {`
`236`	`240`	`return "", fmt.Errorf("no version provided, aborting")`
`237`	`241`	`}`
	`242`	`+ if err := ValidateVersion(newVersion); err != nil {`
	`243`	`+ return "", err`
	`244`	`+ }`
`238`	`245`	`return pc.resolveVersionCollision(slug, newVersion)`
`239`	`246`	`default:`
`240`	`247`	`return "", fmt.Errorf("publish aborted by user")`