diff --git a/go.mod b/go.mod index 8d7df720a..860df68e1 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.22 toolchain go1.22.5 require ( - github.com/bmatcuk/doublestar/v4 v4.7.1 + github.com/bmatcuk/doublestar/v4 v4.8.0 github.com/go-git/go-git/v5 v5.13.1 github.com/hashicorp/go-retryablehttp v0.7.7 github.com/iancoleman/strcase v0.3.0 diff --git a/go.sum b/go.sum index 197fe6b2f..087d53c9c 100644 --- a/go.sum +++ b/go.sum @@ -44,8 +44,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/bmatcuk/doublestar/v4 v4.7.1 h1:fdDeAqgT47acgwd9bd9HxJRDmc9UAmPpc+2m0CXv75Q= -github.com/bmatcuk/doublestar/v4 v4.7.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= +github.com/bmatcuk/doublestar/v4 v4.8.0 h1:DSXtrypQddoug1459viM9X9D3dp1Z7993fw36I2kNcQ= +github.com/bmatcuk/doublestar/v4 v4.8.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= diff --git a/vendor/github.com/bmatcuk/doublestar/v4/README.md b/vendor/github.com/bmatcuk/doublestar/v4/README.md index 21929a954..2e88266ef 100644 --- a/vendor/github.com/bmatcuk/doublestar/v4/README.md +++ b/vendor/github.com/bmatcuk/doublestar/v4/README.md @@ -319,6 +319,9 @@ If SplitPattern cannot find somewhere to split the pattern (for example, `meta*/**`), it will return "." and the unaltered pattern (`meta*/**` in this example). +Note that SplitPattern will also unescape any meta characters in the returned +base string, so that it can be passed straight to os.DirFS(). + Of course, it is your responsibility to decide if the returned base path is "safe" in the context of your application. Perhaps you could use Match() to validate against a list of approved base directories? @@ -414,8 +417,6 @@ ever since. In that time, it has grown into one of the most popular globbing libraries in the Go ecosystem. So, if **doublestar** is a useful library in your project, consider [sponsoring] my work! I'd really appreciate it! -[![MASV](../sponsors/MASV.png?raw=true)](https://massive.io/) - Thanks for sponsoring me! ## License diff --git a/vendor/github.com/bmatcuk/doublestar/v4/glob.go b/vendor/github.com/bmatcuk/doublestar/v4/glob.go index 519601b15..5d8b75ede 100644 --- a/vendor/github.com/bmatcuk/doublestar/v4/glob.go +++ b/vendor/github.com/bmatcuk/doublestar/v4/glob.go @@ -29,7 +29,6 @@ import ( // // Note: users should _not_ count on the returned error, // doublestar.ErrBadPattern, being equal to path.ErrBadPattern. -// func Glob(fsys fs.FS, pattern string, opts ...GlobOption) ([]string, error) { if !ValidatePattern(pattern) { return nil, ErrBadPattern @@ -107,7 +106,7 @@ func (g *glob) doGlob(fsys fs.FS, pattern string, m []string, firstSegment, befo // characters. They would be equal if they are both -1, which means `dir` // will be ".", and we know that doesn't have meta characters either. if splitIdx <= patternStart { - return g.globDir(fsys, dir, pattern, matches, firstSegment, beforeMeta) + return g.globDir(fsys, unescapeMeta(dir), pattern, matches, firstSegment, beforeMeta) } var dirs []string diff --git a/vendor/github.com/bmatcuk/doublestar/v4/globwalk.go b/vendor/github.com/bmatcuk/doublestar/v4/globwalk.go index 84e764f0e..3c77c858c 100644 --- a/vendor/github.com/bmatcuk/doublestar/v4/globwalk.go +++ b/vendor/github.com/bmatcuk/doublestar/v4/globwalk.go @@ -112,7 +112,7 @@ func (g *glob) doGlobWalk(fsys fs.FS, pattern string, firstSegment, beforeMeta b // characters. They would be equal if they are both -1, which means `dir` // will be ".", and we know that doesn't have meta characters either. if splitIdx <= patternStart { - return g.globDirWalk(fsys, dir, pattern, firstSegment, beforeMeta, fn) + return g.globDirWalk(fsys, unescapeMeta(dir), pattern, firstSegment, beforeMeta, fn) } return g.doGlobWalk(fsys, dir, false, beforeMeta, func(p string, d fs.DirEntry) error { diff --git a/vendor/github.com/bmatcuk/doublestar/v4/utils.go b/vendor/github.com/bmatcuk/doublestar/v4/utils.go index 6b8df9a38..7831e5c3d 100644 --- a/vendor/github.com/bmatcuk/doublestar/v4/utils.go +++ b/vendor/github.com/bmatcuk/doublestar/v4/utils.go @@ -29,6 +29,9 @@ import ( // `meta*/**`), it will return "." and the unaltered pattern (`meta*/**` in // this example). // +// Note that SplitPattern will also unescape any meta characters in the +// returned base string, so that it can be passed straight to os.DirFS(). +// // Of course, it is your responsibility to decide if the returned base path is // "safe" in the context of your application. Perhaps you could use Match() to // validate against a list of approved base directories? @@ -52,7 +55,7 @@ func SplitPattern(p string) (base, pattern string) { if splitIdx == 0 { return "/", p[1:] } else if splitIdx > 0 { - return p[:splitIdx], p[splitIdx+1:] + return unescapeMeta(p[:splitIdx]), p[splitIdx+1:] } return diff --git a/vendor/modules.txt b/vendor/modules.txt index 689b4d6a0..02feb3370 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -32,7 +32,7 @@ github.com/ProtonMail/go-crypto/openpgp/packet github.com/ProtonMail/go-crypto/openpgp/s2k github.com/ProtonMail/go-crypto/openpgp/x25519 github.com/ProtonMail/go-crypto/openpgp/x448 -# github.com/bmatcuk/doublestar/v4 v4.7.1 +# github.com/bmatcuk/doublestar/v4 v4.8.0 ## explicit; go 1.16 github.com/bmatcuk/doublestar/v4 # github.com/cloudflare/circl v1.3.7