Fix go lint errors

divyansh42 · pramodbindal · commit 4cdb9fad1f66 · 2026-03-03T13:53:02.000+05:30
Signed-off-by: divyansh42 &lt;diagrawa@redhat.com&gt;
diff --git a/internal/provider/blob/blob.go b/internal/provider/blob/blob.go
@@ -6,6 +6,7 @@ import (
 	"log"
 	"net/url"
 	"os"
+	"strings"
 
 	"github.com/openshift-pipelines/tekton-caches/internal/tar"
 	"gocloud.dev/blob"
@@ -41,8 +42,14 @@ func init() {
 	queryParams = os.Getenv("BLOB_QUERY_PARAMS")
 }
 
+// sanitizeLog strips newline/carriage-return characters from s to prevent log injection.
+func sanitizeLog(s string) string {
+	s = strings.ReplaceAll(s, "\n", "")
+	return strings.ReplaceAll(s, "\r", "")
+}
+
 func Fetch(ctx context.Context, url url.URL, folder string) error {
-	log.Printf("Downloading cache from %s to %s", url.String(), folder)
+	log.Printf("Downloading cache from %s to %s", sanitizeLog(url.String()), sanitizeLog(folder)) //nolint:gosec
 	file, err := os.CreateTemp("", cacheFile)
 	if err != nil {
 		log.Printf("error creating tar file: %s", err)
@@ -83,7 +90,7 @@ func Fetch(ctx context.Context, url url.URL, folder string) error {
 }
 
 func Upload(ctx context.Context, url url.URL, folder string) error {
-	log.Printf("Uploading cache to %s from %s", url.String(), folder)
+	log.Printf("Uploading cache to %s from %s", sanitizeLog(url.String()), sanitizeLog(folder)) //nolint:gosec
 	file, err := os.CreateTemp("", cacheFile)
 	if err != nil {
 		return err
diff --git a/internal/tar/file-utils.go b/internal/tar/file-utils.go
@@ -1,4 +1,4 @@
-package tar
+package tar //nolint:revive
 
 import (
 	"archive/tar"
@@ -88,8 +88,14 @@ func Compress(source, target string) error {
 	return nil
 }
 
+// sanitizeLog strips newline/carriage-return characters from s to prevent log injection.
+func sanitizeLog(s string) string {
+	s = strings.ReplaceAll(s, "\n", "")
+	return strings.ReplaceAll(s, "\r", "")
+}
+
 func ExtractTarGz(file *os.File, targetDir string) error {
-	log.Printf("Extracting tar.gz...%s", file.Name())
+	log.Printf("Extracting tar.gz...%s", sanitizeLog(file.Name())) //nolint:gosec
 	gz, err := gzip.NewReader(file)
 	if err != nil {
 		return fmt.Errorf("error creating gzip reader: %w", err)
@@ -101,7 +107,7 @@ func ExtractTarGz(file *os.File, targetDir string) error {
 }
 
 func ExtractTar(file *os.File, targetDir string) error {
-	log.Printf("Extracting tar...  %s", file.Name())
+	log.Printf("Extracting tar...  %s", sanitizeLog(file.Name())) //nolint:gosec
 	return extract(tar.NewReader(file), targetDir)
 }
 
@@ -129,16 +135,16 @@ func extract(tr *tar.Reader, targetDir string) error {
 
 		switch header.Typeflag {
 		case tar.TypeDir:
-			// Ensure directory exists
-			if err := os.MkdirAll(path, os.ModePerm); err != nil {
+			// Ensure directory exists; path is validated by safePath above.
+			if err := os.MkdirAll(path, os.ModePerm); err != nil { //nolint:gosec
 				return err
 			}
 			// Change the directory permission so that all users can create/update files inside.
-			if err := os.Chmod(path, os.ModePerm); path != baseDir && err != nil {
+			if err := os.Chmod(path, os.ModePerm); path != baseDir && err != nil { //nolint:gosec
 				return fmt.Errorf("failed to change permissions of %s: %w", path, err)
 			}
 		case tar.TypeReg:
-			outFile, err := os.Create(path)
+			outFile, err := os.Create(path) //nolint:gosec
 			if err != nil {
 				return fmt.Errorf("error while creating file %s: %w", path, err)
 			}
@@ -171,9 +177,10 @@ func extract(tr *tar.Reader, targetDir string) error {
 }
 
 func safePath(basePath, targetPath string) (string, error) {
-	if strings.Contains(targetPath, "..") {
-		return "", fmt.Errorf("target path contains '..': %s", targetPath)
+	combinedPath := filepath.Clean(filepath.Join(basePath, targetPath))
+	rel, err := filepath.Rel(basePath, combinedPath)
+	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
+		return "", fmt.Errorf("target path %q escapes base directory", targetPath)
 	}
-	combinedPath := filepath.Join(basePath, targetPath)
 	return combinedPath, nil
 }
diff --git a/internal/tar/file_utils_test.go b/internal/tar/file_utils_test.go
@@ -1,9 +1,11 @@
-package tar
+package tar_test
 
 import (
 	"os"
 	"path/filepath"
 	"testing"
+
+	cachetar "github.com/openshift-pipelines/tekton-caches/internal/tar"
 )
 
 func TestComressAndExtract(t *testing.T) {
@@ -29,7 +31,7 @@ func TestComressAndExtract(t *testing.T) {
 
 	// Test Compress
 	tarFile := filepath.Join(tempDir, "test.tar.gz")
-	err = Compress(testDir, tarFile)
+	err = cachetar.Compress(testDir, tarFile)
 	if err != nil {
 		t.Fatalf("Compress failed: %v", err)
 	}
@@ -52,7 +54,7 @@ func TestComressAndExtract(t *testing.T) {
 	}
 	defer tarFileHandle.Close()
 
-	err = ExtractTarGz(tarFileHandle, extractDir)
+	err = cachetar.ExtractTarGz(tarFileHandle, extractDir)
 	if err != nil {
 		t.Fatalf("ExtractTarGz failed: %v", err)
 	}
