Merge pull request #5136 from sensu/go1.26-update

Go1.26 update

Author: rakibhossainctr

.appveyor.yml

@@ -7,7 +7,7 @@ branches:
     - /release\/[0-9.]+/
 
 image:
-  - Visual Studio 2015
+  - Visual Studio 2022
   # - Visual Studio 2017
 
 cache:
@@ -16,7 +16,7 @@ cache:
 environment:
   GOPATH: c:\gopath
   GOROOT: c:\Program Files\Go
-  GOVERSION: 1.24.3
+  GOVERSION: 1.26.0
   GO111MODULE: 'on'
   GOPROXY: 'https://proxy.golang.org'
 

.circleci/config.yml

@@ -6,7 +6,7 @@ orbs:
 parameters:
   go_version:
     type: string
-    default: "1.24.3"
+    default: "1.26.0"
 
 sensu_go_build_env: &sensu_go_build_env
   docker:

.github/workflows/static-check.yml

@@ -13,18 +13,18 @@ jobs:
     name: staticcheck (project)
     runs-on: ubuntu-latest
     env:
-      GO_VERSION: 1.23.4
+      GO_VERSION: 1.26.0
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 1
-      - uses: WillAbides/setup-go-faster@v1.14.0
+      - uses: actions/setup-go@v5
         with:
-          go-version: "1.24.x"
+          go-version: "1.26.x"
       - uses: dominikh/staticcheck-action@v1.3.1
         with:
           version: "2025.1.1"
           install-go: false
-          cache-key: "1.24.x"
+          cache-key: "1.26.x"
 env:
-  GO_VERSION: 1.24.3
+  GO_VERSION: 1.26.0

agent/agent.go

@@ -10,7 +10,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"math/rand"
 	"net/http"
 	"net/url"
@@ -273,7 +272,7 @@ func NewAgentContext(ctx context.Context, config *Config) (*Agent, error) {
 		return nil, fmt.Errorf("error creating agent: %s", err)
 	}
 
-	allowList, err := readAllowList(config.AllowList, ioutil.ReadFile)
+	allowList, err := readAllowList(config.AllowList, os.ReadFile)
 	if err != nil {
 		return nil, err
 	}

agent/cmd/start.go

@@ -3,7 +3,7 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"os"
 	"path/filepath"
 	"strings"
@@ -476,7 +476,7 @@ func flagSet() *pflag.FlagSet {
 	flagSet.Duration(flagMaxSessionLength, viper.GetDuration(flagMaxSessionLength), "maximum amount of time after which the agent will reconnect to one of the configured backends (no maximum by default)")
 	flagSet.Bool(flagStripNetworks, viper.GetBool(flagStripNetworks), "do not include Network info in agent entity state")
 
-	flagSet.SetOutput(ioutil.Discard)
+	flagSet.SetOutput(io.Discard)
 
 	return flagSet
 }

agent/cmd/start_test.go

@@ -2,13 +2,12 @@ package cmd
 
 import (
 	"fmt"
-	"io/ioutil"
 	"os"
 	"reflect"
 	"testing"
 
-	"github.com/sensu/sensu-go/agent"
 	corev2 "github.com/sensu/core/v2"
+	"github.com/sensu/sensu-go/agent"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
@@ -130,7 +129,7 @@ func TestNewAgentConfig_AgentManagedEntityFlag(t *testing.T) {
 func tempConfig(t *testing.T, content string) *os.File {
 	t.Helper()
 
-	file, err := ioutil.TempFile(os.TempDir(), "sensu-agent-")
+	file, err := os.CreateTemp(os.TempDir(), "sensu-agent-")
 	if err != nil {
 		t.Fatalf("error creating tmpFile %q: %s", file.Name(), err)
 	}

agent/debug_test.go

@@ -4,12 +4,12 @@
 package agent
 
 import (
-	"io/ioutil"
+	"io"
 
 	"github.com/sirupsen/logrus"
 )
 
 func init() {
 	// Silence logger
-	logrus.SetOutput(ioutil.Discard)
+	logrus.SetOutput(io.Discard)
 }

asset/boltdb_manager_test.go

@@ -5,7 +5,6 @@ import (
 	"encoding/json"
 	"errors"
 	"io"
-	"io/ioutil"
 	"os"
 	"testing"
 
@@ -20,7 +19,7 @@ type mockFetcher struct {
 
 func (m *mockFetcher) Fetch(context.Context, string, map[string]string) (*os.File, error) {
 	if m.pass {
-		return ioutil.TempFile(os.TempDir(), "boltdb_manager_test_fetcher")
+		return os.CreateTemp(os.TempDir(), "boltdb_manager_test_fetcher")
 	}
 
 	return nil, errors.New("")
@@ -52,7 +51,7 @@ func (m *mockExpander) Expand(f io.ReadSeeker, path string) error {
 func TestGetExistingAsset(t *testing.T) {
 	t.Parallel()
 
-	tmpFile, err := ioutil.TempFile(os.TempDir(), "asset_test_get_existing_asset.db")
+	tmpFile, err := os.CreateTemp(os.TempDir(), "asset_test_get_existing_asset.db")
 	if err != nil {
 		t.Fatalf("unable to create test boltdb file: %v", err)
 	}
@@ -110,7 +109,7 @@ func TestGetExistingAsset(t *testing.T) {
 func TestGetNonexistentAsset(t *testing.T) {
 	t.Parallel()
 
-	tmpFile, err := ioutil.TempFile(os.TempDir(), "asset_test_get_nonexistent_asset.db")
+	tmpFile, err := os.CreateTemp(os.TempDir(), "asset_test_get_nonexistent_asset.db")
 	if err != nil {
 		t.Fatalf("unable to create test boltdb file: %v", err)
 	}
@@ -147,7 +146,7 @@ func TestGetNonexistentAsset(t *testing.T) {
 func TestGetInvalidAsset(t *testing.T) {
 	t.Parallel()
 
-	tmpFile, err := ioutil.TempFile(os.TempDir(), "asset_test_get_invalid_asset.db")
+	tmpFile, err := os.CreateTemp(os.TempDir(), "asset_test_get_invalid_asset.db")
 	if err != nil {
 		t.Fatalf("unable to create test boltdb file: %v", err)
 	}
@@ -185,7 +184,7 @@ func TestGetInvalidAsset(t *testing.T) {
 func TestFailedExpand(t *testing.T) {
 	t.Parallel()
 
-	tmpFile, err := ioutil.TempFile(os.TempDir(), "asset_test_get_invalid_asset.db")
+	tmpFile, err := os.CreateTemp(os.TempDir(), "asset_test_get_invalid_asset.db")
 	if err != nil {
 		t.Fatalf("unable to create test boltdb file: %v", err)
 	}
@@ -224,7 +223,7 @@ func TestFailedExpand(t *testing.T) {
 func TestSuccessfulGetAsset(t *testing.T) {
 	t.Parallel()
 
-	tmpFile, err := ioutil.TempFile(os.TempDir(), "asset_test_get_invalid_asset.db")
+	tmpFile, err := os.CreateTemp(os.TempDir(), "asset_test_get_invalid_asset.db")
 	if err != nil {
 		t.Fatalf("unable to create test boltdb file: %v", err)
 	}

asset/expander.go

@@ -1,11 +1,14 @@
 package asset
 
 import (
+	"archive/tar"
+	"compress/gzip"
 	"errors"
 	"fmt"
 	"io"
-
-	archiver "github.com/mholt/archiver/v3"
+	"os"
+	"path/filepath"
+	"strings"
 
 	filetype "gopkg.in/h2non/filetype.v1"
 	filetype_types "gopkg.in/h2non/filetype.v1/types"
@@ -45,32 +48,105 @@ func (a *archiveExpander) Expand(archive io.ReadSeeker, targetDirectory string)
 		return err
 	}
 
-	var ar archiver.Unarchiver
+	namer, ok := archive.(namer)
+	if !ok {
+		return errors.New("couldn't get path to archive")
+	}
 
 	// If the file is not an archive, exit with an error.
 	switch ft.MIME.Value {
 	case "application/x-tar":
-		ar = archiver.NewTar()
+		if err := extractTar(namer.Name(), targetDirectory); err != nil {
+			return fmt.Errorf("error extracting asset: %s", err)
+		}
 	case "application/gzip":
-		ar = archiver.NewTarGz()
-
+		if err := extractTarGz(namer.Name(), targetDirectory); err != nil {
+			return fmt.Errorf("error extracting asset: %s", err)
+		}
 	default:
 		return fmt.Errorf(
 			"given file of format '%s' does not appear valid",
 			ft.MIME.Value,
 		)
 	}
 
-	namer, ok := archive.(namer)
-	if !ok {
-		return errors.New("couldn't get path to archive")
+	return nil
+}
+
+// extractTar extracts a tar archive at srcPath into destDir.
+func extractTar(srcPath, destDir string) error {
+	f, err := os.Open(srcPath)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+	return untar(f, destDir)
+}
+
+// extractTarGz extracts a gzip-compressed tar archive at srcPath into destDir.
+func extractTarGz(srcPath, destDir string) error {
+	f, err := os.Open(srcPath)
+	if err != nil {
+		return err
 	}
+	defer f.Close()
 
-	// Extract the archive to the desired path
-	if err := ar.Unarchive(namer.Name(), targetDirectory); err != nil {
-		return fmt.Errorf("error extracting asset: %s", err)
+	gr, err := gzip.NewReader(f)
+	if err != nil {
+		return err
 	}
+	defer gr.Close()
 
+	return untar(gr, destDir)
+}
+
+// untar reads a tar stream and extracts files into destDir.
+func untar(r io.Reader, destDir string) error {
+	tr := tar.NewReader(r)
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+
+		// Sanitize the name to prevent path traversal.
+		cleanName := filepath.Clean(hdr.Name)
+		if strings.HasPrefix(cleanName, "..") {
+			return fmt.Errorf("invalid file path in archive: %s", hdr.Name)
+		}
+
+		target := filepath.Join(destDir, cleanName)
+
+		switch hdr.Typeflag {
+		case tar.TypeDir:
+			if err := os.MkdirAll(target, os.FileMode(hdr.Mode)); err != nil {
+				return err
+			}
+		case tar.TypeReg:
+			if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+				return err
+			}
+			outFile, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, os.FileMode(hdr.Mode))
+			if err != nil {
+				return err
+			}
+			if _, err := io.Copy(outFile, tr); err != nil {
+				outFile.Close()
+				return err
+			}
+			outFile.Close()
+		case tar.TypeSymlink:
+			if err := os.MkdirAll(filepath.Dir(target), 0755); err != nil {
+				return err
+			}
+			if err := os.Symlink(hdr.Linkname, target); err != nil {
+				return err
+			}
+		}
+	}
 	return nil
 }
 

asset/fetcher.go

@@ -7,7 +7,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"strings"
@@ -47,7 +46,7 @@ func httpGet(ctx context.Context, path, trustedCAFile string, headers map[string
 			rootCAs = x509.NewCertPool()
 		}
 
-		certs, err := ioutil.ReadFile(trustedCAFile)
+		certs, err := os.ReadFile(trustedCAFile)
 		if err != nil {
 			logger.WithError(err).Errorf("failed to read trusted CA file: %s", trustedCAFile)
 		}