diff --git a/go.mod b/go.mod
index 763ed1eb..454595d1 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.22.7
 require (
 github.com/Defacto2/archive v1.0.3
 github.com/Defacto2/helper v1.1.3
- github.com/Defacto2/magicnumber v1.0.2
+ github.com/Defacto2/magicnumber v1.0.3
 github.com/Defacto2/releaser v1.0.4
 github.com/caarlos0/env/v11 v11.2.2
 github.com/carlmjohnson/versioninfo v0.22.5
diff --git a/go.sum b/go.sum
index c5b6b2b7..b8cf9017 100644
--- a/go.sum
+++ b/go.sum
@@ -73,8 +73,8 @@ github.com/Defacto2/archive v1.0.3 h1:7iidbFf3yBJ0e2XWsx/uhB4ciWysE5nMejzRCQSgop
 github.com/Defacto2/archive v1.0.3/go.mod h1:1nM/bBCir4nz1t/HFYnZk9tXc/yaWzJTEu1+CDoGyUE=
 github.com/Defacto2/helper v1.1.3 h1:BS7PqOR31AtXC+BTKM9oL2OE+NLrdLqd8xyBxwAsCps=
 github.com/Defacto2/helper v1.1.3/go.mod h1:IikMmXvNy3uOcLk4/cEi9mb+xcx8AHPsSmVGd8SKpB0=
-github.com/Defacto2/magicnumber v1.0.2 h1:zElw+GCZiS0n4xta6g7WDp9ovx1RZKRYL+q9zj0l4dk=
-github.com/Defacto2/magicnumber v1.0.2/go.mod h1:U64FNRfNyv5tBE6jPU00ortSbrIAVO5V34tZFwaeA3s=
+github.com/Defacto2/magicnumber v1.0.3 h1:XOQA3Zsx7C78bultofaSdeUuw8busZx7YnkHly6PGbU=
+github.com/Defacto2/magicnumber v1.0.3/go.mod h1:U64FNRfNyv5tBE6jPU00ortSbrIAVO5V34tZFwaeA3s=
 github.com/Defacto2/releaser v1.0.4 h1:dM7epo3Rk+l2NAH4/dMHzo9QCIC6VejhptlhPUtfg3U=
 github.com/Defacto2/releaser v1.0.4/go.mod h1:Jt9HqJDl4ol1oKFb2efvO+8d8buFwSYfn/Trh7O3oLw=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
diff --git a/internal/command/command.go b/internal/command/command.go
index 9add37c5..04164690 100644
--- a/internal/command/command.go
+++ b/internal/command/command.go
@@ -43,6 +43,7 @@ var (
 ErrIsDir = errors.New("file is a directory")
 ErrIsFile = errors.New("directory path points to a file")
 ErrMatch = errors.New("no match value is present")
+ ErrPath = errors.New("path is not permitted")
 ErrVers = errors.New("version mismatch")
 ErrZap = errors.New("zap logger instance is nil")
 )
diff --git a/internal/command/images.go b/internal/command/images.go index f5b3404c..bb27b473 100644 --- a/internal/command/images.go +++ b/internal/command/images.go @@ -12,6 +12,7 @@ import ( "os" "path/filepath" "slices" + "strings" "sync" "github.com/Defacto2/helper" @@ -308,18 +309,21 @@ func (dir Dirs) PictureImager(debug *zap.SugaredLogger, src, unid string) error // can be used by the ANSILOVE command to create a PNG image. 80 columns and 29 rows are // works well with a 400x400 pixel thumbnail. func TextCrop(src, dst string) error { + if !validDst(dst) { + return fmt.Errorf("text crop dst %w", ErrPath) + } srcFile, err := os.Open(src) if err != nil { - return fmt.Errorf("write 80x29 open %w", err) + return fmt.Errorf("text crop open %w", err) } defer srcFile.Close() - if magicnumber.Ansi(srcFile) { + if magicnumber.CSI(srcFile) { return nil } dstFile, err := os.Create(dst) if err != nil { - return fmt.Errorf("write 80x29 create %w", err) + return fmt.Errorf("text crop create %w", err) } defer dstFile.Close() @@ -348,7 +352,7 @@ func TextCrop(src, dst string) error { } _, err := writer.WriteString(line + "\n") if err != nil { - return fmt.Errorf("write 80x29 writer string %w", err) + return fmt.Errorf("text crop writer string %w", err) } // intentionally skip the first line in a file // as sometimes these contain non-printable characters and control codes. @@ -359,11 +363,20 @@ func TextCrop(src, dst string) error { rowCount++ } if err := scanner.Err(); err != nil { - return fmt.Errorf("write 80x29 scanner %w", err) + return fmt.Errorf("text crop scanner %w", err) } return nil } +func validDst(name string) bool { + tempDir := os.TempDir() + if absPath, err := filepath.Abs(filepath.Join(tempDir, name)); err != nil || + !strings.HasPrefix(absPath, tempDir) { + return false + } + return true +} + func textCropper(src, unid string) (string, error) { path, err := helper.MkContent(src + "-textimager") if err != nil {
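Review bot: validDst checks a different path from the one TextCrop opens, so the new guard does not confine the write to the temp directory. It validates `filepath.Join(tempDir, name)`, and Join of an absolute `name` always lands under tempDir, while `os.Create(dst)` in the `@@ -308,18 +309,21 @@` hunk receives the original string; the bare `strings.HasPrefix(absPath, tempDir)` also accepts a sibling directory whose name merely begins with the temp path. Resolve `name` itself and compare it with the cleaned temp root using `filepath.Rel` and `filepath.IsLocal` (both available at the module's go 1.22.7), as sketched below. Symlinks inside the temp directory are still followed by os.Create, and the callers that build dst are outside this diff, so confirm they pass paths this stricter check accepts.

```go
func validDst(name string) bool {
	root := filepath.Clean(os.TempDir())
	// Validate the path that os.Create will actually receive.
	abs, err := filepath.Abs(name)
	if err != nil {
		return false
	}
	rel, err := filepath.Rel(root, abs)
	if err != nil {
		return false
	}
	// Reject the root itself and anything that climbs out of it via "..".
	return rel != "." && filepath.IsLocal(rel)
}
```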