From 272f9b5c9fe14965f80cc65a2d8fa2ee09bf4cd3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 28 Apr 2023 03:07:43 +0000 Subject: [PATCH 1/5] Bump github.com/essentialkaos/ek/v12 from 12.64.1 to 12.65.0 Bumps [github.com/essentialkaos/ek/v12](https://github.com/essentialkaos/ek) from 12.64.1 to 12.65.0. - [Release notes](https://github.com/essentialkaos/ek/releases) - [Changelog](https://github.com/essentialkaos/ek/blob/master/CHANGELOG.md) - [Commits](https://github.com/essentialkaos/ek/compare/v12.64.1...v12.65.0) --- updated-dependencies: - dependency-name: github.com/essentialkaos/ek/v12 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 4294ed4..edf001a 100644 --- a/go.mod +++ b/go.mod @@ -5,7 +5,7 @@ go 1.19 require ( github.com/cyphar/filepath-securejoin v0.2.3 github.com/essentialkaos/check v1.4.0 - github.com/essentialkaos/ek/v12 v12.64.1 + github.com/essentialkaos/ek/v12 v12.65.0 github.com/klauspost/compress v1.16.5 github.com/pierrec/lz4/v4 v4.1.17 github.com/ulikunitz/xz v0.5.11 diff --git a/go.sum b/go.sum index 187ce23..6be8980 100644 --- a/go.sum +++ b/go.sum 
@@ -3,8 +3,8 @@ github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/essentialkaos/check v1.4.0 h1:kWdFxu9odCxUqo1NNFNJmguGrDHgwi3A8daXX1nkuKk= github.com/essentialkaos/check v1.4.0/go.mod h1:LMKPZ2H+9PXe7Y2gEoKyVAwUqXVgx7KtgibfsHJPus0= -github.com/essentialkaos/ek/v12 v12.64.1 h1:XjIF4GHCgVIY0S0KEz8g1OrNrRoHGU+vAUXSYIKNIbI= -github.com/essentialkaos/ek/v12 v12.64.1/go.mod h1:PFJckNu+x4mHqsjndUeYRDPgDgvZEgcjpy1RpCYtx4g= +github.com/essentialkaos/ek/v12 v12.65.0 h1:OYs8HrVxzzG8CYW9s2wc6Ihfg+ZAnMGB94xzVEC+NMU= +github.com/essentialkaos/ek/v12 v12.65.0/go.mod h1:PFJckNu+x4mHqsjndUeYRDPgDgvZEgcjpy1RpCYtx4g= github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= From a56c20b9951a49280e0a99242aafc5c45109648b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 May 2023 03:02:00 +0000 Subject: [PATCH 2/5] Bump github.com/essentialkaos/ek/v12 from 12.65.0 to 12.66.0 Bumps [github.com/essentialkaos/ek/v12](https://github.com/essentialkaos/ek) from 12.65.0 to 12.66.0. - [Release notes](https://github.com/essentialkaos/ek/releases) - [Changelog](https://github.com/essentialkaos/ek/blob/master/CHANGELOG.md) - [Commits](https://github.com/essentialkaos/ek/compare/v12.65.0...v12.66.0) --- updated-dependencies: - dependency-name: github.com/essentialkaos/ek/v12 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index edf001a..8449997 100644 --- a/go.mod +++ b/go.mod 
@@ -5,7 +5,7 @@ go 1.19 require ( github.com/cyphar/filepath-securejoin v0.2.3 github.com/essentialkaos/check v1.4.0 - github.com/essentialkaos/ek/v12 v12.65.0 + github.com/essentialkaos/ek/v12 v12.66.0 github.com/klauspost/compress v1.16.5 github.com/pierrec/lz4/v4 v4.1.17 github.com/ulikunitz/xz v0.5.11 diff --git a/go.sum b/go.sum index 6be8980..59bb20d 100644 --- a/go.sum +++ b/go.sum @@ -3,8 +3,8 @@ github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/essentialkaos/check v1.4.0 h1:kWdFxu9odCxUqo1NNFNJmguGrDHgwi3A8daXX1nkuKk= github.com/essentialkaos/check v1.4.0/go.mod h1:LMKPZ2H+9PXe7Y2gEoKyVAwUqXVgx7KtgibfsHJPus0= -github.com/essentialkaos/ek/v12 v12.65.0 h1:OYs8HrVxzzG8CYW9s2wc6Ihfg+ZAnMGB94xzVEC+NMU= -github.com/essentialkaos/ek/v12 v12.65.0/go.mod h1:PFJckNu+x4mHqsjndUeYRDPgDgvZEgcjpy1RpCYtx4g= +github.com/essentialkaos/ek/v12 v12.66.0 h1:g/eg9IPKFDYHt0v5qB3b9pBeSSZ+N7gJdxdOLXIPFLA= +github.com/essentialkaos/ek/v12 v12.66.0/go.mod h1:PFJckNu+x4mHqsjndUeYRDPgDgvZEgcjpy1RpCYtx4g= github.com/klauspost/compress v1.16.5 h1:IFV2oUNUzZaz+XyusxpLzpzS8Pt5rh0Z16For/djlyI= github.com/klauspost/compress v1.16.5/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= From 2f9cfe12674eb50ac7bf187af4b19b8d6d5d93fb Mon Sep 17 00:00:00 2001 
From: Anton Novojilov Date: Sat, 6 May 2023 02:14:58 +0300 Subject: [PATCH 3/5] Code refactoring --- Makefile | 8 +++--- bz2/bz2.go | 4 +-- go.mod | 1 - go.sum | 2 -- gz/gz.go | 4 +-- lz4/lz4.go | 4 +-- tar/tar.go | 6 ++--- utils/utils.go | 57 +++++++++++++++++++++++++++++++++++++++++ utils/utils_test.go | 62 +++++++++++++++++++++++++++++++++++++++++++++ xz/xz.go | 4 +-- zip/zip.go | 4 +-- zst/zst.go | 4 +-- 12 files changed, 138 insertions(+), 22 deletions(-) create mode 100644 utils/utils.go create mode 100644 utils/utils_test.go diff --git a/Makefile b/Makefile index 91cd083..c1d1732 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ ################################################################################ -# This Makefile generated by GoMakeGen 2.1.0 using next command: +# This Makefile generated by GoMakeGen 2.2.0 using next command: # gomakegen --mod . # # More info: https://kaos.sh/gomakegen @@ -33,9 +33,9 @@ vendor: mod-vendor ## Make vendored copy of dependencies test: ## Run tests ifdef COVERAGE_FILE ## Save coverage data into file (String) - go test $(VERBOSE_FLAG) -covermode=count -coverprofile=$(COVERAGE_FILE) ./. ./bz2 ./gz ./tar ./tbz2 ./tgz ./txz ./tzst ./xz ./zip ./zst + go test $(VERBOSE_FLAG) -covermode=count -coverprofile=$(COVERAGE_FILE) ./. ./bz2 ./gz ./lz4 ./tar ./tbz2 ./tgz ./tlz4 ./txz ./tzst ./utils ./xz ./zip ./zst else - go test $(VERBOSE_FLAG) -covermode=count ./. ./bz2 ./gz ./tar ./tbz2 ./tgz ./txz ./tzst ./xz ./zip ./zst + go test $(VERBOSE_FLAG) -covermode=count ./. ./bz2 ./gz ./lz4 ./tar ./tbz2 ./tgz ./tlz4 ./txz ./tzst ./utils ./xz ./zip ./zst endif mod-init: @@ -87,6 +87,6 @@ help: ## Show this info | sed 's/ifdef //' \ | awk 'BEGIN {FS = " .*?## "}; {printf " \033[32m%-14s\033[0m %s\n", $$1, $$2}' @echo -e '' - @echo -e '\033[90mGenerated by GoMakeGen 2.1.0\033[0m\n' + @echo -e '\033[90mGenerated by GoMakeGen 2.2.0\033[0m\n' ################################################################################ 
diff --git a/bz2/bz2.go b/bz2/bz2.go index 83cd5a5..254dd19 100644 --- a/bz2/bz2.go +++ b/bz2/bz2.go @@ -17,7 +17,7 @@ import ( "path/filepath" "strings" - securejoin "github.com/cyphar/filepath-securejoin" + "github.com/essentialkaos/npck/utils" ) // ////////////////////////////////////////////////////////////////////////////////// // @@ -42,7 +42,7 @@ func Unpack(file, dir string) error { output := strings.TrimSuffix(filepath.Base(file), ".bz2") output = strings.TrimSuffix(output, ".BZ2") - path, err := securejoin.SecureJoin(dir, output) + path, err := utils.Join(dir, output) if err != nil { return err diff --git a/go.mod b/go.mod index 4294ed4..f4253d5 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,6 @@ module github.com/essentialkaos/npck go 1.19 require ( - github.com/cyphar/filepath-securejoin v0.2.3 github.com/essentialkaos/check v1.4.0 github.com/essentialkaos/ek/v12 v12.64.1 github.com/klauspost/compress v1.16.5 diff --git a/go.sum b/go.sum index 187ce23..1d1f95c 100644 --- a/go.sum +++ b/go.sum @@ -1,6 +1,4 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/cyphar/filepath-securejoin v0.2.3 h1:YX6ebbZCZP7VkM3scTTokDgBL2TY741X51MTk3ycuNI= -github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/essentialkaos/check v1.4.0 h1:kWdFxu9odCxUqo1NNFNJmguGrDHgwi3A8daXX1nkuKk= github.com/essentialkaos/check v1.4.0/go.mod h1:LMKPZ2H+9PXe7Y2gEoKyVAwUqXVgx7KtgibfsHJPus0= github.com/essentialkaos/ek/v12 v12.64.1 h1:XjIF4GHCgVIY0S0KEz8g1OrNrRoHGU+vAUXSYIKNIbI= diff --git a/gz/gz.go b/gz/gz.go index 4562429..179f91e 100644 --- a/gz/gz.go +++ b/gz/gz.go @@ -18,7 +18,7 @@ import ( "github.com/klauspost/compress/gzip" - securejoin "github.com/cyphar/filepath-securejoin" + "github.com/essentialkaos/npck/utils" ) // ////////////////////////////////////////////////////////////////////////////////// // 
@@ -43,7 +43,7 @@ func Unpack(file, dir string) error { output := strings.TrimSuffix(filepath.Base(file), ".gz") output = strings.TrimSuffix(output, ".GZ") - path, err := securejoin.SecureJoin(dir, output) + path, err := utils.Join(dir, output) if err != nil { return err diff --git a/lz4/lz4.go b/lz4/lz4.go index 1b802de..bb102f4 100644 --- a/lz4/lz4.go +++ b/lz4/lz4.go @@ -18,7 +18,7 @@ import ( "github.com/pierrec/lz4/v4" - securejoin "github.com/cyphar/filepath-securejoin" + "github.com/essentialkaos/npck/utils" ) // ////////////////////////////////////////////////////////////////////////////////// // @@ -43,7 +43,7 @@ func Unpack(file, dir string) error { output := strings.TrimSuffix(filepath.Base(file), ".lz4") output = strings.TrimSuffix(output, ".LZ4") - path, err := securejoin.SecureJoin(dir, output) + path, err := utils.Join(dir, output) if err != nil { return err diff --git a/tar/tar.go b/tar/tar.go index f068bd1..80a73d5 100644 --- a/tar/tar.go +++ b/tar/tar.go @@ -17,7 +17,7 @@ import ( "path/filepath" "strings" - securejoin "github.com/cyphar/filepath-securejoin" + "github.com/essentialkaos/npck/utils" ) // ////////////////////////////////////////////////////////////////////////////////// // @@ -85,7 +85,7 @@ func Read(r io.Reader, dir string) error { return fmt.Errorf("Path \"%s\" contains directory traversal element and cannot be used", header.Name) } - path, err := securejoin.SecureJoin(dir, header.Name) + path, err := utils.Join(dir, header.Name) if err != nil { return err @@ -203,7 +203,7 @@ func isExternalLink(path, dir string) bool { return true } - realPath, err := securejoin.SecureJoin(dir, path) + realPath, err := utils.Join(dir, path) if err != nil { return true diff --git a/utils/utils.go b/utils/utils.go new file mode 100644 index 0000000..a17b1d3 --- /dev/null +++ b/utils/utils.go 
@@ -0,0 +1,57 @@
+// Package utils provides auxiliary methods for working with archives
+package utils
+
+// ////////////////////////////////////////////////////////////////////////////////// //
+// //
+// Copyright (c) 2023 ESSENTIAL KAOS //
+// Apache License, Version 2.0 //
+// //
+// ////////////////////////////////////////////////////////////////////////////////// //
+
+import (
+ "fmt"
+ "path/filepath"
+ "strings"
+ "syscall"
+)
+
+// ////////////////////////////////////////////////////////////////////////////////// //
+
+// Join joins all elements of path, makes lexical processing, and evaluating all symlinks.
+// Method returns error if final destination is not a child path of root.
+func Join(root string, elem ...string) (string, error) {
+ result, err := filepath.EvalSymlinks(root)
+
+ if err != nil {
+ result = root
+ } else {
+ root = result
+ }
+
+ for _, e := range elem {
+ result = filepath.Clean(result + "/" + e)
+
+ if isLink(result) {
+ result, err = filepath.EvalSymlinks(result)
+
+ if err != nil {
+ return "", fmt.Errorf("Can't eval symlinks: %w", err)
+ }
+ }
+ }
+
+ if !strings.HasPrefix(result, root) {
+ return "", fmt.Errorf("Final destination (%s) is outside root (%s)", result, root)
+ }
+
+ return result, nil
+}
+
+// ////////////////////////////////////////////////////////////////////////////////// //
+
+func isLink(path string) bool {
+ var buf = make([]byte, 1)
+ _, err := syscall.Readlink(path, buf)
+
+ return err == nil
+}
diff --git a/utils/utils_test.go b/utils/utils_test.go
new file mode 100644
index 0000000..e5a2ac8
--- /dev/null
+++ b/utils/utils_test.go
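Review bot: The containment check `if !strings.HasPrefix(result, root)` has no separator boundary, so a result under a sibling directory whose name merely starts with root's name is accepted as inside root; it should be `if result != root && !strings.HasPrefix(result, root+string(filepath.Separator))`, with `root = filepath.Clean(root)` in the fallback branch so a trailing slash on root does not break the comparison. The symlink handling is also weaker than the `securejoin.SecureJoin` this commit replaces in bz2, gz, lz4, tar, xz, zip and zst: `isLink(result)` is only consulted for the full lexical path, so when an element such as a tar header name has a directory component that is a symlink and its final component does not exist yet, `filepath.EvalSymlinks` never runs and the prefix check passes on a path that physically resolves elsewhere. The rewrite below resolves the longest existing ancestor before the check and re-appends the not-yet-existing tail; it needs `errors` and `io/fs` in the import block, leaves `isLink` unused, and should keep the existing `TestJoin` assertions passing. Like `SecureJoin`, this remains a point-in-time check, so callers that create files afterwards still depend on the tree not changing in between.
```go
func Join(root string, elem ...string) (string, error) {
	result, err := filepath.EvalSymlinks(root)

	if err != nil {
		// Root may not exist yet; normalise it so the boundary check below
		// compares cleaned paths on both sides.
		root = filepath.Clean(root)
		result = root
	} else {
		root = result
	}

	for _, e := range elem {
		result = filepath.Clean(result + "/" + e)
	}

	// Resolve the longest existing ancestor of the lexical result so a symlinked
	// intermediate component is reflected before containment is checked.
	result, err = evalExisting(result)

	if err != nil {
		return "", fmt.Errorf("Can't eval symlinks: %w", err)
	}

	// A bare prefix match would accept a sibling of root that shares its name
	// as a prefix; require equality or a separator boundary.
	if result != root && !strings.HasPrefix(result, root+string(filepath.Separator)) {
		return "", fmt.Errorf("Final destination (%s) is outside root (%s)", result, root)
	}

	return result, nil
}

// evalExisting evaluates symlinks in the longest existing prefix of path and
// re-appends the non-existing remainder lexically. Errors other than
// "does not exist" (including symlink loops) are returned as-is.
func evalExisting(path string) (string, error) {
	var tail []string

	for {
		resolved, err := filepath.EvalSymlinks(path)

		if err == nil {
			for i := len(tail) - 1; i >= 0; i-- {
				resolved = filepath.Join(resolved, tail[i])
			}

			return resolved, nil
		}

		if !errors.Is(err, fs.ErrNotExist) {
			return "", err
		}

		dir, last := filepath.Split(path)

		// Nothing left to strip (reached "/" or "."), so give up with the error.
		if last == "" {
			return "", err
		}

		tail = append(tail, last)
		path = filepath.Clean(dir)
	}
}
```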
@@ -0,0 +1,62 @@
+package utils
+
+// ////////////////////////////////////////////////////////////////////////////////// //
+// //
+// Copyright (c) 2023 ESSENTIAL KAOS //
+// Apache License, Version 2.0 //
+// //
+// ////////////////////////////////////////////////////////////////////////////////// //
+
+import (
+ "os"
+ "testing"
+
+ . "github.com/essentialkaos/check"
+)
+
+// ////////////////////////////////////////////////////////////////////////////////// //
+
+func Test(t *testing.T) { TestingT(t) }
+
+// ////////////////////////////////////////////////////////////////////////////////// //
+
+type UtilsSuite struct{}
+
+var _ = Suite(&UtilsSuite{})
+
+// ////////////////////////////////////////////////////////////////////////////////// //
+
+func (s *UtilsSuite) TestJoin(c *C) {
+ p, err := Join("/test", "myapp")
+ c.Assert(err, IsNil)
+ c.Assert(p, Equals, "/test/myapp")
+
+ p, err = Join("/test", "myapp/config/../global.cfg")
+ c.Assert(err, IsNil)
+ c.Assert(p, Equals, "/test/myapp/global.cfg")
+
+ p, err = Join("/unknown", "myapp/config/../global.cfg")
+ c.Assert(err, IsNil)
+ c.Assert(p, Equals, "/unknown/myapp/global.cfg")
+
+ tmpDir := c.MkDir()
+ os.Mkdir(tmpDir+"/test", 0755)
+ os.Symlink(tmpDir+"/test", tmpDir+"/testlink")
+ testDir := tmpDir + "/testlink"
+
+ os.Symlink(testDir+"/test.log", testDir+"/test1.link")
+ os.WriteFile(testDir+"/test.log", []byte("\n"), 0644)
+ os.Symlink(testDir+"/test.log", testDir+"/test1.link")
+ os.Symlink("/etc", testDir+"/test2.link")
+ os.Symlink(testDir+"/test3.link", testDir+"/test3.link")
+
+ p, err = Join(testDir, "mytest/../test1.link")
+ c.Assert(err, IsNil)
+ c.Assert(p, Matches, "*/test/test.log")
+
+ p, err = Join(testDir, "mytest/../test2.link")
+ c.Assert(err, NotNil)
+
+ p, err = Join(testDir, "mytest/../test3.link")
+ c.Assert(err, NotNil)
+}
diff --git a/xz/xz.go b/xz/xz.go
index 041fb70..5d9cbab 100644
--- a/xz/xz.go
+++ b/xz/xz.go
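Review bot: The setup calls in `TestJoin` discard their errors, and `os.Symlink(testDir+"/test.log", testDir+"/test1.link")` appears twice (before and after the `os.WriteFile`), so the second call fails with an already-exists error that is silently dropped; remove the duplicate and assert each setup step, e.g. `c.Assert(os.Symlink(testDir+"/test.log", testDir+"/test1.link"), IsNil)`, so a fixture problem is not mistaken for a `Join` result. Two cases the suite does not exercise are a result under a sibling of root whose name shares root's name as a prefix, and an element whose directory component is a symlink to a location outside root while its final component does not exist yet; both should be asserted to return a non-nil error. `Matches` takes a regular expression rather than a glob, so `"*/test/test.log"` appears to pass only because the engine tolerates a leading `*`; `".*/test/test\\.log"` states the intent.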
@@ -18,7 +18,7 @@ import ( "github.com/ulikunitz/xz" - securejoin "github.com/cyphar/filepath-securejoin" + "github.com/essentialkaos/npck/utils" ) // ////////////////////////////////////////////////////////////////////////////////// // @@ -43,7 +43,7 @@ func Unpack(file, dir string) error { output := strings.TrimSuffix(filepath.Base(file), ".xz") output = strings.TrimSuffix(output, ".XZ") - path, err := securejoin.SecureJoin(dir, output) + path, err := utils.Join(dir, output) if err != nil { return err diff --git a/zip/zip.go b/zip/zip.go index e066b3b..ce6e69e 100644 --- a/zip/zip.go +++ b/zip/zip.go @@ -17,7 +17,7 @@ import ( "github.com/klauspost/compress/zip" - securejoin "github.com/cyphar/filepath-securejoin" + "github.com/essentialkaos/npck/utils" ) // ////////////////////////////////////////////////////////////////////////////////// // @@ -66,7 +66,7 @@ func Read(r io.ReaderAt, dir string) error { } info := header.FileInfo() - path, err := securejoin.SecureJoin(dir, header.Name) + path, err := utils.Join(dir, header.Name) if err != nil { return err diff --git a/zst/zst.go b/zst/zst.go index c5a7418..7b3717d 100644 --- a/zst/zst.go +++ b/zst/zst.go @@ -18,7 +18,7 @@ import ( "github.com/klauspost/compress/zstd" - securejoin "github.com/cyphar/filepath-securejoin" + "github.com/essentialkaos/npck/utils" ) // ////////////////////////////////////////////////////////////////////////////////// // @@ -43,7 +43,7 @@ func Unpack(file, dir string) error { output := strings.TrimSuffix(filepath.Base(file), ".zst") output = strings.TrimSuffix(output, ".ZST") - path, err := securejoin.SecureJoin(dir, output) + path, err := utils.Join(dir, output) if err != nil { return err From b5415d13ad65e791a9fb766824cd3b175e49b098 Mon Sep 17 00:00:00 2001 
From: Anton Novojilov Date: Sat, 6 May 2023 02:21:52 +0300 Subject: [PATCH 4/5] Add codeclimate badge --- .codeclimate.yml | 39 +++++++++++++++++++++++++++++++++++++++ README.md | 9 ++++++--- 2 files changed, 45 insertions(+), 3 deletions(-) create mode 100644 .codeclimate.yml diff --git a/.codeclimate.yml b/.codeclimate.yml new file mode 100644 index 0000000..16f4324 --- /dev/null +++ b/.codeclimate.yml @@ -0,0 +1,39 @@ +version: "2" + +checks: + argument-count: + enabled: true + config: + threshold: 6 + complex-logic: + enabled: true + config: + threshold: 6 + file-lines: + enabled: true + config: + threshold: 1000 + method-complexity: + enabled: true + config: + threshold: 8 + method-count: + enabled: true + config: + threshold: 20 + method-lines: + enabled: true + config: + threshold: 100 + nested-control-flow: + enabled: true + config: + threshold: 6 + return-statements: + enabled: true + config: + threshold: 6 + similar-code: + enabled: false + identical-code: + enabled: false diff --git a/README.md b/README.md index 4ff61a5..475aae6 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,14 @@

- PkgGoDev + PkgGoDev + GoReportCard + Code Climate Maintainability + Codebeat badge +
+ Coverage Status GitHub Actions CI Status GitHub Actions CodeQL Status - Coverage Status - Codebeat badge

From d5f27954760b19aee5d8eadbc41c02df2a089fa1 Mon Sep 17 00:00:00 2001 From: Anton Novojilov Date: Sat, 6 May 2023 02:26:35 +0300 Subject: [PATCH 5/5] Add codeclimate badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 475aae6..2f609c1 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@

PkgGoDev GoReportCard - Code Climate Maintainability + Code Climate Maintainability Codebeat badge
Coverage Status