fix: Golang security checks by gosec #304

soulteary · Apr 23, 2023 · bada84d · bada84d
1 parent c309f0a
commit bada84d
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/internal/updater/updater.go b/internal/updater/updater.go
@@ -77,7 +77,9 @@ func ScanFiles(rootDir string) ([]string, error) {
 		if info.IsDir() {
 			return nil
 		}
-		if strings.HasSuffix(path, ".conf") {
+
+		file := filepath.Clean(path)
+		if strings.HasPrefix(file, rootDir) && strings.HasSuffix(file, ".conf") {
 			_, err := os.ReadFile(path)
 			if err != nil {
 				return err
@@ -97,12 +99,18 @@ func UpdateConfInDir(rootDir string, outputDir string, indent int, indentChar st
 	if err != nil {
 		return err
 	}
-	for _, file := range files {
+	for _, src := range files {
+		file := filepath.Clean(src)
+		if !strings.HasPrefix(file, rootDir) {
+			continue
+		}
+
 		buf, err := os.ReadFile(file)
 		if err != nil {
 			fmt.Printf("Formatter Nginx Conf %s failed, can not open the file\n", err)
 			return err
 		}
+
 		modifiedData, err := fn(FixVars(FixReturn(EncodeEscapeChars(string(buf)))), indent, indentChar)
 		if err != nil {
 			fmt.Printf("Formatter Nginx Conf %s failed, can not format the file\n", err)