

Merge pull request #40 from dadav/alert-autofix-11
Fix code scanning alert no. 11: Uncontrolled data used in path expression
dadav authored Dec 28, 2024
2 parents 2c75ecd + fdb5949 commit 1261f9b
Showing 1 changed file with 5 additions and 0 deletions.
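--- a/internal/v3/backend/filesystem.go
+++ b/internal/v3/backend/filesystem.go
@@ -161,6 +161,11 @@ func (s *FilesystemBackend) AddRelease(releaseData []byte) (*gen.Release, error)
 return nil, err
 }
 
+// Validate metadata.Name to ensure it does not contain path separators or parent directory references
+if strings.Contains(metadata.Name, "/") || strings.Contains(metadata.Name, "\\") || strings.Contains(metadata.Name, "..") {
+return nil, errors.New("invalid module name")
+}
+
 releaseSlug := fmt.Sprintf("%s-%s", metadata.Name, metadata.Version)
 if !utils.CheckReleaseSlug(releaseSlug) {
 return nil, errors.New("invalid release slug")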
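Review bot: The new denylist in AddRelease rejects separators and `..` but still accepts an empty name and the bare `.`, both of which resolve to the parent directory when the name is later joined into a path, so the guard should be `if metadata.Name == "" || metadata.Name == "." || strings.Contains(metadata.Name, "/") || strings.Contains(metadata.Name, "\\") || strings.Contains(metadata.Name, "..") {`. A denylist is also easy to outgrow; an allowlist regexp matching the module naming rules the project already enforces would be the more durable check, and if `utils.CheckReleaseSlug` on the following line already applies one, a comment saying so would make the new check's purpose clear. metadata.Version is concatenated into the same slug and gets no equivalent check here; whether that is safe depends on what CheckReleaseSlug validates, which is outside this hunk. AddRelease's body begins before and continues after the hunk.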

