Fix code scanning alert no. 11: Uncontrolled data used in path expres…

…sion Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
dadav · Dec 28, 2024 · fdb5949 · fdb5949
1 parent 2c75ecd
commit fdb5949
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/internal/v3/backend/filesystem.go b/internal/v3/backend/filesystem.go
@@ -161,6 +161,11 @@ func (s *FilesystemBackend) AddRelease(releaseData []byte) (*gen.Release, error)
 		return nil, err
 	}
 
+	// Validate metadata.Name to ensure it does not contain path separators or parent directory references
+	if strings.Contains(metadata.Name, "/") || strings.Contains(metadata.Name, "\\") || strings.Contains(metadata.Name, "..") {
+		return nil, errors.New("invalid module name")
+	}
+
 	releaseSlug := fmt.Sprintf("%s-%s", metadata.Name, metadata.Version)
 	if !utils.CheckReleaseSlug(releaseSlug) {
 		return nil, errors.New("invalid release slug")