
Commit 2516eac

harcheclaude
andcommitted
Fix path traversal vulnerabilities in update-readme tool
Add input validation to prevent path traversal attacks in the update-readme internal tool: - Clean file path using filepath.Clean to remove path traversal sequences - Validate that only README.md files can be updated - Add argument count validation This fixes Snyk code scan findings: - MEDIUM severity path traversal in os.ReadFile (line 28) - MEDIUM severity path traversal in os.WriteFile (line 84) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
1 parent 7107a24 commit 2516eac


1 file changed

+37
-2
lines changed
  • internal/tools/update-readme

1 file changed

+37
-2
lines changed

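--- a/internal/tools/update-readme/main.go
+++ b/internal/tools/update-readme/main.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"maps"
 	"os"
+	"path/filepath"
 	"slices"
 	"strings"
 
@@ -25,7 +26,12 @@ func (o *OpenShift) IsOpenShift(ctx context.Context) bool {
 var _ internalk8s.Openshift = (*OpenShift)(nil)
 
 func main() {
-	readme, err := os.ReadFile(os.Args[1])
+	readmePath, err := resolveReadmePath(os.Args[1:])
+	if err != nil {
+		panic(err)
+	}
+
+	readme, err := os.ReadFile(readmePath)
 	if err != nil {
 		panic(err)
 	}
@@ -81,11 +87,40 @@ func main() {
 		toolsetTools.String(),
 	)
 
-	if err := os.WriteFile(os.Args[1], []byte(updated), 0o644); err != nil {
+	if err := os.WriteFile(readmePath, []byte(updated), 0o644); err != nil {
 		panic(err)
 	}
 }
 
+func resolveReadmePath(args []string) (string, error) {
+	var requested string
+	switch len(args) {
+	case 0:
+		requested = "README.md"
+	case 1:
+		requested = args[0]
+	default:
+		return "", fmt.Errorf("Error: Provide at most one README.md argument")
+	}
+
+	cleanPath := filepath.Clean(requested)
+	if cleanPath != "README.md" {
+		return "", fmt.Errorf("Error: This tool can only update the repository root README.md")
+	}
+
+	repoRoot, err := os.Getwd()
+	if err != nil {
+		return "", fmt.Errorf("determine working directory: %w", err)
+	}
+
+	absoluteRepoRoot, err := filepath.Abs(repoRoot)
+	if err != nil {
+		return "", fmt.Errorf("resolve working directory: %w", err)
+	}
+
+	return filepath.Join(absoluteRepoRoot, "README.md"), nil
+}
+
 func replaceBetweenMarkers(content, startMarker, endMarker, replacement string) string {
 	startIdx := strings.Index(content, startMarker)
 	if startIdx == -1 {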
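Review bot: The rejection message in resolveReadmePath promises that only "the repository root README.md" can be updated, but nothing in the function checks that the working directory is a repository root — it only joins os.Getwd() with "README.md", so invoked from any directory it resolves (and main then rewrites) whatever README.md happens to sit there. If that guarantee is meant to hold, stat a repo marker before returning, e.g. `if _, err := os.Stat(filepath.Join(absoluteRepoRoot, "go.mod")); err != nil { return "", fmt.Errorf("not run from the repository root: %w", err) }`; otherwise reword the message to say the tool only touches README.md in the current directory. The two constant messages also break Go convention — capitalised, with an "Error:" prefix that panic(err) renders as `panic: Error: Provide …` — and use fmt.Errorf with no format verbs; `errors.New("provide at most one README.md argument")` is the idiomatic form (errors would need adding to the imports). filepath.Abs on the result of os.Getwd is a no-op because Getwd already returns an absolute path, so the second error branch can be dropped. A doc comment would help too: `// resolveReadmePath validates the optional CLI argument and returns the absolute path of README.md in the working directory; any argument other than README.md is rejected.`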
