Fix path traversal vulnerabilities in update-readme tool

Add input validation to prevent path traversal attacks in the
update-readme internal tool:
- Clean file path using filepath.Clean to remove path traversal sequences
- Validate that only README.md files can be updated
- Add argument count validation

This fixes Snyk code scan findings:
- MEDIUM severity path traversal in os.ReadFile (line 28)
- MEDIUM severity path traversal in os.WriteFile (line 84)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: harche

internal/tools/update-readme/main.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"maps"
 	"os"
+	"path/filepath"
 	"slices"
 	"strings"
 
@@ -25,7 +26,16 @@ func (o *OpenShift) IsOpenShift(ctx context.Context) bool {
 var _ internalk8s.Openshift = (*OpenShift)(nil)
 
 func main() {
-	readme, err := os.ReadFile(os.Args[1])
+	if len(os.Args) < 2 {
+		panic("Usage: update-readme <path-to-readme>")
+	}
+
+	readmePath, err := resolveReadmePath(os.Args[1])
+	if err != nil {
+		panic(err)
+	}
+
+	readme, err := os.ReadFile(readmePath)
 	if err != nil {
 		panic(err)
 	}
@@ -81,11 +91,57 @@ func main() {
 		toolsetTools.String(),
 	)
 
-	if err := os.WriteFile(os.Args[1], []byte(updated), 0o644); err != nil {
+	if err := os.WriteFile(readmePath, []byte(updated), 0o644); err != nil {
 		panic(err)
 	}
 }
 
+func resolveReadmePath(arg string) (string, error) {
+	// Sanitize the file path to prevent path traversal
+	cleanPath := filepath.Clean(arg)
+
+	// Validate that the file path is README.md to prevent arbitrary file access
+	if filepath.Base(cleanPath) != "README.md" {
+		return "", fmt.Errorf("Error: This tool can only update README.md files")
+	}
+
+	repoRoot, err := os.Getwd()
+	if err != nil {
+		return "", fmt.Errorf("determine working directory: %w", err)
+	}
+
+	absoluteRepoRoot, err := filepath.Abs(repoRoot)
+	if err != nil {
+		return "", fmt.Errorf("resolve working directory: %w", err)
+	}
+
+	resolvedRepoRoot, err := filepath.EvalSymlinks(absoluteRepoRoot)
+	if err != nil {
+		resolvedRepoRoot = absoluteRepoRoot
+	}
+
+	absoluteReadmePath, err := filepath.Abs(cleanPath)
+	if err != nil {
+		return "", fmt.Errorf("resolve README path: %w", err)
+	}
+
+	resolvedReadmePath, err := filepath.EvalSymlinks(absoluteReadmePath)
+	if err != nil {
+		return "", fmt.Errorf("resolve README path: %w", err)
+	}
+
+	relativePath, err := filepath.Rel(resolvedRepoRoot, resolvedReadmePath)
+	if err != nil {
+		return "", fmt.Errorf("determine README location: %w", err)
+	}
+
+	if relativePath == ".." || strings.HasPrefix(relativePath, ".."+string(os.PathSeparator)) {
+		return "", fmt.Errorf("Error: README path must stay within repository root")
+	}
+
+	return resolvedReadmePath, nil
+}
+
 func replaceBetweenMarkers(content, startMarker, endMarker, replacement string) string {
 	startIdx := strings.Index(content, startMarker)
 	if startIdx == -1 {