Sanitize Patterns, Licenses 2025-07-29

Signed-off-by: Julio Jimenez <julio@clickhouse.com>

Author: juliojimenez

README.md

@@ -137,7 +137,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -180,7 +180,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -234,7 +234,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -299,7 +299,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -363,7 +363,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -405,7 +405,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -459,7 +459,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Merge Production SBOMs Only
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
@@ -514,7 +514,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM from Mend
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
           aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}
@@ -565,7 +565,7 @@ jobs:
           aws-region: us-east-1
 
       - name: Upload SBOM from Wiz
-        uses: ClickHouse/ClickBom@v1.0.5
+        uses: ClickHouse/ClickBom@v1.0.6
         with:
           aws-access-key-id: ${{ steps.aws-creds.outputs.aws-access-key-id }}
           aws-secret-access-key: ${{ steps.aws-creds.outputs.aws-secret-access-key }}

lib/sanitize.sh

@@ -196,6 +196,12 @@ sanitize_patterns() {
         # Remove dangerous characters but keep wildcards
         local sanitized_pattern
         sanitized_pattern=$(echo "$pattern" | sed 's/[^a-zA-Z0-9.*_-]//g')
+
+        # Prevent directory traversal patterns
+        if [[ "$sanitized_pattern" =~ (\.\./|^\./) ]]; then
+            log_error "Invalid pattern: $pattern contains directory traversal sequences"
+            exit 1
+        fi
 
         if [[ -n "$sanitized_pattern" ]]; then
             sanitized_patterns+=("$sanitized_pattern")

test/simple.bats

@@ -755,4 +755,11 @@ EOF
     run sanitize_patterns "*.json"
     [ "$status" -eq 0 ]
     [[ "$output" == "*.json" ]]
+}
+
+# Test 86: sanitize_patterns rejects patterns with directory traversal
+@test "sanitize_patterns rejects patterns with directory traversal" {
+    run sanitize_patterns "../test.json,./test.txt"
+    [ "$status" -eq 1 ]
+    [[ "$output" =~ Invalid pattern: ../test.json contains directory traversal sequences ]]
 }