fix: add zlib path validation; tighten up remaining file/directory permissions (#1337)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>

Author: egibs

pkg/action/scan_test.go

@@ -67,7 +67,7 @@ func TestCleanPath(t *testing.T) {
 			defer os.RemoveAll(tempDir)
 
 			nestedDir := filepath.Join(tempDir, "nested")
-			if err := os.Mkdir(nestedDir, 0o755); err != nil {
+			if err := os.Mkdir(nestedDir, 0o700); err != nil {
 				t.Fatalf("failed to create nested directory: %v", err)
 			}
 

pkg/archive/archive.go

@@ -129,7 +129,7 @@ func extractNestedArchive(ctx context.Context, c malcontent.Config, d string, f
 		archivePath = fmt.Sprintf("%s%d", archivePath, time.Now().UnixNano())
 	}
 
-	if err := os.MkdirAll(archivePath, 0o755); err != nil {
+	if err := os.MkdirAll(archivePath, 0o700); err != nil {
 		return fmt.Errorf("failed to create extraction directory: %w", err)
 	}
 

pkg/archive/symlink_test.go

@@ -80,7 +80,7 @@ func TestHandleSymlink(t *testing.T) {
 
 	// Write a file we can create a valid symlink for
 	targetFile := filepath.Join(tmpDir, "realfile.txt")
-	if err := os.WriteFile(targetFile, []byte("test"), 0o644); err != nil {
+	if err := os.WriteFile(targetFile, []byte("test"), 0o600); err != nil {
 		t.Fatalf("failed to create target file: %v", err)
 	}
 

pkg/archive/zlib.go

@@ -41,6 +41,10 @@ func ExtractZlib(ctx context.Context, d string, f string) error {
 	base := filepath.Base(f)
 	target := filepath.Join(d, base[:len(base)-len(filepath.Ext(base))])
 
+	if !IsValidPath(target, d) {
+		return fmt.Errorf("invalid zlib decompression file path: %s", target)
+	}
+
 	zr, err := zlib.NewReader(zf)
 	if err != nil {
 		return fmt.Errorf("failed to create zlib reader: %w", err)

pkg/compile/compile.go

@@ -248,7 +248,7 @@ func getCacheDir() (string, error) {
 		cacheDir = filepath.Join(os.TempDir(), "malcontent-cache")
 	}
 
-	if err := os.MkdirAll(cacheDir, 0o755); err != nil {
+	if err := os.MkdirAll(cacheDir, 0o700); err != nil {
 		return "", fmt.Errorf("create cache dir: %w", err)
 	}
 
@@ -274,7 +274,7 @@ func loadCachedRules(cacheFile string) (*yarax.Rules, error) {
 // saveCachedRules saves rules to a local file.
 func saveCachedRules(compiledRules *yarax.Rules, cacheFile string) error {
 	tmpFile := cacheFile + ".tmp"
-	f, err := os.OpenFile(tmpFile, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
+	f, err := os.OpenFile(tmpFile, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
 	if err != nil {
 		return fmt.Errorf("create cache file: %w", err)
 	}

pkg/profile/profile.go

@@ -57,7 +57,7 @@ func StartProfiling(ctx context.Context, config *Config) (*Profiler, error) {
 		cancel:   cancel,
 	}
 
-	if err := os.MkdirAll(config.OutputDir, 0o755); err != nil {
+	if err := os.MkdirAll(config.OutputDir, 0o700); err != nil {
 		return nil, fmt.Errorf("failed to create profile directory: %w", err)
 	}
 

pkg/refresh/action.go

@@ -55,7 +55,7 @@ func actionRefresh(ctx context.Context) ([]TestData, error) {
 			return nil, fmt.Errorf("special case input file not found: %s: %w", scan, err)
 		}
 
-		if err := os.MkdirAll(filepath.Dir(output), 0o755); err != nil {
+		if err := os.MkdirAll(filepath.Dir(output), 0o700); err != nil {
 			return nil, fmt.Errorf("create output directory: %w", err)
 		}
 

pkg/refresh/diff.go

@@ -166,7 +166,7 @@ func diffRefresh(ctx context.Context, rc Config) ([]TestData, error) {
 			return nil, fmt.Errorf("risk case compare file not found: %s: %w", dest, err)
 		}
 
-		if err := os.MkdirAll(filepath.Dir(output), 0o755); err != nil {
+		if err := os.MkdirAll(filepath.Dir(output), 0o700); err != nil {
 			return nil, fmt.Errorf("create output directory: %w", err)
 		}