Add pathutil for path validation

anhthii · anhthii · commit b911e6014d67 · 2025-07-06T15:29:59.000+07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -95,16 +95,14 @@ jobs:
         run: go install golang.org/x/vuln/cmd/govulncheck@latest
 
       - name: Run govulncheck and generate SARIF
+        working-directory: ${{ github.workspace }}/..
         run: |
-          # Generate SARIF output
-          govulncheck -format sarif -scan=module ./... > govulncheck-results.sarif
-          
-          # Also generate JSON for counting (optional)
+          govulncheck -format sarif -scan=module > govulncheck-results.sarif
+
           govulncheck -json ./... > vuln.json
           count=$(jq '[.[] | select(.finding != null and .finding.trace != null)] | length' vuln.json || echo 0)
           echo "Found $count vulnerabilities"
-          
-          # Note: We don't fail the build here since we want to upload the SARIF file
+
           if [ "$count" -gt 0 ]; then
             echo "⚠️ Vulnerabilities found by govulncheck (see Security tab for details)"
           else
@@ -194,7 +192,7 @@ jobs:
       actions: read
       contents: read
       security-events: write
-    
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
diff --git a/pkg/common/pathutil/pathutil.go b/pkg/common/pathutil/pathutil.go
@@ -0,0 +1,51 @@
+package pathutil
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+)
+
+// SafePath validates and constructs a safe file path within a base directory
+func SafePath(baseDir, filename string) (string, error) {
+	// Clean the filename to prevent path traversal
+	cleanFilename := filepath.Clean(filename)
+
+	// Check for path traversal attempts
+	if strings.Contains(cleanFilename, "..") {
+		return "", fmt.Errorf("invalid filename: path traversal not allowed")
+	}
+
+	// Construct the full path
+	fullPath := filepath.Join(baseDir, cleanFilename)
+
+	// Ensure the path is within the base directory
+	absBase, err := filepath.Abs(baseDir)
+	if err != nil {
+		return "", fmt.Errorf("failed to get absolute path for base directory: %w", err)
+	}
+
+	absPath, err := filepath.Abs(fullPath)
+	if err != nil {
+		return "", fmt.Errorf("failed to get absolute path: %w", err)
+	}
+
+	if !strings.HasPrefix(absPath, absBase) {
+		return "", fmt.Errorf("path outside base directory not allowed")
+	}
+
+	return fullPath, nil
+}
+
+// ValidateFilePath validates a file path for security concerns
+func ValidateFilePath(filePath string) error {
+	// Clean the path
+	cleanPath := filepath.Clean(filePath)
+
+	// Check for path traversal attempts
+	if strings.Contains(cleanPath, "..") {
+		return fmt.Errorf("invalid file path: path traversal not allowed")
+	}
+
+	return nil
+}
diff --git a/pkg/common/pathutil/pathutil_test.go b/pkg/common/pathutil/pathutil_test.go
@@ -0,0 +1,91 @@
+package pathutil
+
+import (
+	"testing"
+)
+
+func TestValidateFilePath(t *testing.T) {
+	tests := []struct {
+		name    string
+		path    string
+		wantErr bool
+	}{
+		{
+			name:    "valid simple path",
+			path:    "test.json",
+			wantErr: false,
+		},
+		{
+			name:    "valid relative path",
+			path:    "config/test.json",
+			wantErr: false,
+		},
+		{
+			name:    "path traversal attempt",
+			path:    "../../../etc/passwd",
+			wantErr: true,
+		},
+		{
+			name:    "path traversal with clean",
+			path:    "config/../../../etc/passwd",
+			wantErr: true,
+		},
+		{
+			name:    "valid absolute path",
+			path:    "/tmp/test.json",
+			wantErr: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := ValidateFilePath(tt.path)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ValidateFilePath() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestSafePath(t *testing.T) {
+	tests := []struct {
+		name     string
+		baseDir  string
+		filename string
+		wantErr  bool
+	}{
+		{
+			name:     "valid file in base dir",
+			baseDir:  "/tmp",
+			filename: "test.json",
+			wantErr:  false,
+		},
+		{
+			name:     "path traversal attempt",
+			baseDir:  "/tmp",
+			filename: "../../../etc/passwd",
+			wantErr:  true,
+		},
+		{
+			name:     "path traversal with clean",
+			baseDir:  "/tmp",
+			filename: "config/../../../etc/passwd",
+			wantErr:  true,
+		},
+		{
+			name:     "valid subdirectory",
+			baseDir:  "/tmp",
+			filename: "config/test.json",
+			wantErr:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := SafePath(tt.baseDir, tt.filename)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("SafePath() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
