
Commit 23ab958

Alex Godorojaclaude
andcommitted
fix(gosec): resolve install.json/install.sh aux paths via resolveUnder (G304)
Mirror the binary-copy containment pattern: resolveUnder cleans the join and verifies the path stays under the bundle/staging root, clearing the two gosec 'path traversal via taint analysis' (G304) alerts on the aux-file carry. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent ae47074 commit 23ab958

1 file changed

Lines changed: 10 additions & 2 deletions

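--- a/cmd/pilotctl/appstore.go
+++ b/cmd/pilotctl/appstore.go
@@ -1190,15 +1190,23 @@ func cmdAppStoreInstall(args []string) {
 // R2 artifact registry. These files are covered by the bundle's sha (verified
 // above at the tarball level), so copying them adds no new trust surface.
 for _, aux := range []string{"install.json", "install.sh"} {
-src := filepath.Join(bundleDir, aux)
+// Resolve both ends through the same containment guard the binary copy
+// uses: aux is a constant allow-list entry, and resolveUnder cleans the
+// join and verifies it stays under the root — so neither path can escape.
+src, serr := resolveUnder(bundleDir, aux)
+dst, derr := resolveUnder(stagingDir, aux)
+if serr != nil || derr != nil {
+_ = os.RemoveAll(stagingDir)
+fatalHint("internal_error", "aux install file path escaped the bundle/staging root", "resolve %s: %v / %v", aux, serr, derr)
+}
 if _, err := os.Stat(src); err != nil {
 continue // not an asset-delivering app
 }
 mode := os.FileMode(0o644)
 if aux == "install.sh" {
 mode = 0o755
 }
-if err := copyFile(src, filepath.Join(stagingDir, aux), mode); err != nil {
+if err := copyFile(src, dst, mode); err != nil {
 _ = os.RemoveAll(stagingDir)
 fatalHint("io_error", "check install root permissions", "copy %s: %v", aux, err)
 }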
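Review bot: resolveUnder, as described in the commit message, is a lexical check (clean the join, compare against the root), so the new src/dst guards do not cover a symlink at bundleDir/install.sh or install.json that points outside the bundle — the unchanged os.Stat and copyFile below would follow it. If extracted bundles can contain symlinks, replace the os.Stat check with `if fi, err := os.Lstat(src); err != nil || !fi.Mode().IsRegular() { continue }` (or resolve through filepath.EvalSymlinks before the containment test); if tarball extraction already rejects symlinks, a one-line comment saying so next to the guard would make the trust argument in the preceding comment complete. Separately, the fatalHint format `%v / %v` prints `<nil>` for whichever side succeeded; if the module targets Go 1.20+, `errors.Join(serr, derr)` with a single `%v` gives a cleaner message. cmdAppStoreInstall starts and ends outside the hunk.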
