Fix security scans by cleaning up file path (#5185)

While performing security scans, several issues were raised as
G304 (CWE-22): Potential file inclusion via variable.
As some file paths are taken from user input, a file path passed by
the user may have unintended effects if it is not properly formed.
This fix adds Clean to remove the security warning and address some
potential issues.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Yong Tang
2022-02-14 08:24:21 -08:00
committed by GitHub
parent b40f2a0a44
commit c6709d930f
8 changed files with 14 additions and 10 deletions


@@ -2,6 +2,7 @@ package file
import (
"os"
"path/filepath"
"time"
"github.com/coredns/coredns/plugin/transfer"
@@ -19,7 +20,7 @@ func (z *Zone) Reload(t *transfer.Transfer) error {
select {
case <-tick.C:
zFile := z.File()
reader, err := os.Open(zFile)
reader, err := os.Open(filepath.Clean(zFile))
if err != nil {
log.Errorf("Failed to open zone %q in %q: %v", z.origin, zFile, err)
continue
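Review bot: `filepath.Clean(zFile)` in the new `os.Open` call is purely lexical normalization, so it silences gosec G304 but does not restrict which file Reload can open: a path that still begins with `..` after cleaning, or an absolute path, is opened just as before. The same holds for `os.Open(filepath.Clean(fileName))` in fileParse. If the zone file path is treated as trusted configuration, a comment on the call would record that decision, for example `// Clean only normalizes the path lexically; it does not confine zFile to a directory`. If the path can be influenced by a less trusted party, it needs an explicit check against an allowed base directory before the open. Reload's body starts and ends outside the hunk.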


@@ -88,7 +88,7 @@ func fileParse(c *caddy.Controller) (Zones, error) {
fileName = filepath.Join(config.Root, fileName)
}
reader, err := os.Open(fileName)
reader, err := os.Open(filepath.Clean(fileName))
if err != nil {
openErr = err
}
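Review bot: On the path that runs `fileName = filepath.Join(config.Root, fileName)`, the added `filepath.Clean` is redundant because `filepath.Join` already cleans its result, and a `fileName` containing `..` still resolves outside `config.Root` after cleaning. The condition guarding the Join is outside the hunk, so which inputs skip the root entirely is not visible here. If the root is meant to be a boundary, computing `rel, err := filepath.Rel(config.Root, fileName)` and rejecting an error or a `rel` that begins with `..` would enforce it. Otherwise a comment stating that the root is only a convenience prefix, not a confinement, would avoid a false sense of safety. fileParse's body starts and ends outside the hunk.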