feat(ci): add gosec and fix issues

M0Rf30 · Oct 11, 2023 · 4ced072 · 4ced072
1 parent 251f84b
commit 4ced072
Show file tree

Hide file tree

Showing 10 changed files with 86 additions and 23 deletions.
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
@@ -3,6 +3,7 @@ tag-template: "$RESOLVED_VERSION"
 categories:
   - title: "🚀 Features"
     labels:
+      - "feat"
       - "feature"
       - "enhancement"
   - title: "🐛 Bug Fixes"

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -17,7 +17,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.19
+          go-version: 1.21
 
       - name: Build
         run: go build -v ./...

diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml
@@ -0,0 +1,22 @@
+name: Run Gosec
+
+on:
+  push:
+    tags:
+      - "*"
+    branches:
+      - "*"
+  pull_request:
+
+jobs:
+  tests:
+    runs-on: ubuntu-latest
+    env:
+      GO111MODULE: on
+    steps:
+      - name: Checkout Source
+        uses: actions/checkout@v4
+      - name: Run Gosec Security Scanner
+        uses: securego/gosec@master
+        with:
+          args: ./...
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
@@ -1,4 +1,4 @@
-name: reviewdog
+name: Reviewdog
 on:
   push:
     tags:

diff --git a/pkgbuild/pkgbuild.go b/pkgbuild/pkgbuild.go
@@ -5,6 +5,7 @@ import (
 	"io"
 	"log"
 	"os"
+	"path/filepath"
 	"strings"
 	"text/template"
 
@@ -177,26 +178,26 @@ func (p *PKGBUILD) parseDirective(input string) (string, int, error) {
 		return key, priority, fmt.Errorf("pack: Cannot use directive for '%w'", err)
 	}
 
-	dirc := split[1]
+	directive := strings.ReplaceAll(split[1], "_", "-")
 
-	if constants.ReleasesSet.Contains(dirc) {
-		if dirc == p.FullDistroName {
+	if constants.ReleasesSet.Contains(directive) {
+		if directive == p.FullDistroName {
 			priority = 3
 		}
 
 		return key, priority, err
 	}
 
-	if constants.DistrosSet.Contains(dirc) {
-		if dirc == p.Distro {
+	if constants.DistrosSet.Contains(directive) {
+		if directive == p.Distro {
 			priority = 2
 		}
 
 		return key, priority, err
 	}
 
-	if constants.PackagersSet.Contains(dirc) {
-		if dirc == constants.DistroPackageManager[p.Distro] {
+	if constants.PackagersSet.Contains(directive) {
+		if directive == constants.DistroPackageManager[p.Distro] {
 			priority = 1
 		}
 
@@ -275,7 +276,9 @@ func (p *PKGBUILD) GetUpdates(packageManager string, args ...string) error {
 }
 
 func (p *PKGBUILD) CreateSpec(filePath string, script string) error {
-	file, err := os.Create(filePath)
+	cleanFilePath := filepath.Clean(filePath)
+
+	file, err := os.Create(cleanFilePath)
 	if err != nil {
 		log.Panic(err)
 	}

diff --git a/project/project.go b/project/project.go
@@ -235,17 +235,19 @@ func (mpc *MultipleProject) getMakeDeps() {
 }
 
 func (mpc *MultipleProject) readProject(path string) error {
-	file, err := os.Open(filepath.Join(path, "yap.json"))
+	cleanFilePath := filepath.Clean(filepath.Join(path, "yap.json"))
+
+	filePath, err := os.Open(cleanFilePath)
 	if err != nil {
 		fmt.Printf("%s❌ :: %sfailed to open yap.json file within '%s'%s\n",
 			string(constants.ColorBlue),
 			string(constants.ColorYellow),
-			path,
+			cleanFilePath,
 			string(constants.ColorWhite))
 		os.Exit(1)
 	}
 
-	prjContent, err := io.ReadAll(file)
+	prjContent, err := io.ReadAll(filePath)
 	if err != nil {
 		return err
 	}

diff --git a/project/project_test.go b/project/project_test.go
@@ -78,29 +78,29 @@ func TestBuildMultipleProjectFromJSON(t *testing.T) {
 }`), os.FileMode(0755)))
 
 	defer os.Remove(packageRaw)
-	err = os.MkdirAll(filepath.Dir(prj1), os.FileMode(0777))
+	err = os.MkdirAll(filepath.Dir(prj1), os.FileMode(0750))
 
 	if err != nil {
 		t.Error(err)
 	}
 
 	defer os.RemoveAll(filepath.Dir(prj1))
-	err = os.MkdirAll(filepath.Dir(prj2), os.FileMode(0777))
+	err = os.MkdirAll(filepath.Dir(prj2), os.FileMode(0750))
 
 	if err != nil {
 		t.Error(err)
 	}
 
 	defer os.Remove(filepath.Dir(prj2))
 
-	err = os.WriteFile(prj1, []byte(examplePkgbuild), os.FileMode(0755))
+	err = os.WriteFile(prj1, []byte(examplePkgbuild), os.FileMode(0750))
 	if err != nil {
 		t.Error(err)
 	}
 
 	defer os.Remove(prj1)
 
-	err = os.WriteFile(prj2, []byte(examplePkgbuild), os.FileMode(0755))
+	err = os.WriteFile(prj2, []byte(examplePkgbuild), os.FileMode(0750))
 	if err != nil {
 		t.Error(err)
 	}

diff --git a/utils/file.go b/utils/file.go
@@ -10,6 +10,7 @@ import (
 )
 
 func MkdirAll(path string) error {
+	//#nosec
 	err := os.MkdirAll(path, 0o755)
 	if err != nil {
 		fmt.Printf("%s❌ :: %sfailed to mkdir '%s'%s\n",
@@ -94,7 +95,9 @@ func ExistsMakeDir(path string) error {
 }
 
 func Create(path string) (*os.File, error) {
-	file, err := os.Create(path)
+	cleanFilePath := filepath.Clean(path)
+
+	file, err := os.Create(cleanFilePath)
 	if err != nil {
 		fmt.Printf("%s❌ :: %sfailed to create '%s'%s\n",
 			string(constants.ColorBlue),
@@ -128,7 +131,9 @@ func CreateWrite(path string, data string) error {
 }
 
 func Open(path string) (*os.File, error) {
-	file, err := os.Open(path)
+	cleanFilePath := filepath.Clean(path)
+
+	file, err := os.Open(cleanFilePath)
 	if err != nil {
 		fmt.Printf("%s❌ :: %sfailed to open file '%s'%s\n",
 			string(constants.ColorBlue),

diff --git a/utils/strings.go b/utils/strings.go
@@ -2,9 +2,12 @@ package utils
 
 import (
 	"crypto/rand"
+	"fmt"
 	"math/big"
+	"os"
 	"strings"
 
+	"github.com/M0Rf30/yap/constants"
 	"mvdan.cc/sh/v3/syntax"
 )
 
@@ -36,7 +39,15 @@ func StringifyArray(node *syntax.Assign) []string {
 	out := &strings.Builder{}
 
 	for index := range node.Array.Elems {
-		syntax.NewPrinter().Print(out, node.Array.Elems[index].Value)
+		err := syntax.NewPrinter().Print(out, node.Array.Elems[index].Value)
+		if err != nil {
+			fmt.Printf("%s❌ :: %sunable to parse variable: %s\n",
+				string(constants.ColorBlue),
+				string(constants.ColorYellow), out.String())
+
+			os.Exit(1)
+		}
+
 		out.WriteString(" ")
 		fields = append(fields, out.String())
 	}
@@ -47,7 +58,15 @@ func StringifyArray(node *syntax.Assign) []string {
 // Generates a string from a *syntax.Assign of a variable declaration.
 func StringifyAssign(node *syntax.Assign) string {
 	out := &strings.Builder{}
-	syntax.NewPrinter().Print(out, node.Value)
+	err := syntax.NewPrinter().Print(out, node.Value)
+
+	if err != nil {
+		fmt.Printf("%s❌ :: %sunable to parse variable: %s\n",
+			string(constants.ColorBlue),
+			string(constants.ColorYellow), out.String())
+
+		os.Exit(1)
+	}
 
 	return strings.Trim(out.String(), "\"")
 }
@@ -57,7 +76,15 @@ func StringifyFuncDecl(node *syntax.FuncDecl) []string {
 	var fields []string
 
 	out := &strings.Builder{}
-	syntax.NewPrinter().Print(out, node.Body)
+	err := syntax.NewPrinter().Print(out, node.Body)
+
+	if err != nil {
+		fmt.Printf("%s❌ :: %sunable to parse function: %s\n",
+			string(constants.ColorBlue),
+			string(constants.ColorYellow), out.String())
+
+		os.Exit(1)
+	}
 
 	fields = append(fields, out.String())
 

diff --git a/utils/utils.go b/utils/utils.go
@@ -188,14 +188,17 @@ func Unarchive(archiveReader io.Reader, destination string) error {
 
 			// linux default for new directories is 777 and let the umask handle
 			// if should have other controls
+			//#nosec
 			err = os.MkdirAll(fileDir, 0777)
 		}
 
 		if err != nil {
 			return err
 		}
 
-		newFile, err := os.OpenFile(newPath, os.O_CREATE|os.O_WRONLY, archiveFile.Mode())
+		cleanNewPath := filepath.Clean(newPath)
+
+		newFile, err := os.OpenFile(cleanNewPath, os.O_CREATE|os.O_WRONLY, archiveFile.Mode())
 		if err != nil {
 			return err
 		}