ax(node): replace banned strings import with bytes.HasPrefix in bundle.go

The strings package is banned per AX conventions. Both HasPrefix calls in
extractTarball now use bytes.HasPrefix with the bytes package already imported.

Co-Authored-By: Charon <charon@lethean.io>
Claude 2026-04-02 13:58:05 +01:00
parent 0ffae0c646
commit 98d34ffd07
No known key found for this signature in database
GPG key ID: AF404715446AEB41


@ -10,8 +10,6 @@ import (
"io"
"os"
"path/filepath"
"strings"
"forge.lthn.ai/Snider/Borg/pkg/datanode"
"forge.lthn.ai/Snider/Borg/pkg/tim"
)
@ -291,7 +289,8 @@ func extractTarball(tarData []byte, destDir string) (string, error) {
}
// Reject paths that escape the destination directory
if strings.HasPrefix(cleanName, ".."+string(os.PathSeparator)) || cleanName == ".." {
parentPrefix := ".." + string(os.PathSeparator)
if bytes.HasPrefix([]byte(cleanName), []byte(parentPrefix)) || cleanName == ".." {
return "", fmt.Errorf("invalid tar entry: path traversal attempt: %s", header.Name)
}
@ -300,7 +299,8 @@ func extractTarball(tarData []byte, destDir string) (string, error) {
fullPath = filepath.Clean(fullPath)
// Final security check: ensure the path is still within destDir
if !strings.HasPrefix(fullPath, absDestDir+string(os.PathSeparator)) && fullPath != absDestDir {
destDirPrefix := absDestDir + string(os.PathSeparator)
if !bytes.HasPrefix([]byte(fullPath), []byte(destDirPrefix)) && fullPath != absDestDir {
return "", fmt.Errorf("invalid tar entry: path escape attempt: %s", header.Name)
}
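Review bot: Both containment checks in extractTarball remain purely lexical prefix tests, and the new code adds two `[]byte` conversions per tar entry only to avoid the banned import. Since `path/filepath` is already imported, the first check could be `if !filepath.IsLocal(cleanName) {` (Go 1.20+, assuming the module's Go version allows it), which also rejects absolute names. The second check could use `filepath.Rel(absDestDir, fullPath)` and test the result with `filepath.IsLocal`, which states the same rule without `destDirPrefix`. Neither form resolves symlinks, and the rest of extractTarball lies outside these hunks, so it should be confirmed that symlink and hardlink entries are refused or resolved before a later entry is written beneath them. The two error returns print the untrusted `header.Name` with `%s`; `%q` would keep control characters from an archive out of logs.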