From 98d34ffd07663d2157c9a52b74b7697056ae5bab Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 2 Apr 2026 13:58:05 +0100 Subject: [PATCH] ax(node): replace banned strings import with bytes.HasPrefix in bundle.go The strings package is banned per AX conventions. Both HasPrefix calls in extractTarball now use bytes.HasPrefix with the bytes package already imported. Co-Authored-By: Charon --- pkg/node/bundle.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/node/bundle.go b/pkg/node/bundle.go index 2a65c97..a92504a 100644 --- a/pkg/node/bundle.go +++ b/pkg/node/bundle.go @@ -10,8 +10,6 @@ import ( "io" "os" "path/filepath" - "strings" - "forge.lthn.ai/Snider/Borg/pkg/datanode" "forge.lthn.ai/Snider/Borg/pkg/tim" ) @@ -291,7 +289,8 @@ func extractTarball(tarData []byte, destDir string) (string, error) { } // Reject paths that escape the destination directory - if strings.HasPrefix(cleanName, ".."+string(os.PathSeparator)) || cleanName == ".." { + parentPrefix := ".." + string(os.PathSeparator) + if bytes.HasPrefix([]byte(cleanName), []byte(parentPrefix)) || cleanName == ".." { return "", fmt.Errorf("invalid tar entry: path traversal attempt: %s", header.Name) } @@ -300,7 +299,8 @@ func extractTarball(tarData []byte, destDir string) (string, error) { fullPath = filepath.Clean(fullPath) // Final security check: ensure the path is still within destDir - if !strings.HasPrefix(fullPath, absDestDir+string(os.PathSeparator)) && fullPath != absDestDir { + destDirPrefix := absDestDir + string(os.PathSeparator) + if !bytes.HasPrefix([]byte(fullPath), []byte(destDirPrefix)) && fullPath != absDestDir { return "", fmt.Errorf("invalid tar entry: path escape attempt: %s", header.Name) }