From c6709d930f71d64dc3b5d1a15943e5c927e808cc Mon Sep 17 00:00:00 2001
From: Yong Tang
Date: Mon, 14 Feb 2022 08:24:21 -0800
Subject: Fix security scans by cleaning up file path (#5185)

While performing security scans there were several issue raised as G304 (CWE-22): Potential file inclusion via variable. As some files path are taken from user input, it is possible the filepath passed by user may have unintended effect if not properly formed. This fix add Clean to remove the security warning and address some potential issue.

Signed-off-by: Yong Tang
---
 plugin/sign/keys.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'plugin/sign/keys.go')
diff --git a/plugin/sign/keys.go b/plugin/sign/keys.go
index 5fd1a4842..b99958442 100644
--- a/plugin/sign/keys.go
+++ b/plugin/sign/keys.go
@@ -66,7 +66,7 @@ func keyParse(c *caddy.Controller) ([]Pair, error) {
 }

 func readKeyPair(public, private string) (Pair, error) {
- rk, err := os.Open(public)
+ rk, err := os.Open(filepath.Clean(public))
 if err != nil {
 return Pair{}, err
 }
@@ -86,7 +86,7 @@ func readKeyPair(public, private string) (Pair, error) {
 return Pair{}, fmt.Errorf("DNSKEY in %q is not a CSK/KSK", public)
 }

- rp, err := os.Open(private)
+ rp, err := os.Open(filepath.Clean(private))
 if err != nil {
 return Pair{}, err
 }
--
cgit v1.2.3
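Review bot: `filepath.Clean` in `os.Open(filepath.Clean(public))` inside readKeyPair is purely lexical: it collapses `.`/`..` segments and duplicate separators, but it does not anchor the path to a directory or resolve symlinks, so an absolute path or a leading `../` still opens whatever it names. The call therefore quiets the G304 finding without adding a CWE-22 control, and the same holds for `os.Open(filepath.Clean(private))` in the second hunk. If these paths are trusted operator configuration, record that next to the calls, e.g. `// paths come from operator config; Clean only normalizes, it does not confine them`; if confinement is intended, the resolved path has to be checked against an allowed base directory before it is opened. readKeyPair's body continues outside both hunks, so whether the paths are validated elsewhere is not visible here.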