commit ea77415cfe2cefe46ffce233076a1409abaa8df7 Author: Will Browne Date: Fri Dec 10 11:29:12 2021 +0000 apply fix (#42969)
diff --git a/pkg/plugins/plugins.go b/pkg/plugins/plugins.go
index e6370a29e7..c7199c716e 100644
--- a/pkg/plugins/plugins.go
+++ b/pkg/plugins/plugins.go
@@ -491,15 +491,15 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
 }
 // nolint:gosec
- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
- // on plugin the folder structure on disk and not user input.
- path := filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToUpper(name)))
+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+ // use this with a prefix of the plugin's directory, which is set during plugin loading
+ path := filepath.Join(plug.PluginDir, mdFilepath(strings.ToUpper(name)))
 exists, err := fs.Exists(path)
 if err != nil {
 return nil, err
 }
 if !exists {
- path = filepath.Join(plug.PluginDir, fmt.Sprintf("%s.md", strings.ToLower(name)))
+ path = filepath.Join(plug.PluginDir, mdFilepath(strings.ToLower(name)))
 }
 exists, err = fs.Exists(path)
@@ -511,8 +511,8 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
 }
 // nolint:gosec
- // We can ignore the gosec G304 warning on this one because `plug.PluginDir` is based
- // on plugin the folder structure on disk and not user input.
+ // We can ignore the gosec G304 warning since we have cleaned the requested file path and subsequently
+ // use this with a prefix of the plugin's directory, which is set during plugin loading
 data, err := ioutil.ReadFile(path)
 if err != nil {
 return nil, err
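Review bot: The new nolint justification on the `// We can ignore the gosec G304 warning since we have cleaned the requested file path` lines names the wrong property: cleaning a path on its own does not keep it inside a directory, what confines the result is that mdFilepath joins the name under `/` first, so any leading `..` segments are collapsed against the root before the value is placed under plug.PluginDir. Suggest stating that invariant so a later edit to the helper cannot silently invalidate the suppression, e.g. `// G304: mdFilepath anchors the requested name at the filesystem root before it is joined under plug.PluginDir, so the resulting path cannot escape the plugin directory.` The same two comment lines are repeated before the ioutil.ReadFile call in the second hunk and could simply refer back to the first occurrence. GetPluginMarkdown begins before the first hunk and continues past the second.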
@@ -520,6 +520,10 @@ func GetPluginMarkdown(pluginId string, name string) ([]byte, error) {
 return data, nil
 }
+func mdFilepath(mdFilename string) string {
+ return filepath.Clean(filepath.Join("/", fmt.Sprintf("%s.md", mdFilename)))
+}
+
 // gets plugin filenames that require verification for plugin signing
 func collectPluginFilesWithin(rootDir string) ([]string, error) {
 var files []string
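Review bot: mdFilepath is now the only thing keeping the markdown path inside the plugin directory, yet it carries no doc comment, and the outer `filepath.Clean` is redundant because `filepath.Join` already cleans its result. Suggest `// mdFilepath returns the markdown filename for mdFilename anchored at the root ("/NAME.md"), so that any ".." segments are collapsed before the caller joins it under the plugin directory.` with the body reduced to `return filepath.Join("/", fmt.Sprintf("%s.md", mdFilename))`. Note that a name containing path separators still resolves to a `.md` file in a subdirectory of the plugin directory; if only top-level files such as README are intended, rejecting names where `filepath.Base(mdFilename) != mdFilename` would be the narrower rule, though whether nested names are meant to work is not visible here. A small table test over plain, `..`-prefixed, absolute and nested names would pin the confinement invariant this commit relies on.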