Fix for gosec rule G304 - sanitize filepaths

pkg/yqlib/file_utils.go

@@ -3,6 +3,7 @@ package yqlib
 import (
 	"io"
 	"os"
+	"path/filepath"
 )
 
 func safelyRenameFile(from string, to string) {
@@ -25,7 +26,7 @@ func safelyRenameFile(from string, to string) {
 
 // thanks https://stackoverflow.com/questions/21060945/simple-way-to-copy-a-file-in-golang
 func copyFileContents(src, dst string) (err error) {
-	in, err := os.Open(src) // nolint gosec
+	in, err := os.Open(filepath.Clean(src))
 	if err != nil {
 		return err
 	}

pkg/yqlib/utils.go

@@ -5,6 +5,7 @@ import (
 	"container/list"
 	"io"
 	"os"
+	"path/filepath"
 
 	yaml "gopkg.in/yaml.v3"
 )
@@ -13,7 +14,7 @@ func readStream(filename string) (io.Reader, error) {
 	if filename == "-" {
 		return bufio.NewReader(os.Stdin), nil
 	} else {
-		return os.Open(filename) // nolint gosec
+		return os.Open(filepath.Clean(filename))
 	}
 }
 

test/utils.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
+	"path/filepath"
 	"reflect"
 	"strings"
 	"testing"
@@ -81,7 +82,7 @@ func WriteTempYamlFile(content string) string {
 }
 
 func ReadTempYamlFile(name string) string {
-	content, _ := ioutil.ReadFile(name)
+	content, _ := ioutil.ReadFile(filepath.Clean(name))
 	return string(content)
 }