From bd17139cfc34c9303da5867670b8347743169bb5 Mon Sep 17 00:00:00 2001
From: dcrusty <40319304+dcrusty@users.noreply.github.com>
Date: Wed, 12 Aug 2020 21:55:56 +0530
Subject: [PATCH] [Issue #220] - dcRUSTy - Implement utility function wrapper
 for ioutil.ReadFile which skips following symlink

---
 directory_hook.go          |  4 ++--
 git_testing/git_testing.go |  2 +-
 gitrepo/gitrepo.go         |  4 ++--
 utility/sha_256_hasher.go  |  3 +--
 utility/utility.go         | 17 +++++++++++++++++
 utility/utility_test.go    | 39 ++++++++++++++++++++++++++++++++++++++
 6 files changed, 62 insertions(+), 7 deletions(-)
 create mode 100644 utility/utility_test.go

diff --git a/directory_hook.go b/directory_hook.go
index 1104dcbd..ab78bbd8 100644
--- a/directory_hook.go
+++ b/directory_hook.go
@@ -1,8 +1,8 @@
 package main
 
 import (
-	"io/ioutil"
 	"talisman/gitrepo"
+	"talisman/utility"
 
 	log "github.com/Sirupsen/logrus"
 
@@ -35,5 +35,5 @@ func (p *DirectoryHook) GetFilesFromDirectory(globPattern string) []gitrepo.Addi
 
 func ReadFile(filepath string) ([]byte, error) {
 	log.Debugf("reading file %s", filepath)
-	return ioutil.ReadFile(filepath)
+	return utility.SafeReadFile(filepath)
 }
diff --git a/git_testing/git_testing.go b/git_testing/git_testing.go
index 03c829e6..5607ae71 100644
--- a/git_testing/git_testing.go
+++ b/git_testing/git_testing.go
@@ -23,7 +23,7 @@ func Init(gitRoot string) *GitTesting {
 	os.MkdirAll(gitRoot, 0777)
 	testingRepo := &GitTesting{gitRoot}
 	testingRepo.ExecCommand("git", "init", ".")
-	gitConfigFileObject, _ := ioutil.TempFile("/tmp", "gitConfigForTalismanTests")
+	gitConfigFileObject, _ := ioutil.TempFile(os.TempDir(), "gitConfigForTalismanTests")
 	gitConfigFile = gitConfigFileObject.Name()
 	testingRepo.CreateFileWithContents(gitConfigFile, `[user]
 	email = talisman-test-user@example.com
diff --git a/gitrepo/gitrepo.go b/gitrepo/gitrepo.go
index 55d8d001..753987d3 100644
--- a/gitrepo/gitrepo.go
+++ b/gitrepo/gitrepo.go
@@ -3,13 +3,13 @@ package gitrepo
 import (
 	"fmt"
 	log "github.com/Sirupsen/logrus"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"
+	"talisman/utility"
 )
 
 //FilePath represents the absolute path of an added file
@@ -161,7 +161,7 @@ func NewScannerAddition(filePath string, commits []string, content []byte) Addit
 func (repo GitRepo) ReadRepoFile(fileName string) ([]byte, error) {
 	path := filepath.Join(repo.root, fileName)
 	log.Debugf("reading file %s", path)
-	return ioutil.ReadFile(path)
+	return utility.SafeReadFile(path)
 }
 
 //ReadRepoFileOrNothing returns the contents of the supplied relative filename by locating it in the git repo.
diff --git a/utility/sha_256_hasher.go b/utility/sha_256_hasher.go
index b6f513fd..ec9dffc9 100644
--- a/utility/sha_256_hasher.go
+++ b/utility/sha_256_hasher.go
@@ -3,7 +3,6 @@ package utility
 import (
 	"crypto/sha256"
 	"encoding/hex"
-	"io/ioutil"
 )
 
 type SHA256Hasher interface {
@@ -20,7 +19,7 @@ func (DefaultSHA256Hasher) CollectiveSHA256Hash(paths []string) string {
 		concatBytes := hashByte(&sbyte)
 		nameByte := []byte(path)
 		nameHash := hashByte(&nameByte)
-		fileBytes, _ := ioutil.ReadFile(path)
+		fileBytes, _ := SafeReadFile(path)
 		fileHash := hashByte(&fileBytes)
 		finHash = concatBytes + fileHash + nameHash
 	}
diff --git a/utility/utility.go b/utility/utility.go
index 7dd57be7..f947dce0 100644
--- a/utility/utility.go
+++ b/utility/utility.go
@@ -2,6 +2,7 @@ package utility
 
 import (
 	"fmt"
+	log "github.com/Sirupsen/logrus"
 	"io"
 	"io/ioutil"
 	"os"
@@ -89,3 +90,19 @@ func Dir(src string, dst string) error {
 	}
 	return nil
 }
+
+func IsFileSymlink(path string) bool {
+	fileMetadata, err := os.Lstat(path)
+	if err != nil {
+		return false
+	}
+	return fileMetadata.Mode()&os.ModeSymlink != 0
+}
+
+func SafeReadFile(path string) ([]byte, error) {
+	if IsFileSymlink(path) {
+		log.Debug("Symlink was detected! Not following symlink ", path)
+		return []byte{}, nil
+	}
+	return ioutil.ReadFile(path)
+}
diff --git a/utility/utility_test.go b/utility/utility_test.go
new file mode 100644
index 00000000..a4a4c8b1
--- /dev/null
+++ b/utility/utility_test.go
@@ -0,0 +1,39 @@
+package utility
+
+import (
+	"github.com/stretchr/testify/assert"
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+func TestShouldReadNormalFileCorrectly(t *testing.T) {
+	tempFile, _ := ioutil.TempFile(os.TempDir(), "somefile")
+	dataToBeWrittenInFile := []byte{0, 1, 2, 3}
+	tempFile.Write(dataToBeWrittenInFile)
+	tempFile.Close()
+
+	readDataFromFileUsingIoutilDotReadFile, _ := ioutil.ReadFile(tempFile.Name())
+	readDataFromFileUsingSafeFileRead, _ := SafeReadFile(tempFile.Name())
+	os.Remove(tempFile.Name())
+
+	assert.Equal(t, readDataFromFileUsingIoutilDotReadFile, dataToBeWrittenInFile)
+	assert.Equal(t, readDataFromFileUsingSafeFileRead, dataToBeWrittenInFile)
+}
+
+func TestShouldNotReadSymbolicLinkTargetFile(t *testing.T) {
+	tempFile, _ := ioutil.TempFile(os.TempDir(), "somefile")
+	dataToBeWrittenInFile := []byte{0, 1, 2, 3}
+	tempFile.Write(dataToBeWrittenInFile)
+	tempFile.Close()
+	symlinkFileName := tempFile.Name() + "symlink"
+	os.Symlink(tempFile.Name(), symlinkFileName)
+
+	readDataFromSymlinkUsingIoutilDotReadFile, _ := ioutil.ReadFile(symlinkFileName)
+	readDataFromSymlinkUsingSafeFileRead, _ := SafeReadFile(symlinkFileName)
+	os.Remove(symlinkFileName)
+	os.Remove(tempFile.Name())
+
+	assert.Equal(t, readDataFromSymlinkUsingIoutilDotReadFile, dataToBeWrittenInFile)
+	assert.Equal(t, []byte{}, readDataFromSymlinkUsingSafeFileRead)
+}