[Issue #220] - dcRUSTy - Implement utility function wrapper for iouti…

…l.ReadFile which skips following symlink
thoughtworks · Aug 13, 2020 · c476ee4 · c476ee4
1 parent 76c87fa
commit c476ee4
Show file tree

Hide file tree

Showing 4 changed files with 59 additions and 4 deletions.
diff --git a/gitrepo/gitrepo.go b/gitrepo/gitrepo.go
@@ -3,13 +3,13 @@ package gitrepo
 import (
 	"fmt"
 	log "github.com/Sirupsen/logrus"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
 	"path/filepath"
 	"regexp"
 	"strings"
+	"talisman/utility"
 )
 
 //FilePath represents the absolute path of an added file
@@ -161,7 +161,7 @@ func NewScannerAddition(filePath string, commits []string, content []byte) Addit
 func (repo GitRepo) ReadRepoFile(fileName string) ([]byte, error) {
 	path := filepath.Join(repo.root, fileName)
 	log.Debugf("reading file %s", path)
-	return ioutil.ReadFile(path)
+	return utility.SafeReadFile(path)
 }
 
 //ReadRepoFileOrNothing returns the contents of the supplied relative filename by locating it in the git repo.

diff --git a/utility/sha_256_hasher.go b/utility/sha_256_hasher.go
@@ -3,7 +3,6 @@ package utility
 import (
 	"crypto/sha256"
 	"encoding/hex"
-	"io/ioutil"
 )
 
 type SHA256Hasher interface {
@@ -20,7 +19,7 @@ func (DefaultSHA256Hasher) CollectiveSHA256Hash(paths []string) string {
 		concatBytes := hashByte(&sbyte)
 		nameByte := []byte(path)
 		nameHash := hashByte(&nameByte)
-		fileBytes, _ := ioutil.ReadFile(path)
+		fileBytes, _ := SafeReadFile(path)
 		fileHash := hashByte(&fileBytes)
 		finHash = concatBytes + fileHash + nameHash
 	}

diff --git a/utility/utility.go b/utility/utility.go
@@ -2,6 +2,7 @@ package utility
 
 import (
 	"fmt"
+	log "github.com/Sirupsen/logrus"
 	"io"
 	"io/ioutil"
 	"os"
@@ -89,3 +90,19 @@ func Dir(src string, dst string) error {
 	}
 	return nil
 }
+
+func IsFileSymlink(path string) bool {
+	fileMetadata, err := os.Lstat(path)
+	if err != nil {
+		return false
+	}
+	return fileMetadata.Mode()&os.ModeSymlink != 0
+}
+
+func SafeReadFile(path string) ([]byte, error) {
+	if IsFileSymlink(path) {
+		log.Debug("Symlink was detected! Not following symlink ", path)
+		return []byte{}, nil
+	}
+	return ioutil.ReadFile(path)
+}
diff --git a/utility/utility_test.go b/utility/utility_test.go
@@ -0,0 +1,39 @@
+package utility
+
+import (
+	"github.com/stretchr/testify/assert"
+	"io/ioutil"
+	"os"
+	"testing"
+)
+
+func TestShouldReadNormalFileCorrectly(t *testing.T) {
+	tempFile, _ := ioutil.TempFile(os.TempDir(), "somefile")
+	dataToBeWrittenInFile := []byte{0, 1, 2, 3}
+	tempFile.Write(dataToBeWrittenInFile)
+	tempFile.Close()
+
+	readDataFromFileUsingIoutilDotReadFile, _ := ioutil.ReadFile(tempFile.Name())
+	readDataFromFileUsingSafeFileRead, _ := SafeReadFile(tempFile.Name())
+	os.Remove(tempFile.Name())
+
+	assert.Equal(t, readDataFromFileUsingIoutilDotReadFile, dataToBeWrittenInFile)
+	assert.Equal(t, readDataFromFileUsingSafeFileRead, dataToBeWrittenInFile)
+}
+
+func TestShouldNotReadSymbolicLinkTargetFile(t *testing.T) {
+	tempFile, _ := ioutil.TempFile(os.TempDir(), "somefile")
+	dataToBeWrittenInFile := []byte{0, 1, 2, 3}
+	tempFile.Write(dataToBeWrittenInFile)
+	tempFile.Close()
+	symlinkFileName := tempFile.Name() + "symlink"
+	os.Symlink(tempFile.Name(), symlinkFileName)
+
+	readDataFromSymlinkUsingIoutilDotReadFile, _ := ioutil.ReadFile(symlinkFileName)
+	readDataFromSymlinkUsingSafeFileRead, _ := SafeReadFile(symlinkFileName)
+	os.Remove(symlinkFileName)
+	os.Remove(tempFile.Name())
+
+	assert.Equal(t, readDataFromSymlinkUsingIoutilDotReadFile, dataToBeWrittenInFile)
+	assert.Equal(t, readDataFromSymlinkUsingSafeFileRead, []byte{})
+}