From bada84d8a811120a6e189e8f5be554ceb4861bf2 Mon Sep 17 00:00:00 2001
From: soulteary
Date: Sun, 23 Apr 2023 14:34:15 +0800
Subject: [PATCH] fix: Golang security checks by gosec #304
---
 internal/updater/updater.go | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/internal/updater/updater.go b/internal/updater/updater.go
index 7ecf1c2..fd7558c 100644
--- a/internal/updater/updater.go
+++ b/internal/updater/updater.go
@@ -77,7 +77,9 @@ func ScanFiles(rootDir string) ([]string, error) {
 if info.IsDir() {
 return nil
 }
- if strings.HasSuffix(path, ".conf") {
+
+ file := filepath.Clean(path)
+ if strings.HasPrefix(file, rootDir) && strings.HasSuffix(file, ".conf") {
 _, err := os.ReadFile(path)
 if err != nil {
 return err
@@ -97,12 +99,18 @@ func UpdateConfInDir(rootDir string, outputDir string, indent int, indentChar st
 if err != nil {
 return err
 }
- for _, file := range files {
+ for _, src := range files {
+ file := filepath.Clean(src)
+ if !strings.HasPrefix(file, rootDir) {
+ continue
+ }
+
 buf, err := os.ReadFile(file)
 if err != nil {
 fmt.Printf("Formatter Nginx Conf %s failed, can not open the file\n", err)
 return err
 }
+
 modifiedData, err := fn(FixVars(FixReturn(EncodeEscapeChars(string(buf)))), indent, indentChar)
 if err != nil {
 fmt.Printf("Formatter Nginx Conf %s failed, can not format the file\n", err)
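Review bot: The containment test `strings.HasPrefix(file, rootDir)` in ScanFiles compares raw strings, so it is not a path-boundary check: with a root of, for example, `/etc/nginx` it also accepts `/etc/nginx-old/x.conf`, and because `file` is cleaned while `rootDir` is not, a root passed as `./conf` or `conf//` would never match and every file would be skipped. The same check is repeated in the UpdateConfInDir hunk. Comparing through `rel, err := filepath.Rel(rootDir, file)` and rejecting `err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))` covers both cases. Note also that `os.ReadFile(path)` still reads the uncleaned `path`, and `filepath.Clean` is lexical only, so a symlinked `.conf` under the root is still followed. ScanFiles' body begins and ends outside the hunk.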
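Review bot: The new `continue` in the loop of UpdateConfInDir drops a file without any output, while the read and format failures just below both print a message and return; a path rejected by the root check would leave the run looking successful with that file unformatted. Print a line before skipping, e.g. `fmt.Printf("Formatter Nginx Conf %s skipped, path is outside %s\n", file, rootDir)`, or return an error so the caller can tell. The function body starts and ends outside the hunk, so where `files` comes from is not visible here; if it is the result of ScanFiles, this check repeats the one made there.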