fix gosec findings

Author: bakito

main.go

@@ -164,6 +164,10 @@ func findMatching(toolName string, assets []types.Asset) *types.Asset {
 		mi := matches(runtime.GOARCH, matching[i].Name)
 		mj := matches(runtime.GOARCH, matching[j].Name)
 
+		if mi == mj {
+			mi = strings.Contains(matching[i].Name, runtime.GOARCH)
+			mj = strings.Contains(matching[j].Name, runtime.GOARCH)
+		}
 		if mi == mj {
 			return true
 		}

pkg/extract/extract.go

@@ -4,6 +4,7 @@ import (
 	"archive/tar"
 	"archive/zip"
 	"errors"
+	"fmt"
 	"io"
 	"log"
 	"os"
@@ -54,8 +55,10 @@ func unzipFile(file *zip.File, target string) error {
 	if err != nil {
 		return err
 	}
-	// #nosec G305
-	name := path.Join(target, file.Name)
+	name, err := sanitizeArchivePath(target, file.Name)
+	if err != nil {
+		return err
+	}
 	_ = os.MkdirAll(path.Dir(name), os.ModeDir)
 	create, err := os.Create(name)
 	if err != nil {
@@ -66,6 +69,16 @@ func unzipFile(file *zip.File, target string) error {
 	return err
 }
 
+// sanitize archive file pathing from "G305: Zip Slip vulnerability"
+func sanitizeArchivePath(d, t string) (v string, err error) {
+	v = filepath.Join(d, t)
+	if strings.HasPrefix(v, filepath.Clean(d)) {
+		return v, nil
+	}
+
+	return "", fmt.Errorf("%s: %s", "content filepath is tainted", t)
+}
+
 func tarGz(file, target string) error {
 	return tarinator.UnTarinate(target, file)
 }
@@ -94,29 +107,45 @@ func tarXz(file, target string) error {
 		if err != nil {
 			return err
 		}
-		switch hdr.Typeflag {
-		case tar.TypeDir:
-			// create a directory
-			// #nosec G305
-			err = os.MkdirAll(filepath.Join(target, hdr.Name), 0o777)
-			if err != nil {
-				return err
-			}
-		case tar.TypeReg:
-			// write a file
-			// #nosec G305
-			path := filepath.Join(target, hdr.Name)
-			w, err := os.Create(path)
-			if err != nil {
-				return err
-			}
-			// #nosec G110
-			_, err = io.Copy(w, tr)
+
+		if err := tarXzFile(tr, hdr, target); err != nil {
+			return err
+		}
+
+	}
+	return nil
+}
+
+func tarXzFile(tr *tar.Reader, hdr *tar.Header, target string) error {
+	path, err := sanitizeArchivePath(target, hdr.Name)
+	if err != nil {
+		return err
+	}
+	switch hdr.Typeflag {
+	case tar.TypeDir:
+		// create a directory
+		err = os.MkdirAll(path, 0o777)
+		if err != nil {
+			return err
+		}
+	case tar.TypeReg:
+		// write a file
+		w, err := os.Create(path)
+		if err != nil {
+			return err
+		}
+
+		defer quietly.Close(w)
+		for {
+			_, err := io.CopyN(w, tr, 1024)
 			if err != nil {
+				if errors.Is(err, io.EOF) {
+					break
+				}
 				return err
 			}
-			_ = w.Close()
 		}
+
 	}
 	return nil
 }