thediveo
diff --git a/‎.github/workflows/buildandtest.yaml
Lines changed: 8 additions & 5 deletions b/‎.github/workflows/buildandtest.yaml
Lines changed: 8 additions & 5 deletions
diff --git a/‎.github/workflows/codeql-analysis.yaml
Lines changed: 39 additions & 0 deletions b/‎.github/workflows/codeql-analysis.yaml
Lines changed: 39 additions & 0 deletions
diff --git a/‎.github/workflows/codeql-analysis.yml
Lines changed: 0 additions & 67 deletions b/‎.github/workflows/codeql-analysis.yml
Lines changed: 0 additions & 67 deletions
diff --git a/‎Makefile
Lines changed: 8 additions & 2 deletions b/‎Makefile
Lines changed: 8 additions & 2 deletions
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎doc.go
Lines changed: 0 additions & 2 deletions b/‎doc.go
Lines changed: 0 additions & 2 deletions
diff --git a/‎evalsymlink.go
Lines changed: 4 additions & 5 deletions b/‎evalsymlink.go
Lines changed: 4 additions & 5 deletions
diff --git a/‎evalsymlink_test.go
Lines changed: 49 additions & 9 deletions b/‎evalsymlink_test.go
Lines changed: 49 additions & 9 deletions
diff --git a/‎go.mod
Lines changed: 18 additions & 4 deletions b/‎go.mod
Lines changed: 18 additions & 4 deletions
@@ -2,7 +2,11 @@ name: build and test
 on:
   push:
     branches:
-    - master
+      - master
+  pull_request:
+    branches:
+      - master
+      - develop
 
 jobs:
 
@@ -11,18 +15,17 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ '1.19', '1.20' ]
+        go: [ 'stable', 'oldstable' ]
     steps:
 
       - name: Set up Go ${{matrix.go}}
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # pin@v3
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # pin@v4
         with:
           go-version: ${{matrix.go}}
         id: go
 
       - name: Check out code into the Go module directory
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # pin@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
 
       - name: Test
         run: go test -v -p=1 -race ./...
-        
 
@@ -0,0 +1,39 @@
+name: 'CodeQL'
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '02 42 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # pin@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # pin@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # pin@v2
@@ -1,4 +1,4 @@
-.PHONY: help clean pkgsite report test
+.PHONY: help clean coverage pkgsite report test vuln grype
 
 help: ## list available targets
 	@# Shamelessly stolen from Gomega's Makefile
@@ -18,4 +18,10 @@ report: ## run goreportcard on this module
 	@scripts/goreportcard.sh
 
 test: ## run unit tests
-	go test -v -p=1 -race ./...
+	go test -v -count=1 -p=1 -race ./...
+
+vuln: ## run go vulnerabilities check
+	@scripts/vuln.sh
+
+grype: ## run grype vul scan on sources
+	@scripts/grype.sh
@@ -4,7 +4,7 @@
 [![GitHub](https://img.shields.io/github/license/thediveo/procfsroot)](https://img.shields.io/github/license/thediveo/procfsroot)
 ![build and test](https://github.com/thediveo/procfsroot/workflows/build%20and%20test/badge.svg?branch=master)
 [![Go Report Card](https://goreportcard.com/badge/github.com/thediveo/procfsroot)](https://goreportcard.com/report/github.com/thediveo/procfsroot)
-![Coverage](https://img.shields.io/badge/Coverage-96.8%25-brightgreen)
+![Coverage](https://img.shields.io/badge/Coverage-96.9%25-brightgreen)
 
 `procfsroot` is a small Go module that helps with accessing file system paths
 containing absolute symbolic links that are to be taken relative (sic!) to a
 
@@ -1,12 +1,10 @@
 /*
-
 Package procfsroot helps with accessing file system paths containing absolute
 symbolic links that are to be taken relative (sic!) to a particular root path.
 
 A typical use case is accessing paths inside /proc/[PID]/root "wormholes" in the
 proc file system. Symbolic links are properly resolved and kept inside a given
 root path, prohibiting rogue relative symbolic links from breaking out of, for
 example, a procfs /proc/[PID]/root "wormhole".
-
 */
 package procfsroot
@@ -16,7 +16,7 @@ package procfsroot
 
 import (
 	"errors"
-	"os"
+	"io/fs"
 	"path"
 	"syscall"
 )
@@ -117,12 +117,11 @@ func EvalSymlinks(abspath, root string, pathhandling EvalSymlinkPathHandling) (s
 			break
 		}
 		wormpath := root + dest
-		stat, err := os.Lstat(wormpath)
+		stat, err := slinker.Lstat(wormpath)
 		if err != nil {
 			return "", err
 		}
-		// For compatibility with pre-1.16 use "os" instead of "fs"
-		if stat.Mode()&os.ModeSymlink == 0 {
+		if stat.Mode()&fs.ModeSymlink == 0 {
 			// Phew, ain't no symlink, so to ensure that -- with the exception
 			// of the final component -- all other components are directories,
 			// we check this path component if necessary.
@@ -138,7 +137,7 @@ func EvalSymlinks(abspath, root string, pathhandling EvalSymlinkPathHandling) (s
 		if jumps > 255 {
 			return "", errors.New("procfsroot.EvalSymlinks: too many symlinks")
 		}
-		link, err := os.Readlink(wormpath)
+		link, err := slinker.Readlink(wormpath)
 		if err != nil {
 			return "", err
 		}
 
@@ -15,15 +15,62 @@
 package procfsroot
 
 import (
+	"os"
 	"strings"
 
+	"github.com/spf13/afero"
+
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+	. "github.com/thediveo/success"
 )
 
-const fsroot = "./test/root"
+const fsroot = "/root" // ...somewhere inside our temporary testing directory
+
+func createFile(fs afero.Fs, name string, contents string) {
+	GinkgoHelper()
+	f := Successful(fs.Create(name))
+	defer f.Close()
+	Expect(f.WriteString(contents)).Error().NotTo(HaveOccurred())
+}
+
+var _ = Describe("evil symlink chasing", Ordered, func() {
+
+	BeforeAll(func() {
+		oldslinker := slinker
+		DeferCleanup(func() { slinker = oldslinker })
+
+		tmpDir := Successful(os.MkdirTemp("", "test-evilsymlink-"))
+		DeferCleanup(func() {
+			Expect(os.RemoveAll(tmpDir)).To(Succeed())
+		})
+
+		testfs := afero.NewBasePathFs(afero.NewOsFs(), tmpDir)
+		slinker = &aferoSymlinker{testfs}
+
+		createFile(testfs, "/outofreach.txt", "This file must off-limits for symlinks inside /root")
+
+		Expect(testfs.MkdirAll(fsroot+"/a", 0770)).To(Succeed())
+		createFile(testfs, fsroot+"/a/b.txt", "just some text")
+		Expect(testfs.MkdirAll(fsroot+"/a/d", 0770)).To(Succeed())
+		createFile(testfs, fsroot+"/a/d/dummy.txt", "better than .gitkeep")
 
-var _ = Describe("evil symlink chasing", func() {
+		// Hack around afero.BasePathFs trying to make relative symlinks
+		// absolute ... something we absolutely don't need here.
+		Expect(os.Symlink("a/b.txt",
+			Successful(testfs.(*afero.BasePathFs).RealPath(fsroot+"/relsymlink")))).
+			To(Succeed())
+
+		Expect(testfs.MkdirAll(fsroot+"/unrooter", 0770)).To(Succeed())
+		Expect(os.Symlink("../../outofreach.txt",
+			Successful(testfs.(*afero.BasePathFs).RealPath(fsroot+"/unrooter/tryingtoleavethebox")))).
+			To(Succeed())
+
+		Expect(testfs.MkdirAll("/proc/self", 0770)).To(Succeed())
+		Expect(os.Symlink("../..",
+			Successful(testfs.(*afero.BasePathFs).RealPath("/proc/self/root")))).
+			To(Succeed())
+	})
 
 	It("handles simple paths", func() {
 		p, err := EvalSymlinks("/a/b.txt", fsroot, EvalFullPath)
@@ -85,13 +132,6 @@ var _ = Describe("evil symlink chasing", func() {
 		p, err := EvalSymlinks("/relsymlink", fsroot, EvalFullPath)
 		Expect(err).NotTo(HaveOccurred())
 		Expect(p).To(Equal("/a/b.txt"))
-
-		p, err = EvalSymlinks("/var/run", "/", EvalFullPath)
-		Expect(err).NotTo(HaveOccurred())
-		Expect(p).To(Equal("/run"))
-
-		Expect(EvalSymlinks("/proc/foobar1/root", "/", EvalFullPath)).
-			Error().To(HaveOccurred())
 	})
 
 	It("stays inside the wormhole", func() {
 
@@ -1,9 +1,23 @@
 module github.com/thediveo/procfsroot
 
-go 1.16
+go 1.19
+
+require golang.org/x/net v0.17.0 // indirect
+
+require (
+	github.com/onsi/ginkgo/v2 v2.13.0
+	github.com/onsi/gomega v1.28.0
+	github.com/thediveo/success v1.0.1
+)
 
 require (
-	github.com/onsi/ginkgo v1.16.5 // indirect
-	github.com/onsi/ginkgo/v2 v2.9.0
-	github.com/onsi/gomega v1.27.3
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 // indirect
+	github.com/spf13/afero v1.10.0
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.12.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )