
security: fix CodeQL command injection and path traversal alerts

- Add validatePath() helper to check path safety before external commands
- Validate paths in delete.go (moveToTrash), scanner.go (mdfind, du),
  and main.go (open command)
- Remove overly restrictive character whitelist that rejected valid
  macOS paths (Chinese, emoji, $, ;, etc.)
- Unify path validation logic across all three files

Fixes CodeQL alerts:
- Command injection in osascript (delete.go)
- Command injection in mdfind/du (scanner.go)
- Path traversal in open command (main.go)
Tw93
2026-03-14 08:24:08 +08:00
parent f6acfa774c
commit 951e395ab7
3 changed files with 67 additions and 24 deletions


@@ -409,6 +409,16 @@ func calculateDirSizeFast(root string, filesScanned, dirsScanned, bytesScanned *
// Use Spotlight (mdfind) to quickly find large files.
func findLargeFilesWithSpotlight(root string, minSize int64) []fileEntry {
// Validate root path.
if err := validatePath(root); err != nil {
return nil
}
// Validate minSize is reasonable (non-negative and not excessively large).
if minSize < 0 || minSize > 1<<50 { // 1 PB max
return nil
}
query := fmt.Sprintf("kMDItemFSSize >= %d", minSize)
ctx, cancel := context.WithTimeout(context.Background(), mdlsTimeout)
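Review bot: `return nil` after the validatePath check discards the error, so a caller of findLargeFilesWithSpotlight cannot tell a rejected root apart from a scan that simply found no large files, whereas the du hunk below propagates the same error. If the signature cannot change, at least record why the scan was skipped, e.g. `// Unsafe root: skip the Spotlight scan rather than hand it to mdfind.` above the check, or a debug log of err. validatePath's body is not in this diff; since exec.Command passes arguments without a shell, the property that matters most for the mdfind and du calls is that the path cannot be read as an option (a cleaned absolute path rules out a leading dash), which is worth confirming in that helper. The function's body continues outside the hunk.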
@@ -635,6 +645,16 @@ func getDirectorySizeFromDu(path string) (int64, error) {
}
func getDirectorySizeFromDuWithExclude(path string, excludePath string) (int64, error) {
// Validate paths.
if err := validatePath(path); err != nil {
return 0, err
}
if excludePath != "" {
if err := validatePath(excludePath); err != nil {
return 0, err
}
}
runDuSize := func(target string) (int64, error) {
if _, err := os.Stat(target); err != nil {
return 0, err