feat(usage-view): address security issues from linter

Signed-off-by: Michal Wasilewski <[email protected]>
spacelift-io · Jan 24, 2024 · b89d328 · b89d328
1 parent a4b3ac0
commit b89d328
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,5 @@ key.*
 *.asc
 
 completions
+
+*.csv
diff --git a/internal/cmd/profile/usage_view_csv_command.go b/internal/cmd/profile/usage_view_csv_command.go
@@ -7,6 +7,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
 
 	"github.com/urfave/cli/v2"
 
@@ -65,13 +66,13 @@ func usageViewCSVCommand() *cli.Command {
 			}
 
 			// save response to a file
-			var filename string
+			var filePath string
 			if !ctx.IsSet(flagUsageViewCSVFile.Name) {
-				filename = fmt.Sprintf("usage-%s-%s-%s.csv", args.aspect, args.since, args.until)
+				filePath = fmt.Sprintf("./usage-%s-%s-%s.csv", args.aspect, args.since, args.until)
 			} else {
-				filename = ctx.String(flagUsageViewCSVFile.Name)
+				filePath = filepath.Clean(ctx.String(flagUsageViewCSVFile.Name))
 			}
-			fd, err := os.OpenFile("./"+filename, os.O_CREATE|os.O_WRONLY|os.O_EXCL, 0644)
+			fd, err := os.OpenFile(filePath, os.O_CREATE|os.O_WRONLY|os.O_EXCL, 0600)
 			if err != nil {
 				return fmt.Errorf("failed to open a file descriptor: %w", err)
 			}
@@ -82,7 +83,7 @@ func usageViewCSVCommand() *cli.Command {
 			if err != nil {
 				return fmt.Errorf("failed to write the response to a file: %w", err)
 			}
-			log.Println("Usage data saved to", filename)
+			log.Println("Usage data saved to", filePath)
 			return nil
 		},
 	}