fix sec

pkg/repository/repository.go

@@ -182,7 +182,7 @@ func (l *LazyRepository) WriteBlob(ID Identifier) (io.Writer, error) {
 	path := l.DataPath(ID)
 
 	slog.Debug("loading write buffer...", "id", ID)
-	dst, err := os.OpenFile(filepath.Join(path, "data.tar.gz"), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+	dst, err := os.OpenFile(filepath.Clean(filepath.Join(path, "data.tar.gz")), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open destination file: %w", err)
 	}
@@ -195,7 +195,7 @@ func (l *LazyRepository) WriteMetadata(id GameIdentifier, m Metadata) error {
 	path := l.DataPath(id)
 
 	slog.Debug("writing metadata", "id", id, "metadata", m)
-	dst, err := os.OpenFile(filepath.Join(path, "metadata.json"), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+	dst, err := os.OpenFile(filepath.Clean(filepath.Join(path, "metadata.json")), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to open destination file: %w", err)
 	}
@@ -213,7 +213,7 @@ func (l *LazyRepository) Metadata(id GameIdentifier) (Metadata, error) {
 	path := l.DataPath(id)
 
 	slog.Debug("loading metadata", "id", id)
-	src, err := os.OpenFile(filepath.Join(path, "metadata.json"), os.O_RDONLY, 0)
+	src, err := os.OpenFile(filepath.Clean(filepath.Join(path, "metadata.json")), os.O_RDONLY, 0)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return Metadata{}, ErrNotFound
@@ -272,7 +272,7 @@ func (l *LazyRepository) Backup(id BackupIdentifier) (Backup, error) {
 func (l *LazyRepository) LastScan(id GameIdentifier) (time.Time, error) {
 	path := l.DataPath(id)
 
-	data, err := os.ReadFile(filepath.Join(path, ".last_run"))
+	data, err := os.ReadFile(filepath.Clean(filepath.Join(path, ".last_run")))
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return time.Time{}, nil
@@ -292,7 +292,7 @@ func (l *LazyRepository) ResetLastScan(id GameIdentifier) error {
 	path := l.DataPath(id)
 
 	slog.Debug("resetting last scan datetime for", "id", id)
-	f, err := os.OpenFile(filepath.Join(path, ".last_run"), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+	f, err := os.OpenFile(filepath.Clean(filepath.Join(path, ".last_run")), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to open file: %w", err)
 	}
@@ -311,7 +311,7 @@ func (l *LazyRepository) ReadBlob(id Identifier) (io.ReadSeekCloser, error) {
 	path := l.DataPath(id)
 
 	slog.Debug("loading read buffer...", "id", id)
-	dst, err := os.OpenFile(filepath.Join(path, "data.tar.gz"), os.O_RDONLY, 0)
+	dst, err := os.OpenFile(filepath.Clean(filepath.Join(path, "data.tar.gz")), os.O_RDONLY, 0)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return nil, fmt.Errorf("failed to open blob: %w", ErrNotFound)
@@ -325,7 +325,7 @@ func (l *LazyRepository) ReadBlob(id Identifier) (io.ReadSeekCloser, error) {
 func (l *LazyRepository) SetRemote(id GameIdentifier, url string) error {
 	path := l.DataPath(id)
 
-	src, err := os.OpenFile(filepath.Join(path, "remote.json"), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
+	src, err := os.OpenFile(filepath.Clean(filepath.Join(path, "remote.json")), os.O_CREATE|os.O_TRUNC|os.O_WRONLY, 0600)
 	if err != nil {
 		return fmt.Errorf("failed to open remote description: %w", err)
 	}
@@ -345,7 +345,7 @@ func (l *LazyRepository) SetRemote(id GameIdentifier, url string) error {
 func (l *LazyRepository) Remote(id GameIdentifier) (*Remote, error) {
 	path := l.DataPath(id)
 
-	src, err := os.OpenFile(filepath.Join(path, "remote.json"), os.O_RDONLY, 0)
+	src, err := os.OpenFile(filepath.Clean(filepath.Join(path, "remote.json")), os.O_RDONLY, 0)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			return nil, nil