fix ValidateURI

cloudposse · Jan 21, 2025 · 4b3c662 · 4b3c662
1 parent d0490de
commit 4b3c662
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/internal/exec/go_getter_utils.go b/internal/exec/go_getter_utils.go
@@ -27,7 +27,11 @@ func ValidateURI(uri string) error {
 	if len(uri) > 2048 {
 		return fmt.Errorf("URI exceeds maximum length of 2048 characters")
 	}
-
+	// Add more validation as needed
+	// Validate URI format
+	if strings.Contains(uri, "..") {
+		return fmt.Errorf("URI cannot contain path traversal sequences")
+	}
 	if strings.Contains(uri, " ") {
 		return fmt.Errorf("URI cannot contain spaces")
 	}
@@ -57,7 +61,6 @@ func IsValidScheme(scheme string) bool {
 		"git":        true,
 		"ssh":        true,
 		"git::https": true,
-		"file":       true,
 	}
 	return validSchemes[scheme]
 }

diff --git a/internal/exec/vendor_utils.go b/internal/exec/vendor_utils.go
@@ -362,12 +362,14 @@ func ExecuteAtmosVendorInternal(
 		if err != nil {
 			return err
 		}
-		err = ValidateURI(uri)
-		if err != nil {
-			return err
-		}
 
 		useOciScheme, useLocalFileSystem, sourceIsLocalFile := determineSourceType(&uri, vendorConfigFilePath)
+		if !useLocalFileSystem {
+			err = ValidateURI(uri)
+			if err != nil {
+				return err
+			}
+		}
 
 		// Determine package type
 		var pType pkgType