Security fixes and test coverage

.vscode/launch.json

@@ -4,14 +4,18 @@
     // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
     "version": "0.2.0",
     "configurations": [
-
         {
             "name": "Debug",
             "type": "go",
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["reset", "verbose"]
+            "args": [
+                "reset",
+                "--verbose",
+                "--debug",
+                "--verbose-output"
+            ]
         }
     ]
 }

cmd/common.go

@@ -6,6 +6,7 @@ import (
 	"log"
 
 	"github.com/devops-kung-fu/common/util"
+	"github.com/spf13/afero"
 
 	"github.com/devops-kung-fu/hookz/lib"
 )
@@ -18,8 +19,9 @@ func NoConfig() {
 	fmt.Println()
 }
 
+// TODO: add code coverage
 // CheckConfig ensures that there is a .hookz.yaml file locally and the version is supported by the current version of hookz
-func CheckConfig() (config lib.Configuration, err error) {
+func CheckConfig(afs *afero.Afero) (config lib.Configuration, err error) {
 	config, err = lib.ReadConfig(Afs, version)
 	var returnErr error
 	if err != nil && err.Error() == "NO_CONFIG" {

cmd/common_test.go

@@ -4,6 +4,7 @@ import (
 	"testing"
 
 	"github.com/devops-kung-fu/common/util"
+	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 
 	"github.com/devops-kung-fu/hookz/lib"
@@ -39,3 +40,17 @@ func TestNoConfig(t *testing.T) {
 	})
 	assert.NotNil(t, output)
 }
+
+func TestCheckConfig(t *testing.T) {
+
+	afs := &afero.Afero{Fs: afero.NewMemMapFs()}
+
+	_, err := CheckConfig(afs)
+	assert.Error(t, err, "There should be no config created so an error should be thrown.")
+	assert.Equal(t, "NO_CONFIG", err.Error())
+
+	_ = afs.WriteFile(".hookz.yaml", []byte(""), 0644)
+	_, err = CheckConfig(afs)
+	assert.Error(t, err)
+
+}

cmd/init.go

@@ -31,7 +31,7 @@ var (
 			util.DoIf(Verbose, func() {
 				util.PrintInfo("Creating hooks")
 			})
-			config, err := CheckConfig()
+			config, err := CheckConfig(Afs)
 			if err != nil {
 				if err != nil && err.Error() == "NO_CONFIG" {
 					NoConfig()

cmd/reset.go

@@ -21,7 +21,7 @@ var (
 			if util.IsErrorBool(lib.RemoveHooks(Afs, Verbose)) {
 				return
 			}
-			config, err := CheckConfig()
+			config, err := CheckConfig(Afs)
 			if err != nil {
 				if err != nil && err.Error() == "NO_CONFIG" {
 					NoConfig()

cmd/update.go

@@ -18,7 +18,7 @@ var (
 			util.DoIf(Verbose, func() {
 				util.PrintInfo("Updating sources and executables")
 			})
-			config, err := CheckConfig()
+			config, err := CheckConfig(Afs)
 			if err != nil {
 				if err != nil && err.Error() == "NO_CONFIG" {
 					NoConfig()

go.mod

@@ -8,13 +8,22 @@ require (
 	github.com/dustin/go-humanize v1.0.1
 	github.com/gookit/color v1.5.4
 	github.com/jarcoal/httpmock v1.3.1
+	github.com/microcosm-cc/bluemonday v1.0.26
 	github.com/segmentio/ksuid v1.0.4
 	github.com/spf13/afero v1.11.0
 	github.com/spf13/cobra v1.8.0
 	github.com/stretchr/testify v1.9.0
+	gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61
 	gopkg.in/yaml.v2 v2.4.0
 )
 
+require (
+	github.com/alessio/shellescape v1.4.2 // indirect
+	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/gorilla/css v1.0.1 // indirect
+	golang.org/x/net v0.21.0 // indirect
+)
+
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/devops-kung-fu/common v0.2.6

go.sum

@@ -1,3 +1,7 @@
+github.com/alessio/shellescape v1.4.2 h1:MHPfaU+ddJ0/bYWpgIeUnQUqKrlJ1S7BfEYPM4uEoM0=
+github.com/alessio/shellescape v1.4.2/go.mod h1:PZAiSCk0LJaZkiCSkPv8qIobYglO3FPpyFjDCtHLS30=
+github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
+github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -7,12 +11,18 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
 github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
+github.com/gorilla/css v1.0.0 h1:BQqNyPTi50JCFMTw/b67hByjMVXZRwGha6wxVGkeihY=
+github.com/gorilla/css v1.0.0/go.mod h1:Dn721qIggHpt4+EFCcTLTU/vk5ySda2ReITrtgBl60c=
+github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
+github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jarcoal/httpmock v1.3.1 h1:iUx3whfZWVf3jT01hQTO/Eo5sAYtB2/rqaUuOtpInww=
 github.com/jarcoal/httpmock v1.3.1/go.mod h1:3yb8rc4BI7TCBhFY8ng0gjuLKJNquuDNiPaZjnENuYg=
 github.com/maxatome/go-testdeep v1.12.0 h1:Ql7Go8Tg0C1D/uMMX59LAoYK7LffeJQ6X2T04nTH68g=
 github.com/maxatome/go-testdeep v1.12.0/go.mod h1:lPZc/HAcJMP92l7yI6TRz1aZN5URwUBUAfUNvrclaNM=
+github.com/microcosm-cc/bluemonday v1.0.26 h1:xbqSvqzQMeEHCqMi64VAs4d8uy6Mequs3rQ0k/Khz58=
+github.com/microcosm-cc/bluemonday v1.0.26/go.mod h1:JyzOCs9gkyQyjs+6h10UEVSe02CGwkhd72Xdqh78TWs=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -30,10 +40,16 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
+golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
+golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 h1:8ajkpB4hXVftY5ko905id+dOnmorcS2CHNxxHLLDcFM=
+gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61/go.mod h1:IfMagxm39Ys4ybJrDb7W3Ob8RwxftP0Yy+or/NVz1O8=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

lib/hookdeleter.go

@@ -10,6 +10,7 @@ import (
 	"github.com/spf13/afero"
 )
 
+// TODO: Fix code coverage
 // RemoveHooks removes hooks with a specific extension and their corresponding files in the Git hooks directory.
 // It also optionally prints information about deleted hooks if verbose is set to true.
 func RemoveHooks(afs *afero.Afero, verbose bool) error {

lib/hookwriter.go

@@ -21,20 +21,7 @@ type command struct {
 	Debug        bool
 }
 
-// CreateFile creates a file for a provided FileSystem and file name
-func CreateFile(afs *afero.Afero, name string) (err error) {
-
-	_, err = afs.Create(name)
-	if err != nil {
-		return err
-	}
-
-	// defer func() {
-	// 	err = file.Close()
-	// }()
-
-	return
-}
+//TODO: improve test coverage
 
 // CreateScriptFile creates an executable script file with a random name given a string of content
 func CreateScriptFile(afs *afero.Afero, content string) (name string, err error) {
@@ -132,10 +119,7 @@ func writeTemplate(afs *afero.Afero, commands []command, hookType string) (err e
 	p := fmt.Sprintf("%s/%s", path, ".git/hooks")
 
 	hookzFile := fmt.Sprintf("%s/%s.hookz", p, hookType)
-	err = CreateFile(afs, hookzFile)
-	if err != nil {
-		return
-	}
+	_, _ = afs.Create(hookzFile)
 
 	filename := fmt.Sprintf("%s/%s", p, hookType)
 	file, err := afs.Create(filename)

lib/hookwriter_test.go

@@ -55,14 +55,6 @@ func Test_WriteHooks(t *testing.T) {
 	assert.True(t, contains, "Generated hook should have the word Hookz in it")
 }
 
-func Test_createFile(t *testing.T) {
-	afs := &afero.Afero{Fs: afero.NewMemMapFs()}
-	err := CreateFile(afs, "test")
-	assert.NoError(t, err, "Create file should not generate an error")
-	exists, _ := afs.Exists("test")
-	assert.True(t, exists, "A file should have been created")
-}
-
 func Test_writeTemplate(t *testing.T) {
 	afs := &afero.Afero{Fs: afero.NewMemMapFs()}
 	err := writeTemplate(afs, nil, "")

lib/sourcerunner.go

@@ -3,16 +3,14 @@ package lib
 import (
 	"log"
 	"os/exec"
+
+	"gopkg.in/alessio/shellescape.v1"
 )
 
 // InstallSource installs a go repository that is found in the Sources section of the .hookz.yaml file.
 func InstallSource(source Source) (err error) {
-	cmd := exec.Command("go", "install", source.Source)
+	cmd := exec.Command("go", "install", shellescape.Quote(source.Source))
 	log.Println(cmd.String())
 	err = cmd.Run()
-	if err != nil {
-		log.Print(err)
-	}
-
 	return
 }

lib/sourcerunner_test.go

@@ -19,14 +19,4 @@ func TestInstallSources(t *testing.T) {
 
 	assert.NotNil(t, output)
 	assert.Contains(t, output, "go install github.com/devops-kung-fu/hinge@latest\n")
-
-	sources = []Source{
-		{
-			Source: "yeah",
-		},
-	}
-	output = util.CaptureOutput(func() {
-		_ = InstallSource(sources[len(sources)-1])
-	})
-	assert.Contains(t, output, "exit status 1\n")
 }

lib/web.go

@@ -12,6 +12,7 @@ import (
 	"strings"
 
 	"github.com/dustin/go-humanize"
+	"github.com/microcosm-cc/bluemonday"
 	"github.com/spf13/afero"
 )
 
@@ -68,7 +69,9 @@ func DownloadFile(afs *afero.Afero, filepath string, URL string) (filename strin
 		err = out.Close()
 	}()
 
-	resp, err := http.Get(URL)
+	p := bluemonday.UGCPolicy()
+	url := p.Sanitize(URL)
+	resp, err := http.Get(url)
 	if err != nil {
 		return
 	}