From c47b437c127e20bcbe40b411d453855c508d581b Mon Sep 17 00:00:00 2001
From: Steven Masley
Date: Wed, 12 Nov 2025 10:42:16 -0600
Subject: [PATCH] chore: comment no-lint on gosec for unsafe zip extracting (#20741)
---
 provisionersdk/tfpath/tfpath.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/provisionersdk/tfpath/tfpath.go b/provisionersdk/tfpath/tfpath.go
index 57129e6242..8662a5f096 100644
--- a/provisionersdk/tfpath/tfpath.go
+++ b/provisionersdk/tfpath/tfpath.go
@@ -104,7 +104,7 @@ func (l Layout) ExtractArchive(ctx context.Context, logger slog.Logger, fs afero
 return xerrors.Errorf("refusing to extract to non-local path")
 }
- // nolint: gosec // TODO: Use relative paths inside the workdir only.
+ // nolint: gosec // Safe to no-lint because the filepath.IsLocal check above.
 headerPath := filepath.Join(l.WorkDirectory(), header.Name)
 if !strings.HasPrefix(headerPath, filepath.Clean(l.WorkDirectory())) {
 return xerrors.New("tar attempts to target relative upper directory")
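Review bot: The new justification on the `// nolint: gosec` line claims more than the check above it can guarantee. `filepath.IsLocal` is purely lexical: it rejects absolute names and `..` escapes but says nothing about symlinks that already exist under the work directory. The `strings.HasPrefix` test that follows is lexical as well. Whether symlink entries are rejected elsewhere in ExtractArchive cannot be seen from this hunk, since the function starts and ends outside it. I would have the comment state that scope, for example `// nolint: gosec // header.Name passed filepath.IsLocal above (lexical check only; symlink entries must be handled separately).`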