chore: comment no-lint on gosec for unsafe zip extracting (#20741)

2026-06-02 20:48:20 +00:00 · 2025-11-12 10:42:16 -06:00
parent 7c8deaf0d6
commit c47b437c12
1 changed files with 1 additions and 1 deletions
@@ -104,7 +104,7 @@ func (l Layout) ExtractArchive(ctx context.Context, logger slog.Logger, fs afero
 			return xerrors.Errorf("refusing to extract to non-local path")
 		}

-		// nolint: gosec // TODO: Use relative paths inside the workdir only.
+		// nolint: gosec // Safe to no-lint because the filepath.IsLocal check above.
 		headerPath := filepath.Join(l.WorkDirectory(), header.Name)
 		if !strings.HasPrefix(headerPath, filepath.Clean(l.WorkDirectory())) {
 			return xerrors.New("tar attempts to target relative upper directory")