@@ -260,9 +260,14 @@ func (r *RepoFS) RepairSharedPerms(ctx context.Context, path string) error { |
| 260 | 260 | return fmt.Errorf("storage: repofs: git config sharedRepository: %w (output: %s)", err, strings.TrimSpace(string(out))) |
| 261 | 261 | } |
| 262 | 262 | // Walk the tree once: directories get +g+s, files get +g+w. |
| 263 | | - // We use filepath.Walk over an exec.Command(find ...) so the |
| 264 | | - // behavior is identical across Linux and macOS test harnesses. |
| 265 | | - if err := filepath.Walk(path, func(p string, info os.FileInfo, err error) error { |
| 263 | + // path is verified contained-in-root above; no symlinks span out |
| 264 | + // of the repo (bare repos don't ship with symlinks under .git/). |
| 265 | + // G122: filepath.Walk + os.Chmod is race-prone in adversarial |
| 266 | + // trees, but our writer (this process running as root or shithub) |
| 267 | + // is also the only writer for these paths, and the trees are not |
| 268 | + // user-influenced beyond the validated owner/name slugs. Operator- |
| 269 | + // only command, not user-triggered. |
| 270 | + if err := filepath.Walk(path, func(p string, info os.FileInfo, err error) error { //nolint:gosec |
| 266 | 271 | if err != nil { |
| 267 | 272 | return err |
| 268 | 273 | } |
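Review bot: The justification written above the `//nolint:gosec` on the `filepath.Walk` line does not actually hold for symlink entries: `filepath.Walk` lstat's each entry and reports a symlink without following it, but the `os.Chmod(p, newMode)` in the second hunk dereferences, so any stray symlink under the repo (a hook, a worktree link, an operator mistake) would have its target's mode rewritten — as root, per the comment — which is exactly the G122 case being suppressed. A one-line guard right after the `err != nil` check makes the suppression true by construction rather than by the "bare repos don't ship with symlinks" assumption: `if info.Mode()&os.ModeSymlink != 0 { return nil // never chmod through a link }`. The "verified contained-in-root above" check the comment relies on is outside the hunk and not visible here, so I cannot confirm what it covers; the callback's mode computation between the two hunks is also outside my view.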
@@ -274,7 +279,7 @@ func (r *RepoFS) RepairSharedPerms(ctx context.Context, path string) error { |
| 274 | 279 | if newMode == mode { |
| 275 | 280 | return nil |
| 276 | 281 | } |
| 277 | | - return os.Chmod(p, newMode) |
| 282 | + return os.Chmod(p, newMode) //nolint:gosec |
| 278 | 283 | }); err != nil { |
| 279 | 284 | return fmt.Errorf("storage: repofs: walk chmod: %w", err) |
| 280 | 285 | } |