chore: comment no-lint on gosec for unsafe zip extracting (#20741)

Emyrk · web-flow · commit c47b437c127e · 2025-11-12T10:42:16.000-06:00
diff --git a/provisionersdk/tfpath/tfpath.go b/provisionersdk/tfpath/tfpath.go
@@ -104,7 +104,7 @@ func (l Layout) ExtractArchive(ctx context.Context, logger slog.Logger, fs afero
 			return xerrors.Errorf("refusing to extract to non-local path")
 		}
 
-		// nolint: gosec // TODO: Use relative paths inside the workdir only.
+		// nolint: gosec // Safe to no-lint because the filepath.IsLocal check above.
 		headerPath := filepath.Join(l.WorkDirectory(), header.Name)
 		if !strings.HasPrefix(headerPath, filepath.Clean(l.WorkDirectory())) {
 			return xerrors.New("tar attempts to target relative upper directory")

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ func (l Layout) ExtractArchive(ctx context.Context, logger slog.Logger, fs afero`
`104`	`104`	`return xerrors.Errorf("refusing to extract to non-local path")`
`105`	`105`	`}`
`106`	`106`
`107`		`- // nolint: gosec // TODO: Use relative paths inside the workdir only.`
	`107`	`+ // nolint: gosec // Safe to no-lint because the filepath.IsLocal check above.`
`108`	`108`	`headerPath := filepath.Join(l.WorkDirectory(), header.Name)`
`109`	`109`	`if !strings.HasPrefix(headerPath, filepath.Clean(l.WorkDirectory())) {`
`110`	`110`	`return xerrors.New("tar attempts to target relative upper directory")`