fix zip-slip noise in tests

[olegbespalov]

What?

This attempts to fix the "noise" from the security tab (CodeQL reported).

Why?

Fixing such cases helps us focus on the right things.

Checklist

• I have performed a self-review of my code.
• I have added tests for my changes.
• I have run linter locally (make lint) and all checks pass.
• I have run tests locally (make tests) and all tests pass.
• I have commented on my code, particularly in hard-to-understand areas.

Related PR(s)/Issue(s)

[codecov-commenter]

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (1b478bb) 72.96% compared to head (00f789b) 72.94%.

❗ Current head 00f789b differs from pull request most recent head 4e2c93d. Consider uploading reports for the commit 4e2c93d to get more accurate results

Files	Patch %	Lines
lib/testutils/untar.go	50.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3586      +/-   ##
==========================================
- Coverage   72.96%   72.94%   -0.02%     
==========================================
  Files         280      280              
  Lines       20949    20952       +3     
==========================================
- Hits        15285    15283       -2     
- Misses       4693     4697       +4     
- Partials      971      972       +1     

Flag	Coverage Δ
macos	72.88% <50.00%> (?)
ubuntu	72.89% <50.00%> (-0.02%)	⬇️
windows	72.79% <50.00%> (-0.03%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mstoykov]

LGTM in general.

I don't think we have ever been fulnerable to this as this more or less only goes in memory, but I guess some shenanigans were still possible with ../https/hostname.com/path .. but I still have no idea why that will be useful 🤷

I personally do not want to touch code that plays with filepath as unfortunately it is quite ... funky with us having paths from windows but running on linux and vice-versa.

This seems to not break any tests, and given that filepath.Join already does Clean (which is by far the thing that IIRC breaks most stuff) - hopefully nothing new will break 🤞

[mstoykov]

nit: Pretty sure there is no need to call Clean before Join

[olegbespalov]

Having no filepath.Clean here will trigger golang-ci lint (see the omitting lines).

[olegbespalov]

First, I share with you the opinion that the code is not vulnerable for the reasons you mention (like in memory).

but I still have no idea why that will be useful 🤷

Still, the primary purpose of doing this for me is to fix the Security tab noise. I'd like to have these 0 issues as the standard state. And if something appears there, it's a signal for checking. And for sure, I don't want to make calculations like there are two known, so when it will be 3, I need to check. Using the simple flow, 0, or anything else is better.

Now, we have two options to reach this state: omit it inline or try fixing it. In choosing between these two options, I feel that it's worth trying to go with the fixing first instead of just omitting inline.