@@ -33,6 +33,10 @@ type ErrInvalidPath struct {
3333 errors.WrappableError
3434}
3535
36+ // PathIsUnderCurrentDirectory checks whether the `path`
37+ // is under the current working directory. Examples:
38+ // ./file, ./some/path, ../<cwd>.file would return `nil`.
39+ // `../etc/password` would return an error.
3640func PathIsUnderCurrentDirectory (path string ) error {
3741 wd , err := os .Getwd ()
3842 if err != nil {
@@ -51,6 +55,9 @@ func PathIsUnderCurrentDirectory(path string) error {
5155 return nil
5256}
5357
58+ // VerifyAttestationPath verifies that the path of an attestation
59+ // is valid. It checks that the path is under the current working directory
60+ // and that the extension of the file is `intoto.jsonl`.
5461func VerifyAttestationPath (path string ) error {
5562 if ! strings .HasSuffix (path , "intoto.jsonl" ) {
5663 return errors .Errorf (& ErrInvalidPath {}, "invalid suffix: %q. Must be .intoto.jsonl" , path )
@@ -61,6 +68,9 @@ func VerifyAttestationPath(path string) error {
6168 return nil
6269}
6370
71+ // CreateNewFileUnderCurrentDirectory create a new file under the current directory
72+ // and fails if the file already exists. The file is always created with the pemisisons
73+ // `0o600`.
6474func CreateNewFileUnderCurrentDirectory (path string , flag int ) (io.Writer , error ) {
6575 if path == "-" {
6676 return os .Stdout , nil
@@ -71,5 +81,10 @@ func CreateNewFileUnderCurrentDirectory(path string, flag int) (io.Writer, error
7181 }
7282
7383 // Ensure we never overwrite an existing file.
74- return os .OpenFile (filepath .Clean (path ), flag | os .O_CREATE | os .O_EXCL , 0o600 )
84+ fp , err := os .OpenFile (filepath .Clean (path ), flag | os .O_CREATE | os .O_EXCL , 0o600 )
85+ if err != nil {
86+ return nil , errors .Errorf (& ErrInternal {}, "os.OpenFile(): %v" , err )
87+ }
88+
89+ return fp , nil
7590}
0 commit comments