Fix path traversal false positive in poutine output parsing (Alert #458) (#8802)

github-actions[bot] · web-flow · commit 8d1f356f820c · 2026-01-03T16:31:44.000-08:00
diff --git a/pkg/cli/poutine.go b/pkg/cli/poutine.go
@@ -441,6 +441,9 @@ func parseAndDisplayPoutineOutputForDirectory(stdout string, verbose bool, gitRo
 		}
 
 		// Read file content for context display
+		// #nosec G304 -- absPath is validated through: 1) filepath.Clean() normalization,
+		// 2) absolute path resolution, and 3) filepath.Rel() check ensuring it's within gitRoot
+		// (lines 414-441). Path traversal attacks are prevented by the boundary validation.
 		fileContent, err := os.ReadFile(absPath)
 		var fileLines []string
 		if err == nil {

Original file line number	Diff line number	Diff line change
`@@ -441,6 +441,9 @@ func parseAndDisplayPoutineOutputForDirectory(stdout string, verbose bool, gitRo`
`441`	`441`	`}`
`442`	`442`
`443`	`443`	`// Read file content for context display`
	`444`	`+ // #nosec G304 -- absPath is validated through: 1) filepath.Clean() normalization,`
	`445`	`+ // 2) absolute path resolution, and 3) filepath.Rel() check ensuring it's within gitRoot`
	`446`	`+ // (lines 414-441). Path traversal attacks are prevented by the boundary validation.`
`444`	`447`	`fileContent, err := os.ReadFile(absPath)`
`445`	`448`	`var fileLines []string`
`446`	`449`	`if err == nil {`