🐞 fix: avoid security risk by not using command directly

maxisam · Dec 14, 2023 · b896cdc · b896cdc
1 parent 55b783f
commit b896cdc
Showing 1 changed file with 20 additions and 7 deletions.
diff --git a/pkg/backup/local.go b/pkg/backup/local.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"sort"
 	"strings"
 	"time"
 
@@ -144,16 +145,28 @@ func logToFile(file string, data []byte) error {
 }
 
 func applyRetention(path string, retention int) error {
-	gz := fmt.Sprintf("cd %v && rm -f $(ls -1t *.gz *.gz.encrypted | tail -n +%v)", path, retention+1)
-	err := sh.Command("/bin/sh", "-c", gz).Run()
-	if err != nil {
+	// Function to delete files based on retention policy
+	deleteFiles := func(pattern string) error {
+		files, err := filepath.Glob(filepath.Join(path, pattern))
+		if err != nil {
+			return err
+		}
+		sort.Sort(sort.Reverse(sort.StringSlice(files)))
+		for _, file := range files[retention:] {
+			if err := os.Remove(file); err != nil {
+				return err
+			}
+		}
+		return nil
+	}
+
+	log.Debug("applying retention to *.gz* files")
+	if err := deleteFiles("*.gz*"); err != nil {
 		return errors.Wrapf(err, "removing old gz files from %v failed", path)
 	}
 
-	log.Debug("apply retention")
-	log := fmt.Sprintf("cd %v && rm -f $(ls -1t *.log | tail -n +%v)", path, retention+1)
-	err = sh.Command("/bin/sh", "-c", log).Run()
-	if err != nil {
+	log.Debug("applying retention to *.log files")
+	if err := deleteFiles("*.log"); err != nil {
 		return errors.Wrapf(err, "removing old log files from %v failed", path)
 	}