fixing the security scanning warnings

nikhil2611 · nikhil2611 · commit b9c96b411a30 · 2025-05-06T11:29:39.000+05:30
Signed-off-by: nikhil2611 &lt;nikhilgupta2102@gmail.com&gt;
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -10,6 +10,9 @@ name: lint
       - 17-stable
       - 16-stable
 
+permissions:
+  contents: read
+
 jobs:
   chefstyle:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
@@ -9,6 +9,9 @@ on:
       - 'release/**'
   pull_request:
       types: [opened, synchronize, reopened]
+
+permissions:
+  contents: read
  
 jobs:
   sonarqube:
diff --git a/lib/ohai/loader.rb b/lib/ohai/loader.rb
@@ -100,7 +100,7 @@ def load_plugin_class(plugin_path)
       contents = ""
       begin
         logger.trace("Loading plugin at #{plugin_path}")
-        contents << IO.read(plugin_path)
+        contents << File.read(plugin_path)
       rescue IOError, Errno::ENOENT
         logger.warn("Unable to open or read plugin at #{plugin_path}")
         return nil
diff --git a/lib/ohai/mixin/ec2_metadata.rb b/lib/ohai/mixin/ec2_metadata.rb
@@ -248,10 +248,11 @@ def fetch_dynamic_data
       private
 
       def expand_path(file_name)
-        path = file_name.gsub(/\=.*$/, "/")
+        # Replace '=' only at the start of the string and avoid excessive backtracking
+        path = file_name.sub(/^=+/, "/")
         # ignore "./" and "../"
-        path.gsub(%r{/\.\.?(?:/|$)}, "/")
-          .sub(%r{^\.\.?(?:/|$)}, "")
+        path.gsub(%r{\/\.\.?(?:\/|$)}, "/")
+          .sub(%r{^\.\.?(?:\/|$)}, "")
           .sub(/^$/, "/")
       end
 
