Vulnerability Fix

[Jdubrick]

Please specify the area for this PR
Vulnerability fixes

What does does this PR do / why we need it:
This PR aims to add a fix that ensures no malicious files can be added to an archive.tar file that is being read. Currently the filepath.Join and filepath.Clean functions are not properly accounting for paths added in a relative fashion (ie. "../../filename") and only properly cleans file paths that start with a leading slash. This fix adds that leading slash to all filepaths (relative or absolute) before the cleaning process, this ensures that no filepath can leave the confines of its parent by escaping out. The cleaning process removes any redundant double slashes that may arise because we are prepending the leading slash.

Which issue(s) this PR fixes:

No public issue

PR acceptance criteria:

• Test Coverage
  • Are your changes sufficiently tested, and are any applicable test cases added or updated to cover your changes?

Documentation (WIP)

• Does the REST API doc need to be updated with your changes?
• Does the registry library doc need to be updated with your changes?

How to test changes / Special notes to the reviewer:

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (35722ec) 35.58% compared to head (10b01bc) 35.58%.
Report is 2 commits behind head on main.

❗ Current head 10b01bc differs from pull request most recent head c58fc85. Consider uploading reports for the commit c58fc85 to get more accurate results

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #197   +/-   ##
=======================================
  Coverage   35.58%   35.58%           
=======================================
  Files           7        7           
  Lines        1360     1360           
=======================================
  Hits          484      484           
  Misses        829      829           
  Partials       47       47           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[michael-valdron]

With this fix, we should try removing the following line to enforce the safety of this with gosec: https://github.com/Jdubrick/registry-support/blob/10b01bc136bd082f59b1ac0c91797f4065792d7b/registry-library/library/util.go#L125

[michael-valdron]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Jdubrick, michael-valdron

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Jdubrick,michael-valdron]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cebarks]

This has been assigned CVE-2024-1485 by Red Hat.