fix zizmor issues

Signed-off-by: abzcoding <[email protected]>

Author: abzcoding

.github/workflows/build.yml

@@ -6,11 +6,16 @@ on:
   pull_request:
     branches: [ "master" ]
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+
 
     - name: Set up Go
       uses: actions/setup-go@v4

.github/workflows/release.yml

@@ -4,6 +4,7 @@ on:
   push:
     tags:
       - 'v*'
+permissions: {}
 
 jobs:
   goreleaser:
@@ -13,11 +14,13 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
           go-version: '1.24'
+          cache: false
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v5

util.go

@@ -75,15 +75,10 @@ func FolderOf(urlStr string) string {
 	fullQualifyPath, err := filepath.Abs(filepath.Join(homeDir, dataFolder, cleanPath))
 	FatalCheck(err)
 
-	// Double-check to ensure full qualify path is CHILD of safe path
-	// to prevent directory traversal attack
-	relative, err := filepath.Rel(safePath, fullQualifyPath)
-	FatalCheck(err)
-
-	if strings.Contains(relative, "..") {
-		FatalCheck(errors.New("you may be a victim of directory traversal path attack"))
-		return "" // Return is redundant because FatalCheck will panic
+	if !strings.HasPrefix(fullQualifyPath, safePath) {
+		FatalCheck(errors.New("path traversal attempt detected"))
 	}
+
 	return fullQualifyPath
 }