Security: Don't allow tar files containing a ".."

2025-10-31 00:07:43 +02:00 · 2022-08-07 00:26:18 +12:00
parent 788e390e01
commit 544f0175d9
1 changed files with 5 additions and 0 deletions
--- a/updater/targz.go
+++ b/updater/targz.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 	"syscall"
 )

@@ -184,6 +185,10 @@ func extract(filePath string, directory string) error {
 		}

 		fileInfo := header.FileInfo()
+		// paths could contain a '..', is used in a file system operations
+		if strings.Contains(fileInfo.Name(), "..") {
+			continue
+		}
 		dir := filepath.Join(directory, filepath.Dir(header.Name))
 		filename := filepath.Join(dir, fileInfo.Name())