fix: disallow use of .. in tar file paths
alethenorio authored and snowytoxa committed Oct 13, 2022
1 parent 3182c05 commit 16b49a3
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion sgtool/file.go
Expand Up @@ -331,9 +331,11 @@ func (s *fileState) extractTar(reader io.Reader) error {
if name, ok := s.archiveFiles[dstName]; ok {
dstName = name
}

//nolint:gosec // allow traversal into archive
path := filepath.Join(s.dstPath, dstName)
if strings.Contains(path, "..") {
return fmt.Errorf("encountered .. inside tar filepath (%s). For security reasons, this is not allowed", path)
}

switch header.Typeflag {
case tar.TypeDir:
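Review bot: The `strings.Contains(path, "..")` test runs on the result of `filepath.Join`, which cleans its output, so `..` elements coming from `dstName` are already resolved lexically before the check; with an absolute `s.dstPath` no `..` element survives at all, and an entry that resolves outside the destination passes unnoticed. The substring match also rejects legitimate names that merely contain two consecutive dots, such as `a..b`, and fails on any `s.dstPath` that itself contains `..`. Validate the entry name before joining, for example `if !filepath.IsLocal(dstName) { return fmt.Errorf("tar entry %q escapes destination", dstName) }` (Go 1.20+), or on older toolchains reject the entry when `filepath.Rel(s.dstPath, path)` returns an error or a result beginning with `..`. `extractTar` begins and continues outside this hunk, so how link-type entries are handled in the `switch` cannot be assessed from here.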
