From baca000c39edbca589fa9889f15dc29d6851037d Mon Sep 17 00:00:00 2001
From: Radek Simko
Date: Wed, 18 Jan 2023 14:24:38 +0000
Subject: [PATCH] internal/releasesjson: Prevent path traversal (#92)
---
 internal/releasesjson/downloader.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/internal/releasesjson/downloader.go b/internal/releasesjson/downloader.go
index 28c5457..8b2097d 100644
--- a/internal/releasesjson/downloader.go
+++ b/internal/releasesjson/downloader.go
@@ -13,6 +13,7 @@ import (
 "os"
 "path/filepath"
 "runtime"
+ "strings"
 
 "github.com/hashicorp/hc-install/internal/httpclient"
 )
@@ -145,6 +146,11 @@ func (d *Downloader) DownloadAndUnpack(ctx context.Context, pv *ProductVersion,
 defer r.Close()
 
 for _, f := range r.File {
+ if strings.Contains(f.Name, "..") {
+ // While we generally trust the source ZIP file
+ // we still reject path traversal attempts as a precaution.
+ continue
+ }
 srcFile, err := f.Open()
 if err != nil {
 return pkgFilePath, err
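Review bot: `strings.Contains(f.Name, "..")` in the second hunk is a substring blocklist rather than a containment check: it also rejects benign entry names such as `a..b`, and it says nothing about absolute entry names or, on Windows, drive-qualified or backslash-separated ones, so whether those stay inside the destination depends on how the name is joined with the target directory further down, outside this hunk. A stronger check that needs no new import is `if !filepath.IsLocal(f.Name) { ... }` (Go 1.20+; `path/filepath` is already imported per the first hunk), or, at the point where the entry name is joined with the destination directory, verifying that the cleaned result still has that directory as a prefix. Silently `continue`-ing also means a crafted archive yields an incomplete, partially extracted install with no signal to the caller; for a security rejection, failing closed with `return pkgFilePath, fmt.Errorf("zip entry %q has a non-local name", f.Name)` (adding the `fmt` import if the file lacks it) is preferable to skipping the entry. The body of DownloadAndUnpack starts and ends outside the hunk.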