From d1f4b0052eb3cba23152da50ec54bd4d881bb3a5 Mon Sep 17 00:00:00 2001
From: Evan Gibler <20933572+egibs@users.noreply.github.com>
Date: Sat, 23 Nov 2024 14:37:09 -0600
Subject: [PATCH] Update relative path check when extracting tar archives (#656)

Signed-off-by: egibs <20933572+egibs@users.noreply.github.com>
---
 pkg/action/archive.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/action/archive.go b/pkg/action/archive.go
index 0460a653..2024be71 100644
--- a/pkg/action/archive.go
+++ b/pkg/action/archive.go
@@ -150,8 +150,8 @@ func extractTar(ctx context.Context, d string, f string) error {
 }
 clean := filepath.Clean(header.Name)
- if filepath.IsAbs(clean) || strings.Contains(clean, "..") {
- return fmt.Errorf("invalid file path: %s", header.Name)
+ if filepath.IsAbs(clean) || strings.Contains(clean, "../") {
+ return fmt.Errorf("path is absolute or contains a relative path traversal: %s", clean)
 }
 target := filepath.Join(d, clean)