From 9a2bcf38f246966df21aa0c76c20c283344b7830 Mon Sep 17 00:00:00 2001
From: Valery Piashchynski
Date: Thu, 25 Jul 2024 15:22:18 +0200
Subject: [PATCH] fix: improper limitation of a pathname

Signed-off-by: Valery Piashchynski
---
 github/repo.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/github/repo.go b/github/repo.go
index 9b247a0..0e71369 100644
--- a/github/repo.go
+++ b/github/repo.go
@@ -141,6 +141,10 @@ func (r *GHRepo) DownloadTemplate(tmp, version string) (string, error) { //nolin
 }
 outDir := rc.File[0].Name
+ if strings.Contains(outDir, "..") {
+ return "", errors.New("CWE-22, output dir from a zip file can't contain a '..' filesystem operation, more info: https://cwe.mitre.org/data/definitions/22.html")
+ }
+
 for _, zf := range rc.File {
 r.log.Debug("extracting repository", slog.String("file", zf.Name), slog.String("path", dest))
 err = extract(dest, zf)
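Review bot: The added guard validates only `rc.File[0].Name`, but the loop that follows hands every entry to `extract(dest, zf)`, so unless `extract` re-checks each `zf.Name` (its body is outside the hunk) a later entry carrying a `..` component or an absolute path is still written relative to `dest`. A substring test is also both too strict — a legitimate name such as `foo..bar` is refused — and too loose, since it says nothing about backslash separators or a leading `/`. The robust form is to join each entry name onto `dest`, clean it, and require the result to stay under `dest`, which makes the first-entry substring check redundant. `DownloadTemplate` starts and ends outside the hunk, and `path/filepath` and `os` would need importing if the file does not already use them.
```go
	outDir := rc.File[0].Name
	cleanDest := filepath.Clean(dest)

	for _, zf := range rc.File {
		// Refuse any entry whose resolved path escapes dest (path traversal, CWE-22).
		target := filepath.Join(cleanDest, zf.Name)
		if target != cleanDest && !strings.HasPrefix(target, cleanDest+string(os.PathSeparator)) {
			return "", fmt.Errorf("CWE-22, zip entry %q resolves outside the destination directory, more info: https://cwe.mitre.org/data/definitions/22.html", zf.Name)
		}
		r.log.Debug("extracting repository", slog.String("file", zf.Name), slog.String("path", dest))
		err = extract(dest, zf)
		// … unchanged: error handling and remainder of the loop …
```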