Sanitize file target paths

In order to reduce risk of directory traversal attack
shipwright-io · Oct 13, 2023 · bcac4e5 · bcac4e5
1 parent 4bd3b46
commit bcac4e5
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go
@@ -240,6 +240,10 @@ func Unpack(in io.Reader, targetPath string) error {
 		}
 
 		var target = filepath.Join(targetPath, header.Name)
+		if strings.Contains(target, "..") {
+			return fmt.Errorf("targetPath validation failed, path contains unexpected special elements")
+		}
+
 		switch header.Typeflag {
 		case tar.TypeDir:
 			if err := os.MkdirAll(target, os.FileMode(header.Mode)); err != nil {