From bcac4e581fc9fd05a749d6653b1276f995b63fe8 Mon Sep 17 00:00:00 2001
From: encalada
Date: Fri, 13 Oct 2023 15:55:16 +0200
Subject: [PATCH] Sanitize file target paths

In order to reduce risk of directory traversal attack
---
 pkg/bundle/bundle.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pkg/bundle/bundle.go b/pkg/bundle/bundle.go
index 44a932222..38cf216ed 100644
--- a/pkg/bundle/bundle.go
+++ b/pkg/bundle/bundle.go
@@ -240,6 +240,10 @@ func Unpack(in io.Reader, targetPath string) error {
 }
 
 var target = filepath.Join(targetPath, header.Name)
+if strings.Contains(target, "..") {
+return fmt.Errorf("targetPath validation failed, path contains unexpected special elements")
+}
+
 switch header.Typeflag {
 case tar.TypeDir:
 if err := os.MkdirAll(target, os.FileMode(header.Mode)); err != nil {
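Review bot: The substring test runs on `target` after `filepath.Join`, which cleans the path, so an entry named `../../x` joined onto an absolute targetPath (or any targetPath with enough leading components to absorb the `..`) produces a path with no `..` left in it, passes the check, and still lands outside the extraction directory; conversely a legitimate name such as `a..b` is rejected, and every entry is rejected when targetPath itself contains `..`. Validate the raw entry name before it is cleaned, `if !filepath.IsLocal(header.Name) {` (Go 1.20+), or on older toolchains compute `rel, err := filepath.Rel(targetPath, target)` and reject when `err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))`. Whether symlink and hardlink entries are also constrained to stay inside targetPath is not visible in this hunk and is worth confirming, since a cleaned-path check alone does not cover them. Unpack begins and ends outside the hunk.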