[security] Fix path injection
quentinguidee committed Sep 25, 2023
1 parent 2c770d4 commit 45f3b28
Showing 1 changed file with 8 additions and 0 deletions.
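--- a/pkg/varchiver/tar.go
+++ b/pkg/varchiver/tar.go
@@ -33,6 +33,10 @@ func Unzip(src string, dest string) error {
 
 p := path.Join(dest, header.Name)
 
+if !filepath.IsLocal(p) {
+return ErrMustBeLocal
+}
+
 if header.FileInfo().IsDir() {
 err = os.MkdirAll(p, os.ModePerm)
 if err != nil {
@@ -108,6 +112,10 @@ func Untar(src string, dest string) error {
 
 p := path.Join(dest, header.Name)
 
+if !filepath.IsLocal(p) {
+return ErrMustBeLocal
+}
+
 switch header.Typeflag {
 case tar.TypeDir:
 err = os.MkdirAll(p, os.ModePerm)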
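Review bot: The new `filepath.IsLocal(p)` guard in Unzip, and the identical one in Untar, is applied to the already-joined path rather than to the archive entry name, so it does not establish that the entry stays under `dest`. `path.Join` cleans its result, which means that with a relative `dest` a `..` component in `header.Name` can collapse into a path that still passes IsLocal while resolving outside `dest`; with an absolute `dest` every `p` is non-local and every entry is rejected with ErrMustBeLocal. Validating the untrusted name before the join covers both cases: `if !filepath.IsLocal(header.Name) { return ErrMustBeLocal }`. IsLocal is a purely lexical check, so if Untar's `switch header.Typeflag` (which continues outside the hunk) handles symlink or hard-link entries, their link targets would need a separate containment check. A short comment on the guard stating that it rejects entries escaping the extraction root would also help the next reader.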
