From 43f29379c3c782d801cb17bb9f6c86ee33bd4a50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleksandar=20=C4=8Cekrli=C4=87?=
Date: Wed, 29 May 2024 21:08:17 +0200
Subject: [PATCH] Fix archive extraction - skip entries that attempt directory traversal (#152)

---
 cmd/manager/bin.go | 7 +++++++
 fstore/gzip.go | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/cmd/manager/bin.go b/cmd/manager/bin.go
index b2f2f58c..d552c481 100644
--- a/cmd/manager/bin.go
+++ b/cmd/manager/bin.go
@@ -12,6 +12,7 @@ import (
 	"os/user"
 	"path/filepath"
 	"runtime"
+	"strings"
 )
 
 func installBinary(url, folder string) {
@@ -51,6 +52,12 @@ func installBinary(url, folder string) {
 		log.Fatal(err)
 	}
 
+	// Do not allow directory traversal as it's a security issue.
+	if strings.Contains(header.Name, "..") {
+		log.Printf("skipping archive entry with disallowed path")
+		continue
+	}
+
 	path := filepath.Join(targetPath, header.Name)
 	switch header.Typeflag {
 	case tar.TypeDir:
diff --git a/fstore/gzip.go b/fstore/gzip.go
index 0b311ba4..04ab933f 100644
--- a/fstore/gzip.go
+++ b/fstore/gzip.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 func (h *FStore) unpackArchive(filename string, destination string) error {
@@ -55,6 +56,12 @@ func (h *FStore) unpackArchive(filename string, destination string) error {
 		break
 	}
 
+	// Do not allow directory traversal as it's a security issue.
+	if strings.Contains(entry.Name, "..") {
+		h.log.Warn().Str("archive", filename).Str("entry", entry.Name).Msg("skipping archive entry with disallowed path")
+		continue
+	}
+
 	typ := entry.Typeflag
 	h.log.Debug().
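Review bot: The substring test `strings.Contains(header.Name, "..")` in the second cmd/manager/bin.go hunk inspects the raw entry name rather than the resolved path, so it rejects legitimate entries such as `notes..txt` while never asking the question that matters — whether `path` after `filepath.Join(targetPath, header.Name)` still lies under `targetPath`. Compute the path first and check containment with `filepath.Rel`, and log the rejected name with `%q` so a skipped entry can be traced in the logs; the second fstore/gzip.go hunk needs the same change for `entry.Name` against its destination directory. If the `switch header.Typeflag` that follows (it continues outside the hunk) handles symlink or hard-link entries, `header.Linkname` would need the same containment check, since this guard only looks at `header.Name`. installBinary and unpackArchive both begin and end outside their hunks.
```go
	path := filepath.Join(targetPath, header.Name)
	// Reject entries whose resolved path would land outside targetPath.
	rel, err := filepath.Rel(targetPath, path)
	if err != nil || rel == ".." || strings.HasPrefix(filepath.ToSlash(rel), "../") {
		log.Printf("skipping archive entry %q: path escapes %q", header.Name, targetPath)
		continue
	}
	switch header.Typeflag {
	// … unchanged: per-type handling …
```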