From b163844aee60eb96e841739c9fb7efe4593731c1 Mon Sep 17 00:00:00 2001
From: Chris Doherty
Date: Fri, 17 Nov 2023 11:28:52 -0600
Subject: [PATCH] Patch malicious tarballs

Tarballs with files containing directory traversal components can write files to unintended locations. This change ensures the Untar function will error when a given tarball has a traversal component (..). See https://cwe.mitre.org/data/definitions/22.html
---
 pkg/tar/untar.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/tar/untar.go b/pkg/tar/untar.go
index 5cf746994d6ba..9c2502f2ac1fc 100644
--- a/pkg/tar/untar.go
+++ b/pkg/tar/untar.go
@@ -2,8 +2,10 @@ package tar
 
 import (
 	"archive/tar"
+	"fmt"
 	"io"
 	"os"
+	"strings"
 )
 
 func UntarFile(tarFile, dstFolder string) error {
@@ -32,6 +34,12 @@ func Untar(source io.Reader, router Router) error {
 			continue
 		}
 
+		// Prevent malicous directory traversals.
+		// https://cwe.mitre.org/data/definitions/22.html
+		if !strings.Contains(header.Name, "..") {
+			return fmt.Errorf("file in tarball contains a directory traversal component (..): %v", header.Name)
+		}
+
 		info := header.FileInfo()
 		if info.IsDir() {
 			if err = os.MkdirAll(path, info.Mode()); err != nil {
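Review bot: The guard added in the second hunk is inverted: `!strings.Contains(header.Name, "..")` returns the traversal error for every entry whose name does not contain `..` and lets the entries it is meant to reject through, so ordinary tarballs stop extracting after the first entry while the CWE-22 case stays open; the condition should read `if strings.Contains(header.Name, "..") {`. Even with the sign fixed, a substring test is coarser than the property being enforced — a legitimate name such as `a..b` is refused, and an absolute `header.Name` is not caught — so the more robust form is to clean the joined destination path and confirm it still lies under the extraction root, which needs the code that computes `path` before this hunk. The added comment also misspells "malicious". Untar begins and ends outside the hunk.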