address issue raised by CodeQL by checking for invalid paths in tarball

harp-intel · harp-intel · commit a4073d579517 · 2024-10-24T16:56:59.000-07:00
diff --git a/internal/util/util.go b/internal/util/util.go
@@ -355,6 +355,10 @@ func ExtractTGZ(tarballPath, destDir string, stripComponent bool) error {
 		if err != nil {
 			return err
 		}
+		// Check for invalid paths, there should never be a ".." in the path
+		if strings.Contains(header.Name, "..") {
+			return fmt.Errorf("tarball contains invalid path: %s", header.Name)
+		}
 
 		target := filepath.Join(destDir, header.Name)
 

Original file line number	Diff line number	Diff line change
`@@ -355,6 +355,10 @@ func ExtractTGZ(tarballPath, destDir string, stripComponent bool) error {`
`355`	`355`	`if err != nil {`
`356`	`356`	`return err`
`357`	`357`	`}`
	`358`	`+ // Check for invalid paths, there should never be a ".." in the path`
	`359`	`+ if strings.Contains(header.Name, "..") {`
	`360`	`+ return fmt.Errorf("tarball contains invalid path: %s", header.Name)`
	`361`	`+ }`
`358`	`362`
`359`	`363`	`target := filepath.Join(destDir, header.Name)`
`360`	`364`