Update relative path check when extracting tar archives (chainguard-d…

…ev#656) Signed-off-by: egibs <[email protected]>
egibs · Nov 23, 2024 · d1f4b00 · d1f4b00
1 parent f81741f
commit d1f4b00
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/pkg/action/archive.go b/pkg/action/archive.go
@@ -150,8 +150,8 @@ func extractTar(ctx context.Context, d string, f string) error {
 		}
 
 		clean := filepath.Clean(header.Name)
-		if filepath.IsAbs(clean) || strings.Contains(clean, "..") {
-			return fmt.Errorf("invalid file path: %s", header.Name)
+		if filepath.IsAbs(clean) || strings.Contains(clean, "../") {
+			return fmt.Errorf("path is absolute or contains a relative path traversal: %s", clean)
 		}
 
 		target := filepath.Join(d, clean)