
Commit 9f6bc5d

authored
Merge commit from fork
Signed-off-by: Alan Clucas <[email protected]>
1 parent 5223924 commit 9f6bc5d

1 file changed

+7
-0
lines changed

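--- a/workflow/executor/executor.go
+++ b/workflow/executor/executor.go
@@ -945,11 +945,18 @@ func untar(tarPath string, destPath string) error {
 continue
 }
 target := filepath.Join(dest, filepath.Clean(header.Name))
+if !strings.HasPrefix(target, filepath.Clean(dest)+string(os.PathSeparator)) {
+return fmt.Errorf("illegal file path: %s", header.Name)
+}
 if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil && os.IsExist(err) {
 return err
 }
 switch header.Typeflag {
 case tar.TypeSymlink:
+linkTarget := filepath.Join(filepath.Dir(target), header.Linkname)
+if !strings.HasPrefix(filepath.Clean(linkTarget), filepath.Clean(dest)+string(os.PathSeparator)) {
+return fmt.Errorf("illegal symlink target: %s -> %s", header.Name, header.Linkname)
+}
 err := os.Symlink(header.Linkname, target)
 if err != nil {
 return err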
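Review bot: The symlink check under `case tar.TypeSymlink:` validates `filepath.Join(filepath.Dir(target), header.Linkname)`, but `os.Symlink` is then called with the raw `header.Linkname`, and `filepath.Join` does not treat an absolute second element as a new root, so an absolute link name is checked as if it sat under `dest` and is still written as-is. Reject it before the join, e.g. `if filepath.IsAbs(header.Linkname) { return fmt.Errorf("illegal symlink target: %s -> %s", header.Name, header.Linkname) }`. Both prefix checks are also purely lexical, so they do not account for symlinks that earlier entries may already have placed on disk under `dest`; resolving the parent directory with `filepath.EvalSymlinks` before writing, or extracting through `os.Root` where the Go version allows, would cover that case. `untar` starts and ends outside this hunk, so how `dest` is derived and how the other type flags are handled cannot be confirmed from here.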
