From 6d088154b81255d2bfd14db2e0659f62806ed1de Mon Sep 17 00:00:00 2001
From: Matej Vasek
Date: Tue, 12 Dec 2023 22:59:37 +0100
Subject: [PATCH] fixup: validate path in tar header

Signed-off-by: Matej Vasek
---
 hack/update-builder.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/hack/update-builder.go b/hack/update-builder.go
index 5104c69bfd..702c55f1ae 100644
--- a/hack/update-builder.go
+++ b/hack/update-builder.go
@@ -604,7 +604,12 @@ func downloadTarball(tarballUrl, destDir string) error {
 return fmt.Errorf("cannot read tar header: %w", err)
 }
 
-dest := filepath.Join(destDir, filepath.Join(strings.Split(hdr.Name, "/")[1:]...))
+n := filepath.Clean(filepath.Join(strings.Split(hdr.Name, "/")[1:]...))
+if strings.HasPrefix(n, "..") {
+return fmt.Errorf("path in tar header escapes")
+}
+dest := filepath.Join(destDir, n)
+
 switch hdr.Typeflag {
 case tar.TypeReg:
 var f *os.File
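Review bot: The new guard `strings.HasPrefix(n, "..")` is broader than the escape it is meant to catch — any entry whose cleaned relative name merely begins with two dots (a file or directory named like `..foo`) is refused, while the dangerous case is a leading parent-directory component, which after `filepath.Clean` is exactly `n == ".."` or `..` followed by a separator; `if n == ".." || strings.HasPrefix(n, ".."+string(filepath.Separator)) {` is the precise test. The rejection also drops the offending name, and `fmt.Errorf` with no verbs is what staticcheck flags, so `return fmt.Errorf("path in tar header escapes: %q", hdr.Name)` both records which entry was refused and justifies the format call. If the `switch hdr.Typeflag` below also handles `tar.TypeSymlink` (only the `tar.TypeReg` case is visible here), `hdr.Linkname` would need an equivalent containment check, since validating the header name does not cover link targets. downloadTarball begins and ends outside the hunk.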