
Commit 710a4ed

committed
fix: add path traversal check in xrar function
1 parent d16ad56 commit 710a4ed

1 file changed

Lines changed: 7 additions & 0 deletions


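--- a/opensca/walk/rar.go
+++ b/opensca/walk/rar.go
@@ -5,6 +5,7 @@ import (
 "io"
 "os"
 "path/filepath"
+"strings"
 
 "github.com/xmirrorsecurity/opensca-cli/v3/opensca/logs"
 
@@ -47,6 +48,12 @@ func xrar(ctx context.Context, filter ExtractFileFilter, input, output string) b
 continue
 }
 
+// avoid path traversal
+if !strings.HasPrefix(fp, filepath.Clean(output)+string(os.PathSeparator)) {
+logs.Warn("Invalid file path: %s", fp)
+continue
+}
+
 if filter != nil && !filter(fp) {
 continue
 }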
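Review bot: The added `strings.HasPrefix(fp, filepath.Clean(output)+string(os.PathSeparator))` test is purely lexical, so it only holds if `fp` is already a cleaned join of `output` and the archive entry name; that assignment is above the hunk and should be confirmed, because a path built by plain concatenation keeps its `..` segments and still passes a prefix compare. The check also sits after the `continue` branch directly above it, whose condition is not visible here; if that branch touches the filesystem using `fp` (for example creating a directory), the containment check should move up to immediately after `fp` is computed so nothing runs before it. The warning writes the archive-supplied name with `%s`; `"Invalid file path: %q"` would keep control characters in a crafted entry name from reaching the log raw, and it is worth confirming that `logs.Warn` accepts a format string at all, since its definition is not on this page. The body of `xrar` starts and ends outside the hunk.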
