Handle absolute paths and .. in paths and linknames.

No-Issue Signed-off-by: James Tanner <[email protected]>
ansible · Dec 5, 2023 · d044bf1 · d044bf1
1 parent 2225280
commit d044bf1
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 3 deletions.
diff --git a/Makefile b/Makefile
@@ -17,7 +17,7 @@ lint/format/black:
 # ---------------------------------------------------------
 
 .PHONY: test
-test: lint test/unit test/functional
+test: lint test/unit test/integration
 	@echo "ALL MAKE TARGET TESTS SUCCESSFUL"
 
 .PHONY: test/unit

diff --git a/galaxy_importer/collection.py b/galaxy_importer/collection.py
@@ -160,6 +160,9 @@ def _import_collection(file, filename, file_url, logger, cfg):
 def _extract_archive(fileobj, extract_dir):
     fileobj.seek(0)
     with tarfile.open(fileobj=fileobj, mode="r") as tf:
-        if any((item.startswith("/") or item.startswith("../")) for item in tf.getnames()):
-            raise exc.ImporterError("Invalid file paths detected.")
+        for item in tf.getmembers():
+            if item.name.startswith("/") or "../" in item.name:
+                raise exc.ImporterError("Invalid file paths detected.")
+            if item.linkname and (item.linkname.startswith("/") or "../" in item.linkname):
+                raise exc.ImporterError("Invalid linkname detected.")
         tf.extractall(extract_dir)