From 58b800df4fb77190d163ab3b8263307fba2caa97 Mon Sep 17 00:00:00 2001
From: Andrew Mak
Date: Sat, 21 Sep 2019 22:19:35 -0400
Subject: [PATCH] prevent path traversal
Signed-off-by: Andrew Mak
---
 utils/extensions.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/utils/extensions.go b/utils/extensions.go
index f35d3860..8b9380b3 100644
--- a/utils/extensions.go
+++ b/utils/extensions.go
@@ -36,14 +36,15 @@ func RunCommand(projectPath string, command ExtensionCommand) error {
 return err
 }
 installerPath := filepath.Dir(cwd)
- commandBin := filepath.Join(installerPath, command.Command)
+ commandName := filepath.Base(command.Command) // prevent path traversal
+ commandBin := filepath.Join(installerPath, commandName)
 cmd := exec.Command(commandBin, command.Args...)
 cmd.Dir = projectPath
 output := new(bytes.Buffer)
 cmd.Stdout = output
 cmd.Stderr = output
 if err := cmd.Start(); err != nil { // after 'Start' the program is continued and script is executing in background
- log.Println("There was a problem running the command:", command.Command)
+ log.Println("There was a problem running the command:", commandName)
 return err
 }
 log.Printf("Please wait while the project is initialized... %s", output.String())
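Review bot: `filepath.Base` on the new `commandName` line silently rewrites a bad value instead of rejecting it, and it does not cover every input: it returns `.` for an empty string and `..` for `..`, so `commandBin` can still resolve to `installerPath` itself or its parent. Those cases would presumably fail at `cmd.Start()` because they are directories, but a traversal attempt then looks like an ordinary launch failure, and a value such as `../../x` quietly runs `x` from the installer directory. I would reject rather than rewrite, e.g. `if commandName != command.Command || commandName == "." || commandName == ".." { return errors.New("invalid extension command name") }` (using whichever error constructor the file already imports), and log the original value with `%q` so the rejection is visible to whoever reads the logs. `command.Args` is still passed to `exec.Command` unchecked, so a comment stating where the extension definition comes from and whether it is trusted would help the next reviewer. RunCommand begins and ends outside this hunk, so any earlier validation is not visible here.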