From 4e2c93d1a1948d38509154b2a1876296c7b37b53 Mon Sep 17 00:00:00 2001
From: Oleg Bespalov
Date: Fri, 9 Feb 2024 09:01:19 +0100
Subject: [PATCH] fix zip-slip noise in tests

---
 lib/testutils/untar.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/lib/testutils/untar.go b/lib/testutils/untar.go
index 306ab4a11522..5b9989a9c48b 100644
--- a/lib/testutils/untar.go
+++ b/lib/testutils/untar.go
@@ -38,9 +38,12 @@ func Untar(t *testing.T, fileSystem fsext.Fs, fileName string, destination strin
 continue
 }
 
- // as long as this code in a test helper, we can safely
- // omit G305: File traversal when extracting zip/tar archive
- target := filepath.Join(destination, header.Name) //nolint:gosec
+ fileName := header.Name
+ if !filepath.IsLocal(fileName) {
+ return errors.New("tar file contains non-local file names")
+ }
+
+ target := filepath.Join(destination, filepath.Clean(fileName))
 
 switch header.Typeflag {
 case tar.TypeDir:
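Review bot: The added `fileName := header.Name` shadows Untar's own `fileName string` parameter shown in the hunk header, so any later code in the function that still means the archive path (an error message, a log line) would silently receive the entry name instead; `entryName := header.Name`, with the `IsLocal` and `Join` calls renamed to match, avoids the shadow and keeps the `shadow` vet analyzer quiet. `filepath.Join` already cleans its result, so `filepath.Clean(fileName)` on the `target` line is redundant and `target := filepath.Join(destination, entryName)` is enough. The `IsLocal` check covers only `header.Name`; if the `switch header.Typeflag` below (whose body continues outside the hunk) also materializes `tar.TypeSymlink` or `tar.TypeLink` entries, `header.Linkname` needs the same non-local rejection, since a link target can otherwise still point outside `destination`. Untar starts and ends outside this hunk.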