From 91c7a6e50ca153919ad8d6f2252fa988f50bb0e0 Mon Sep 17 00:00:00 2001
From: Alex Goodman <wagoodman@users.noreply.github.com>
Date: Fri, 16 Feb 2024 09:49:07 -0500
Subject: [PATCH] ensure prefix check for path traversal has path separator

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
---
 pkg/file/tarutil.go      |  2 +-
 pkg/file/tarutil_test.go | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/pkg/file/tarutil.go b/pkg/file/tarutil.go
index 2b3ed217..54bf0a87 100644
--- a/pkg/file/tarutil.go
+++ b/pkg/file/tarutil.go
@@ -147,7 +147,7 @@ func (v tarVisitor) visit(entry TarFileEntry) error {
 	target := filepath.Join(v.destination, entry.Header.Name)
 
 	// we should not allow for any destination path to be outside of where we are unarchiving to
-	if !strings.HasPrefix(target, v.destination) {
+	if !strings.HasPrefix(target, v.destination+string(os.PathSeparator)) {
 		return fmt.Errorf("potential path traversal attack with entry: %q", entry.Header.Name)
 	}
 
diff --git a/pkg/file/tarutil_test.go b/pkg/file/tarutil_test.go
index 9e6032a0..721de817 100644
--- a/pkg/file/tarutil_test.go
+++ b/pkg/file/tarutil_test.go
@@ -279,6 +279,20 @@ func Test_tarVisitor_visit(t *testing.T) {
 			},
 			wantErr: require.Error,
 		},
+		{
+			name: "regular file with possible path traversal errors out (same prefix)",
+			entry: TarFileEntry{
+				Sequence: 0,
+				Header: tar.Header{
+					Typeflag: tar.TypeReg,
+					Name:     "../tmp-file.txt",
+					Linkname: "",
+					Size:     2,
+				},
+				Reader: strings.NewReader("hi"),
+			},
+			wantErr: require.Error,
+		},
 		{
 			name: "directory is created",
 			entry: TarFileEntry{