modification to support gcp in test

Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
splunk · Oct 11, 2024 · 0e986a7 · 0e986a7
1 parent 43c8f76
commit 0e986a7
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/test/testenv/gcputils.go b/test/testenv/gcputils.go
@@ -5,6 +5,7 @@ import (
 	"compress/gzip"
 	"context"
 	"errors"
+	"fmt"
 	"io"
 	"os"
 	"path/filepath"
@@ -390,6 +391,15 @@ func untarFile(src, dest string) error {
 
 	for {
 		header, err := tarReader.Next()
+		if err != nil {
+			return err
+		}
+
+		// Sanitize the file path to prevent Zip Slip
+		targetPath := filepath.Join(dest, header.Name)
+		if !strings.HasPrefix(targetPath, filepath.Clean(dest)+string(os.PathSeparator)) {
+			return fmt.Errorf("invalid file path: %s", targetPath)
+		}
 
 		if err == io.EOF {
 			break // End of archive
@@ -398,7 +408,7 @@ func untarFile(src, dest string) error {
 			return err
 		}
 
-		targetPath := filepath.Join(dest, header.Name)
+		targetPath = filepath.Join(dest, header.Name)
 
 		switch header.Typeflag {
 		case tar.TypeDir: