From 0e986a7c0aa1fc1c5891fbfc72572cade796374b Mon Sep 17 00:00:00 2001
From: Vivek Reddy
Date: Fri, 11 Oct 2024 12:23:30 -0700
Subject: [PATCH] modification to support gcp in test
Signed-off-by: Vivek Reddy
---
 test/testenv/gcputils.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/test/testenv/gcputils.go b/test/testenv/gcputils.go
index 06d82e3fe..26ea6c828 100644
--- a/test/testenv/gcputils.go
+++ b/test/testenv/gcputils.go
@@ -5,6 +5,7 @@ import (
 "compress/gzip"
 "context"
 "errors"
+ "fmt"
 "io"
 "os"
 "path/filepath"
@@ -390,6 +391,15 @@ func untarFile(src, dest string) error {
 
 for {
 header, err := tarReader.Next()
+ if err != nil {
+ return err
+ }
+
+ // Sanitize the file path to prevent Zip Slip
+ targetPath := filepath.Join(dest, header.Name)
+ if !strings.HasPrefix(targetPath, filepath.Clean(dest)+string(os.PathSeparator)) {
+ return fmt.Errorf("invalid file path: %s", targetPath)
+ }
 
 if err == io.EOF {
 break // End of archive
@@ -398,7 +408,7 @@ func untarFile(src, dest string) error {
 return err
 }
 
- targetPath := filepath.Join(dest, header.Name)
+ targetPath = filepath.Join(dest, header.Name)
 
 switch header.Typeflag {
 case tar.TypeDir:
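Review bot: The added `if err != nil { return err }` directly after `tarReader.Next()` runs before the existing `if err == io.EOF` test, so reaching the end of any archive now returns `io.EOF` as a failure and the EOF branch is unreachable. The traversal check should move below the existing EOF and error checks instead, which also keeps `header` from being dereferenced while nil. The check calls `strings.HasPrefix`, but the import hunk adds only `fmt`; confirm `strings` is already imported further down the import block, which is outside the hunk. The prefix test covers entry names only, so a symlink or hard-link entry whose target points outside `dest` would not be caught by it; whether the `switch header.Typeflag` that continues past the hunk handles those types is not visible here.

```go
		header, err := tarReader.Next()
		if err == io.EOF {
			break // End of archive
		}
		if err != nil {
			return err
		}

		// Reject entries whose joined path resolves outside dest (Zip Slip).
		cleanDest := filepath.Clean(dest)
		targetPath := filepath.Join(cleanDest, header.Name)
		if !strings.HasPrefix(targetPath, cleanDest+string(os.PathSeparator)) {
			return fmt.Errorf("invalid file path: %s", targetPath)
		}
		// … unchanged: switch header.Typeflag …
```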
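Review bot: `targetPath = filepath.Join(dest, header.Name)` recomputes the value that the new check earlier in the loop already stored in `targetPath`, so this line can be deleted rather than changed from `:=` to `=`. Keeping a single assignment also makes it evident that the path that was validated is the same path the `switch` below operates on. The `switch` continues outside the hunk.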