From ccc325f90855f0bcc6cc5ee96e483783db99c11f Mon Sep 17 00:00:00 2001
From: hirokuni-kitahara
Date: Tue, 3 Dec 2024 17:08:35 +0900
Subject: [PATCH] fix tar path issue

Signed-off-by: hirokuni-kitahara
---
 pkg/util/image.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pkg/util/image.go b/pkg/util/image.go
index 1df1cc4..f6c77fc 100644
--- a/pkg/util/image.go
+++ b/pkg/util/image.go
@@ -147,6 +147,12 @@ func GetYAMLsInArtifact(blob []byte) ([][]byte, error) {
 			return nil, errors.Wrap(err, "tarReader.Next() failed while decompressing tar gz")
 		}
 
+		// Skip files that have path starting with ".."
+		// Ref: CWE-22
+		if !strings.Contains(header.Name, "..") {
+			continue
+		}
+
 		switch header.Typeflag {
 		case tar.TypeDir:
 			fpath := filepath.Join(dir, header.Name)
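Review bot: The added guard is inverted: `!strings.Contains(header.Name, "..")` skips every entry whose name does not contain `..` and lets exactly the `..` entries through to the `filepath.Join` below, so after this patch the function processes only traversal-shaped names and drops all normal ones. The line should read `if strings.Contains(header.Name, "..") {`, and the comment should match the check (it says "starting with" while the code tests any occurrence, which also rejects harmless names such as `a..b`). A stronger form is to compute `fpath := filepath.Join(dir, header.Name)` once before the switch and skip the entry when `!strings.HasPrefix(fpath, filepath.Clean(dir)+string(os.PathSeparator))`, which validates the resolved destination rather than a substring; whether `os` is already imported is not visible here. `GetYAMLsInArtifact` begins and ends outside the hunk, so the handling of the other entry types (for example symlink targets) could not be reviewed.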