From e06e7f204cccc2b53a7e0a90106e55e3af5a97d2 Mon Sep 17 00:00:00 2001
From: maride
Date: Tue, 27 Apr 2021 00:25:59 +0200
Subject: [PATCH] Poorly protect against directory traversal

---
 logistic/unpacker.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/logistic/unpacker.go b/logistic/unpacker.go
index 8c771bf..3d3ae9f 100644
--- a/logistic/unpacker.go
+++ b/logistic/unpacker.go
@@ -10,6 +10,7 @@ import (
 	"log"
 	"os"
 	"path"
+	"strings"
 )
 
 // UnpackInto decrompesses the given bytes with DEFLATE, then unpacks the result as TAR archive into the targetDir
@@ -66,6 +67,12 @@ func unpackSingleFile(raw []byte, targetDirectory string, filename string) {
 		return
 	}
 
+	// Check if some funny stuff is going on
+	if strings.Contains(targetDirectory, "..") || strings.Contains(filename, "..") {
+		log.Printf("Skipping traversal filename: %s", filename)
+		return
+	}
+
 	// Check if the target directory already exists - otherwise we create it
 	dirOfFile := path.Dir(fmt.Sprintf("%s%c%s", targetDirectory, os.PathSeparator, filename))
 	_, dirInfoErr := os.Stat(dirOfFile)
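Review bot: The substring test on `..` in the second hunk of unpackSingleFile decides by string matching rather than by where the resolved path actually lands: it rejects harmless entry names such as `a..b`, and it also refuses a caller-supplied targetDirectory like `../out`, which is not the untrusted input here (the archive entry name is). A more robust check joins and cleans the destination and then requires it to sit strictly below the cleaned target directory, as sketched below; this needs `"path/filepath"` added to the import block in the first hunk, and `dest` can then replace the `fmt.Sprintf` path construction on the following context lines. In the log call, `%q` instead of `%s` keeps an entry name containing control characters from splitting or forging log lines. unpackSingleFile starts and ends outside the hunk, and whether the TAR reader also hands this function symlink or hard-link entries (which this check does not cover) is not visible here.
```go
	// Resolve the destination and make sure it stays below the target directory.
	cleanTarget := filepath.Clean(targetDirectory)
	dest := filepath.Join(cleanTarget, filename)
	if !strings.HasPrefix(dest, cleanTarget+string(os.PathSeparator)) {
		log.Printf("Skipping traversal filename: %q", filename)
		return
	}
	// … unchanged: directory creation and file write …
```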