Version 2.

No-Issue Signed-off-by: James Tanner <[email protected]>
ansible · Dec 5, 2023 · f48c08e · f48c08e
1 parent d044bf1
commit f48c08e
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/galaxy_importer/collection.py b/galaxy_importer/collection.py
@@ -163,6 +163,9 @@ def _extract_archive(fileobj, extract_dir):
         for item in tf.getmembers():
             if item.name.startswith("/") or "../" in item.name:
                 raise exc.ImporterError("Invalid file paths detected.")
-            if item.linkname and (item.linkname.startswith("/") or "../" in item.linkname):
-                raise exc.ImporterError("Invalid linkname detected.")
+            if item.linkname:
+                # Ensure the link target is within the extraction root
+                link_target = os.path.normpath(os.path.join(extract_dir, item.linkname))
+                if not link_target.startswith(os.path.abspath(extract_dir)):
+                    raise exc.ImporterError("Invalid link target detected.")
         tf.extractall(extract_dir)