From 3c2ec896f82a3ebb3f974a1c78e815d41d6e6722 Mon Sep 17 00:00:00 2001
From: Kyle Isom <kyle@imap.cc>
Date: Thu, 4 May 2023 17:20:22 -0700
Subject: [PATCH] cmd/cruntar: avoid writing files outside archive

---
 cmd/cruntar/main.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/cmd/cruntar/main.go b/cmd/cruntar/main.go
index abdcc4d..0ee5052 100644
--- a/cmd/cruntar/main.go
+++ b/cmd/cruntar/main.go
@@ -92,6 +92,13 @@ func processFile(tfr *tar.Reader, hdr *tar.Header, top string) error {
 			return err
 		}
 	case tar.TypeSymlink:
+		path := linkTarget(hdr.Linkname, top)
+		if ok, err := filepath.Match(top+"/*", filepath.Clean(path)); !ok {
+			return fmt.Errorf("symlink %s isn't in %s", hdr.Linkname, top)
+		} else if err != nil {
+			return err
+		}
+
 		err := os.Symlink(linkTarget(hdr.Linkname, top), filePath)
 		if err != nil {
 			return err