From a5fc23818320f7cab65c9c02c8a9682db268e05f Mon Sep 17 00:00:00 2001
From: /tmp
Date: Wed, 11 Jun 2025 18:31:11 +0700
Subject: [PATCH] Update release.go
---
 release/release.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/release/release.go b/release/release.go
index d0b79ed95..dba40bd82 100644
--- a/release/release.go
+++ b/release/release.go
@@ -1529,7 +1529,15 @@ func untargz(src, dst string) {
 check(err, "read from tar file")
- path := filepath.Join(dst, header.Name)
+ cleanedName := filepath.Clean(header.Name)
+ if strings.HasPrefix(cleanedName, "..") || filepath.IsAbs(cleanedName) {
+ log.Fatalf("invalid file path in tar archive: %v", header.Name)
+ }
+
+ path := filepath.Join(dst, cleanedName)
+ if !strings.HasPrefix(path, filepath.Clean(dst)+string(os.PathSeparator)) {
+ log.Fatalf("extraction path escapes destination directory: %v", path)
+ }
 switch header.Typeflag {
 case tar.TypeDir:
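Review bot: The second guard rejects a `.` or `./` entry, which GNU tar commonly emits as the top-level directory of an archive created with `-C dir .`: `filepath.Join(dst, ".")` equals `filepath.Clean(dst)` and so never carries the trailing separator the `HasPrefix` test demands, and extraction aborts with "extraction path escapes destination directory" on an archive that is perfectly safe. Allowing equality with the cleaned destination fixes that without weakening the containment check, e.g. `dstClean := filepath.Clean(dst)` followed by `if path != dstClean && !strings.HasPrefix(path, dstClean+string(os.PathSeparator)) {`. The first guard, `strings.HasPrefix(cleanedName, "..")`, is a string-prefix test rather than a path-component test, so it also refuses a legitimate entry whose name merely begins with two dots (such as `..keep`); if the module targets Go 1.20 or later, `filepath.IsLocal(header.Name)` states the intended rule (relative, no `..` component, not absolute) directly, and logging the rejected name with `%q` rather than `%v` makes an empty or whitespace-only name visible in the output. untargz's body continues outside the hunk, so I cannot see whether a symlink case in the switch applies the same containment check to `header.Linkname`; if one exists it needs the same treatment.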