chore(internal/utils): moved gzip header containing ".." check above.

Signed-off-by: Federico Di Pierro <[email protected]>
falcosecurity · Nov 9, 2023 · 8f4d92d · 8f4d92d
1 parent 9803df6
commit 8f4d92d
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/internal/utils/extract.go b/internal/utils/extract.go
@@ -49,6 +49,10 @@ func ExtractTarGz(gzipStream io.Reader, destDir string, stripPathComponents int)
 			return nil, err
 		}
 
+		if strings.Contains(header.Name, "..") {
+			return nil, fmt.Errorf("not allowed relative path in tar archive")
+		}
+
 		strippedName := stripComponents(header.Name, stripPathComponents)
 
 		switch header.Typeflag {
@@ -59,10 +63,6 @@ func ExtractTarGz(gzipStream io.Reader, destDir string, stripPathComponents int)
 			}
 			files = append(files, d)
 		case tar.TypeReg:
-			if strings.Contains(header.Name, "..") {
-				return nil, fmt.Errorf("not allowed relative path in tar archive")
-			}
-
 			f := filepath.Join(destDir, strippedName)
 			outFile, err := os.Create(filepath.Clean(f))
 			if err != nil {