From 05a05ed0d8c3948291dcc72713a88801eb9615d8 Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Thu, 22 Feb 2024 15:53:01 -0600
Subject: [PATCH 1/2] :fix: path traversal bug - fixes https://github.com/defenseunicorns/uds-cli/issues/438

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 src/pkg/sources/tarball.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/pkg/sources/tarball.go b/src/pkg/sources/tarball.go
index 7e13746b..59f866b6 100644
--- a/src/pkg/sources/tarball.go
+++ b/src/pkg/sources/tarball.go
@@ -216,8 +216,13 @@ func (t *TarballBundle) extractPkgFromBundle() ([]string, error) {
 	})
 	path := desc.Annotations[ocispec.AnnotationTitle]
+	cleanPath := filepath.Clean(path)
+	if strings.Contains(cleanPath, "..") {
+		// Log the attempt or handle it as needed
+		return fmt.Errorf("invalid path detected: %s", path)
+	}
 	size := desc.Size
-	layerDst := filepath.Join(t.TmpDir, path)
+	layerDst := filepath.Join(t.TmpDir, cleanPath)
 	if err := zarfUtils.CreateDirectory(filepath.Dir(layerDst), 0700); err != nil {
 		return err
 	}

From 7311cc3ea258916e8d8160f18d43bfa029749a9f Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Fri, 23 Feb 2024 09:29:30 -0600
Subject: [PATCH 2/2] Update src/pkg/sources/tarball.go

Co-authored-by: UncleGedd <42304551+UncleGedd@users.noreply.github.com>
---
 src/pkg/sources/tarball.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pkg/sources/tarball.go b/src/pkg/sources/tarball.go
index 59f866b6..eabeaaa9 100644
--- a/src/pkg/sources/tarball.go
+++ b/src/pkg/sources/tarball.go
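Review bot: `strings.Contains(cleanPath, "..")` on the added line is both broader and less precise than a containment check: it rejects harmless layer titles such as `foo..bar.tar`, while the property that actually matters is that the joined `layerDst` stays inside `t.TmpDir`. After `filepath.Clean` an escaping relative path always begins with `..`, so traversal is blocked, but the intent would be clearer and the false positives gone with a lexical locality test, e.g. `if !filepath.IsLocal(cleanPath) {` (Go 1.20+, if the module's Go version allows it), which also rejects an empty or absolute annotation value. The error should quote the untrusted value rather than splice it raw, `return fmt.Errorf("invalid path detected: %q", path)`, so an empty or whitespace-padded title is visible in logs. The `return err` / `return fmt.Errorf` lines appear to sit inside a callback whose start and end lie outside the hunk (the enclosing method itself returns `([]string, error)`).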
@@ -218,7 +218,7 @@ func (t *TarballBundle) extractPkgFromBundle() ([]string, error) {
 	path := desc.Annotations[ocispec.AnnotationTitle]
 	cleanPath := filepath.Clean(path)
 	if strings.Contains(cleanPath, "..") {
-		// Log the attempt or handle it as needed
+		// throw an error for dangerous looking paths
 		return fmt.Errorf("invalid path detected: %s", path)
 	}
 	size := desc.Size
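Review bot: The reworded comment on the added line still does not say what "dangerous looking" means or what the check protects, and Go does not "throw"; a reader maintaining this later needs the invariant, not the verb. Something like `// reject any title that could resolve outside t.TmpDir once joined below (path traversal)` ties the check to the `filepath.Join(t.TmpDir, cleanPath)` that follows and explains why the raw `path` is never used for the destination. The surrounding callback begins and ends outside this hunk.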