Do not allow paths in "archiveFileName" property in package_index.json

cmaglie · cmaglie · commit 651824c20abb · 2020-07-24T17:40:00.000+02:00
diff --git a/arduino/resources/helpers.go b/arduino/resources/helpers.go
@@ -20,6 +20,7 @@ import (
 	"os"
 
 	"github.com/arduino/go-paths-helper"
+	"github.com/pkg/errors"
 	"go.bug.st/downloader/v2"
 )
 
@@ -30,7 +31,14 @@ func (r *DownloadResource) ArchivePath(downloadDir *paths.Path) (*paths.Path, er
 	if err := staging.MkdirAll(); err != nil {
 		return nil, err
 	}
-	return staging.Join(r.ArchiveFileName), nil
+
+	// Filter out paths from file name
+	archiveFileName := paths.New(r.ArchiveFileName).Base()
+	archivePath := staging.Join(archiveFileName).Clean()
+	if archivePath.IsDir() {
+		return nil, errors.Errorf("invalid filename or exinsting directory: %s", archivePath)
+	}
+	return archivePath, nil
 }
 
 // IsCached returns true if the specified DownloadResource has already been downloaded
