fix: Stop using SecureJoin which messes up symlinks

Author: codablock

go.mod

@@ -3,7 +3,6 @@ module github.com/kluctl/go-embed-python
 go 1.19
 
 require (
-	github.com/cyphar/filepath-securejoin v0.2.4
 	github.com/gobwas/glob v0.2.3
 	github.com/klauspost/compress v1.17.7
 	github.com/rogpeppe/go-internal v1.12.0

go.sum

@@ -1,5 +1,3 @@
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

internal/tar.go

@@ -3,7 +3,6 @@ package internal
 import (
 	"archive/tar"
 	"fmt"
-	securejoin "github.com/cyphar/filepath-securejoin"
 	"io"
 	"io/fs"
 	"os"
@@ -22,12 +21,13 @@ func ExtractTarStream(r io.Reader, targetPath string) error {
 			return fmt.Errorf("ExtractTarStream: Next() failed: %w", err)
 		}
 
-		header.Name = filepath.FromSlash(header.Name)
-
-		p, err := securejoin.SecureJoin(targetPath, header.Name)
-		if err != nil {
-			return err
+		if !validRelPath(header.Name) {
+			return fmt.Errorf("tar contained invalid name error %q", header.Name)
 		}
+
+		p := filepath.FromSlash(header.Name)
+		p = filepath.Join(targetPath, p)
+
 		err = os.MkdirAll(filepath.Dir(p), 0755)
 		if err != nil {
 			return err
@@ -67,6 +67,13 @@ func ExtractTarStream(r io.Reader, targetPath string) error {
 	return nil
 }
 
+func validRelPath(p string) bool {
+	if p == "" || strings.Contains(p, `\`) || strings.HasPrefix(p, "/") || strings.Contains(p, "../") {
+		return false
+	}
+	return true
+}
+
 func AddToTar(tw *tar.Writer, pth string, name string, filter func(h *tar.Header, size int64) (*tar.Header, error)) error {
 	fi, err := os.Lstat(pth)
 	if err != nil {