Summary
The install.sh extraction pattern is insufficient for path traversal prevention.
Issue
Current code uses:

```sh
find -name '..*'
```

This is a glob matching file names that start with `..`, not a path traversal check. Additionally, the check runs after extraction, so any damage is already done by then.
Correct approach
Use `tar -tf` to list contents before extraction:

```sh
# List all member names without extracting; refuse the archive if any name
# is absolute or contains a ".." path component. A plain "./" prefix on
# member names is normal in release tarballs and must not trip the check.
if tar -tf "$archive" | grep -qE '^/|(^|/)\.\.(/|$)'; then
    echo "Blocked: path traversal attempt in archive"
    exit 1
fi
tar -xf "$archive"
```
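As an added example (not the project's install.sh), a POSIX sh version of the same pre-extraction listing check, with the name check split into its own function so it can be fed a constructed listing; `check_member_names`, `safe_extract` and the optional destination argument are assumed names, not from the project:

```sh
#!/bin/sh
# Added example, not the project's install.sh. Member names are inspected
# BEFORE anything is written to disk; the listing check is a separate
# function so a constructed listing can be piped into it.

# check_member_names (assumed name): reads one member name per line on stdin.
# Returns 0 if every name stays inside the extraction directory, 1 otherwise.
# Blocked:  /etc/passwd   ../x   ./../x   foo/../../x   ..
# Allowed:  ./foo/bar   ..hidden   foo..bar   (a '..*' glob misjudges these)
check_member_names() {
    if grep -qE '^/|(^|/)\.\.(/|$)'; then
        return 1   # absolute path or a ".." path component found
    fi
    return 0
}

# safe_extract (assumed name): list with tar -tf, extract only if the listing
# is clean. "$dest" is an assumed extra argument; the issue's snippet
# extracts into the current directory.
safe_extract() {
    archive=$1
    dest=${2:-.}
    if ! tar -tf "$archive" | check_member_names; then
        echo "Blocked: path traversal attempt in archive: $archive" >&2
        return 1
    fi
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}

# Usage: ./safe_extract.sh ARCHIVE.tar.gz [DEST]
if [ "$#" -ge 1 ]; then
    safe_extract "$@"
fi
```

`tar -tf` only prints member names, so symlink targets are not inspected here; `tar -tvf` would be needed to check those as well.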
Why this matters
Users who download RTK via tarball from releases are exposed to path traversal if a mirror is compromised or malicious. The fix is a single pre-extraction check with no architectural changes.
References
- CWE-22: Path Traversal
- Similar issue in curl's `--remote-name-all` behavior