fix: pre-extraction path traversal check in install.sh#1686

Open
ether-btc wants to merge 1 commit into rtk-ai:master from ether-btc:fix/path-traversal-precheck

Conversation

@ether-btc

Summary

Fixes #1250.

The vulnerability

The installer had no path traversal protection. A malicious mirror or compromised download could serve a tar archive containing ../../etc/cron.d/malware and overwrite arbitrary filesystem paths.

The fix

Use tar -tf to list archive contents before extraction. Block and exit if any entry contains path traversal patterns (../, /./, ..):

# Match exactly the patterns listed above: "../", "/./" and a trailing "..".
# (A bare "\./" would also match the "./" prefix tar listings commonly start with.)
if tar -tf "$ARCHIVE" | grep -qE '\.\./|/\./|\.\.$'; then
  # error() is the installer's own helper, assumed to print the message and exit non-zero
  error "Blocked: path traversal attempt detected in archive"
fi

This is a single pre-extraction check with no architectural changes.

References

  • CWE-22: Path Traversal
  • Reported via upstream security audit

Checks archive contents with tar -tf before extraction to block
CWE-22 path traversal attempts (../, /./, ..).

Refs: rtk-ai#1250
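As an added example that is not part of this PR or the rtk-ai installer, the same pre-extraction idea done component by component rather than with a substring regex: each listed member name is split on "/" and refused if any component is ".." or the name is absolute, so "./bin/rtk" and "lib/a..b" pass while "../x" and "dir/.." do not. The function names check_entries and precheck_archive are my own.

```shell
#!/bin/sh
# Added example, not the rtk-ai installer's own code. Member names are
# checked component by component, so "./bin/rtk" and "lib/a..b" pass
# while "../x", "dir/.." and absolute names are refused.

# check_entries: reads one member name per line on stdin. Returns 0 when
# every name is safe; prints the first unsafe name and returns 1 otherwise.
check_entries() {
    while IFS= read -r name; do
        case "$name" in
            /*) printf 'refused (absolute path): %s\n' "$name"; return 1 ;;
        esac
        rest="$name"
        while [ -n "$rest" ]; do
            comp="${rest%%/*}"              # first remaining path component
            if [ "$comp" = ".." ]; then
                printf 'refused (traversal): %s\n' "$name"; return 1
            fi
            case "$rest" in
                */*) rest="${rest#*/}" ;;   # drop the component just checked
                *)   rest="" ;;
            esac
        done
    done
    return 0
}

# precheck_archive: lists the archive with tar -tf and refuses it when the
# listing itself fails or any member name is unsafe. Usage:
#   precheck_archive "$ARCHIVE" && tar -xzf "$ARCHIVE"
precheck_archive() {
    archive="$1"
    listing=$(tar -tf "$archive") || {
        printf 'Blocked: cannot list %s\n' "$archive" >&2; return 1
    }
    if ! printf '%s\n' "$listing" | check_entries; then
        printf 'Blocked: unsafe member name in %s\n' "$archive" >&2
        return 1
    fi
}
```

A name-only listing says nothing about symlink members whose targets point outside the extraction directory; extracting into a fresh temporary directory and moving the verified result into place limits what such a member can reach.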
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


H Hermes seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.



Development

Successfully merging this pull request may close these issues.

Path traversal risk in install.sh tar extraction