From 4b1770fe7a3c77b662b496310083dea6ba460fc9 Mon Sep 17 00:00:00 2001
From: hub
Date: Thu, 2 Feb 2023 22:14:24 +0100
Subject: [PATCH] verify overrides are extracted in bounds
---
 modrinth/mrpack/overrides.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/modrinth/mrpack/overrides.go b/modrinth/mrpack/overrides.go
index 970605d..484939f 100644
--- a/modrinth/mrpack/overrides.go
+++ b/modrinth/mrpack/overrides.go
@@ -3,7 +3,9 @@ package mrpack
 import (
 "archive/zip"
 "fmt"
+ "github.com/nothub/mrpack-install/util"
 "io"
+ "log"
 "os"
 "path"
 "path/filepath"
@@ -37,8 +39,15 @@ func ExtractOverrides(zipFile string, target string) error {
 }
 targetPath := path.Join(target, filePath)
+ ok, err := util.PathIsSubpath(targetPath, target)
+ if err != nil {
+ log.Println(err.Error())
+ }
+ if err != nil || !ok {
+ log.Fatalln("File path is not safe: " + targetPath)
+ }
- err := os.MkdirAll(filepath.Dir(targetPath), 0755)
+ err = os.MkdirAll(filepath.Dir(targetPath), 0755)
 if err != nil {
 return err
 }
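Review bot: The new bounds check in ExtractOverrides ends the process with `log.Fatalln` although the function returns `error`, so one out-of-bounds entry exits without running deferred cleanup and leaves already-extracted files behind with no chance for the caller to react. Since `fmt` is already imported, the two `if` blocks could become `if err != nil { return fmt.Errorf("checking override path %q: %w", targetPath, err) }` and `if !ok { return fmt.Errorf("override path %q is outside %q", targetPath, target) }`, which also makes the added `log` import unnecessary. Separately, `targetPath` is built with `path.Join` while the directory is created via `filepath.Dir`, so whether entry names using the OS separator on Windows are covered depends on `util.PathIsSubpath`, which is not visible here; a short comment stating that the check is lexical (and whether symlinks under `target` are considered) would help. The function body starts and continues outside this hunk.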