Merge pull request from GHSA-h8g5-vhm4-wx6g

app/controllers/courses_controller.rb

@@ -1,6 +1,7 @@
 require "archive"
 require "csv"
 require "fileutils"
+require "pathname"
 require "statistics"
 
 class CoursesController < ApplicationController
@@ -1107,15 +1108,18 @@ def extract_tar_for_moss(tmp_dir, external_tar, archive)
         pathname = Archive.get_entry_name(entry)
         next if Archive.looks_like_directory?(pathname)
 
-        destination = if archive
-                        File.join(extFilesDir,
-                                  pathname)
+        output_dir = if archive
+                       extFilesDir
                       else
-                        File.join(baseFilesDir, pathname)
+                        baseFilesDir
                       end
-        pathname.gsub!(%r{/}, "-")
+        output_file = File.join(output_dir, pathname)
+
+        # skip if the file lies outside the archive
+        next unless Archive.in_dir?(Pathname(output_file), Pathname(output_dir))
+
         # make sure all subdirectories are there
-        File.open(destination, "wb") do |out|
+        File.open(output_file, "wb") do |out|
           out.write Archive.read_entry_file(entry)
           begin
             out.fsync

lib/archive.rb

@@ -232,4 +232,15 @@ def self.create_zip(paths)
   def self.looks_like_directory?(pathname)
     pathname.ends_with?("/")
   end
+
+  # Check if a path lies (strictly) within a directory
+  # Takes two Pathname objects
+  # https://gist.github.com/henrik/48e8bb74de9d887770dfb3cc6efaa9b2
+  def self.in_dir?(path, dir)
+    path_parts = path.expand_path.each_filename.to_a
+    dir_parts = dir.expand_path.each_filename.to_a
+    return false if path_parts == dir_parts
+
+    dir_parts.zip(path_parts).all? { |x, y| x == y }
+  end
 end