Fix zipslips for cpio, tar and zip

[rminnich]

Fixes the following CVEs:

• CVE-2020-7669
• CVE-2020-7666
• CVE-2020-7665

A zipslip is when a archive contains a path which escapes the extract
directory. This can be done with absolute paths / or with parent
directories ... It is a security problem.

These commands will no longer extract those directories and instead
print a warning.

Signed-off-by: Ryan O'Leary ryanoleary@google.com

[codecov]

Codecov Report

Merging #2344 (2da3b84) into main (ecb36fa) will increase coverage by 0.00%.
The diff coverage is 59.09%.

@@           Coverage Diff           @@
##             main    #2344   +/-   ##
=======================================
  Coverage   72.18%   72.19%           
=======================================
  Files         386      387    +1     
  Lines       39843    39859   +16     
=======================================
+ Hits        28762    28775   +13     
- Misses      11081    11084    +3     

Impacted Files	Coverage Δ
pkg/cpio/fs_unix.go	32.17% <0.00%> (-0.87%)	⬇️
pkg/tarutil/tar.go	63.82% <50.00%> (-0.46%)	⬇️
pkg/uzip/uzip.go	77.22% <57.14%> (-1.94%)	⬇️
pkg/upath/safejoin.go	100.00% <100.00%> (ø)
cmds/core/mv/mv.go	77.27% <0.00%> (-2.28%)	⬇️
pkg/strace/tracer.go	68.22% <0.00%> (+2.33%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ecb36fa...2da3b84. Read the comment docs.

[n2vi]

The remediation falsely prohibits a file such as "...tmp", does it not?
This probably isn't worth fixing yet.

TODO(ehg) Someday I should confirm there is no related issue with symbolic links.

[n2vi]

See also nativeRelPath in golang.org/x/build/cmd/buildlet/buildlet.go, i.e.

relPath == ".." || strings.HasPrefix(relPath, ".."+string(filepath.Separator)