From ba3ef3be7ba3440f28116585bc467b9eacd3edc2 Mon Sep 17 00:00:00 2001
From: Zeroday BYTE
Date: Sun, 20 Apr 2025 05:41:39 +0700
Subject: [PATCH] Update FileUtils.java
---
 src/main/java/com/dtsx/astra/cli/utils/FileUtils.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/dtsx/astra/cli/utils/FileUtils.java b/src/main/java/com/dtsx/astra/cli/utils/FileUtils.java
index 7acd57e..fc31301 100644
--- a/src/main/java/com/dtsx/astra/cli/utils/FileUtils.java
+++ b/src/main/java/com/dtsx/astra/cli/utils/FileUtils.java
@@ -108,8 +108,12 @@ public static void extractTarArchiveInAstraCliHome(File tarFile)
 TarArchiveEntry tarEntry;
 while ((tarEntry = tis.getNextTarEntry()) != null) {
 // Escaping to remove invalid entry
- File outputFile = Paths.get(AstraCliUtils.ASTRA_HOME + File.separator +
- Paths.get(tarEntry.getName()).normalize()).toFile();
+ Path outputPath = Paths.get(AstraCliUtils.ASTRA_HOME).resolve(Paths.get(tarEntry.getName()).normalize());
+ if (!outputPath.normalize().startsWith(Paths.get(AstraCliUtils.ASTRA_HOME))) {
+ LoggerShell.warn("Skipping invalid tar entry: " + tarEntry.getName());
+ continue;
+ }
+ File outputFile = outputPath.toFile();
 if (tarEntry.isDirectory()) {
 if (!outputFile.exists() && outputFile.mkdirs())
 LoggerShell.debug(CREATE_FOLDER_MSG
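Review bot: The new containment check compares a normalized `outputPath` against `Paths.get(AstraCliUtils.ASTRA_HOME)`, which is never normalized, so if ASTRA_HOME ever carries `.` or `..` segments the `startsWith` test would reject every entry; the base is also rebuilt on each loop iteration. Computing it once before the `while` loop as `Path astraHome = Paths.get(AstraCliUtils.ASTRA_HOME).toAbsolutePath().normalize();`, then using `Path outputPath = astraHome.resolve(tarEntry.getName()).normalize();` and `if (!outputPath.startsWith(astraHome))`, keeps both sides in the same form. The check is purely lexical, so it does not cover a symlink that already exists under ASTRA_HOME (or one materialised by an earlier entry, if the code outside this hunk creates link entries); comparing the parent directory's `toRealPath()` against the base would cover that case. An archive that contains an escaping entry is probably tampered with, so failing the whole extraction rather than `continue` looks like the safer default. The loop body and method continue outside the hunk, and since the patch has no import hunk, please confirm `java.nio.file.Path` is already imported in FileUtils.java.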