From 239ec404d348280b50bbf671327709e8857fc5f4 Mon Sep 17 00:00:00 2001
From: Milan Nikolic
Date: Tue, 21 Jun 2022 20:22:56 +0200
Subject: [PATCH] Fix path traversal vulnerability, issue #21

---
 unarr.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/unarr.go b/unarr.go
index d8bcf31..aaec72e 100644
--- a/unarr.go
+++ b/unarr.go
@@ -8,6 +8,7 @@ import (
 "io/ioutil"
 "os"
 "path/filepath"
+ "strings"
 "time"
 "unsafe"

@@ -170,7 +171,7 @@ func (a *Archive) Offset() int64 {

 // Name returns the name of the current entry as UTF-8 string
 func (a *Archive) Name() string {
- return unarrc.EntryGetName(a.archive)
+ return toValidName(unarrc.EntryGetName(a.archive))
 }

 // RawName returns the name of the current entry as raw string
@@ -263,3 +264,14 @@ func (a *Archive) List() (contents []string, err error) {

 return
 }
+
+func toValidName(name string) string {
+ p := filepath.Clean(name)
+ if strings.HasPrefix(p, "/") {
+ p = p[len("/"):]
+ }
+ for strings.HasPrefix(p, "../") {
+ p = p[len("../"):]
+ }
+ return p
+}
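Review bot: `Name()` now returns a rewritten value, but its doc comment still describes it only as the entry name in UTF-8; I would extend it to `// Name returns the name of the current entry as UTF-8 string, cleaned to a relative path with leading "/" and "../" elements removed`. `RawName` in the trailing context is documented as returning the raw string and its body is outside the hunk, so it presumably stays unsanitised; its comment should tell callers not to build filesystem paths from it. Two distinct entries (for example `../a` and `a`) now map to the same `Name()`, which callers that extract by name may need to account for.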
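Review bot: The prefix checks in `toValidName` compare against `"/"` and `"../"`, but `filepath.Clean` returns OS-specific separators, so on Windows a name with leading `..` elements comes back as `..\..\x` and is returned unchanged; a name that cleans to exactly `..` (for example `a/../..`) also passes on every platform because it has no trailing slash. Normalising first with `p := filepath.ToSlash(filepath.Clean(name))` and treating a bare `..` as empty would close both gaps. The function has no doc comment; `// toValidName returns name cleaned and made relative, with any leading "/" and "../" elements removed.` would state the contract. Because this only rewrites the name, the extraction code (not visible in this patch) should still verify that the joined path stays inside the destination directory, and a test table covering these inputs would pin the behaviour.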