Sanitize archive entry paths before writing to disk | Critiq Docs

#Metadata

Rule ID: go.security.tar-path-traversal
Severity: high
Confidence: 0.8
Languages: go
Presets: security, strict
Stability: experimental
Applies to: block
Tags: archive, go, rules-catalog, security

#Why it matters

Writing `hdr.Name` directly enables `../` traversal that escapes intended extraction directories.

#Remediation

Join destinations using a fixed root with `filepath.Join`, reject absolute paths, and always apply `filepath.Base` before `os.Create`.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/go/go.security.tar-path-traversal.rule.yaml.

Back to directory Open rule in repository