From 69296e727af3a78f82e67b846142ee442f579499 Mon Sep 17 00:00:00 2001
From: Martyanov Andrey <37772440+martyanovandrey@users.noreply.github.com>
Date: Mon, 18 Nov 2024 22:25:53 +0500
Subject: [PATCH] fix: check if output parameter is located inside root (#896)
---
 src/services/includers/batteries/unarchive.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/services/includers/batteries/unarchive.ts b/src/services/includers/batteries/unarchive.ts
index 9de15a25..a743da0a 100644
--- a/src/services/includers/batteries/unarchive.ts
+++ b/src/services/includers/batteries/unarchive.ts
@@ -4,6 +4,8 @@ import {Headers, extract} from 'tar-stream';
 import type {PassThrough} from 'stream';
+import {getRealPath} from '@diplodoc/transform/lib/utilsFS';
+
 import {IncluderFunctionParams} from '../../../models';
 const name = 'unarchive';
@@ -87,7 +89,14 @@ async function includerFunction(params: IncluderFunctionParams) {
 const contentPath = index === 0 ? join(writeBasePath, input) : join(readBasePath, input);
- const writePath = join(writeBasePath, output);
+ const writePath = getRealPath(join(writeBasePath, output));
+
+ if (!writePath.startsWith(writeBasePath)) {
+ throw new UnarchiveIncluderError(
+ `Expected the output parameter to be located inside project root, got: ${output}`,
+ output,
+ );
+ }
 try {
 await pipeline(contentPath, writePath);
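Review bot: The containment test `writePath.startsWith(writeBasePath)` in the second hunk is a plain string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the root's name (constructed example: root `/work/out`, resolved `/work/out-old/x`) still passes. Compare on a path boundary instead, for example `if (writePath !== writeBasePath && !writePath.startsWith(writeBasePath + sep)) {` with `sep` imported from `path`, or check that `relative(writeBasePath, writePath)` neither starts with `..` nor is absolute. Only `writePath` goes through `getRealPath`; where `writeBasePath` comes from is outside the hunk, but if it can be reached through a symlink or is not normalized, the two sides are not comparable and it should presumably be canonicalized the same way. A short comment above the check, such as `// output is user-controlled: refuse any destination that resolves outside the project root`, would record why it exists. includerFunction's body starts and ends outside the hunk.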