From 8ce3f76537881ccd0e9f4850eb2181a094fed11c Mon Sep 17 00:00:00 2001 From: martyanov-av Date: Mon, 18 Nov 2024 17:58:51 +0300 Subject: [PATCH 1/2] fix: check if output parameter is located inside root --- src/services/includers/batteries/unarchive.ts | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/services/includers/batteries/unarchive.ts b/src/services/includers/batteries/unarchive.ts index 9de15a25..d04ae90d 100644 --- a/src/services/includers/batteries/unarchive.ts +++ b/src/services/includers/batteries/unarchive.ts @@ -89,6 +89,10 @@ async function includerFunction(params: IncluderFunctionParams) { const writePath = join(writeBasePath, output); + if(!writePath.startsWith(writeBasePath)){ + throw new UnarchiveIncluderError(`Invalid output parameter: ${output}. Provide includer with output parameter, which is located inside the documentation`, output); + } + try { await pipeline(contentPath, writePath); } catch (err) { From bd3479fceafa19b6c2ff269e12169eb945bf2bf3 Mon Sep 17 00:00:00 2001 From: martyanov-av Date: Mon, 18 Nov 2024 18:49:49 +0300 Subject: [PATCH 2/2] chore: check for symbolic --- src/services/includers/batteries/unarchive.ts | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/services/includers/batteries/unarchive.ts b/src/services/includers/batteries/unarchive.ts index d04ae90d..a743da0a 100644 --- a/src/services/includers/batteries/unarchive.ts +++ b/src/services/includers/batteries/unarchive.ts @@ -4,6 +4,8 @@ import {Headers, extract} from 'tar-stream'; import type {PassThrough} from 'stream'; +import {getRealPath} from '@diplodoc/transform/lib/utilsFS'; + import {IncluderFunctionParams} from '../../../models'; const name = 'unarchive'; 
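Review bot: The added guard `if(!writePath.startsWith(writeBasePath))` is a raw string-prefix test, so a normalised path in a sibling directory whose name merely begins with the root's name (constructed example: root `/docs/project`, result `/docs/project-old`) still passes it. Compare on a path boundary instead, e.g. `const rel = relative(writeBasePath, writePath);` followed by `if (rel === '..' || rel.startsWith('..' + sep) || isAbsolute(rel)) { throw … }`, with `relative`, `sep` and `isAbsolute` taken from the same module that presumably provides `join`. The same comparison is carried unchanged into the second patch's hunk at `@@ -87,10 +89,13 @@`. The check covers only the `output` parameter; whether entry names inside the archive are constrained the same way is decided in `pipeline`, which lies outside this hunk and is worth confirming.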
@@ -87,10 +89,13 @@ async function includerFunction(params: IncluderFunctionParams) { const contentPath = index === 0 ? join(writeBasePath, input) : join(readBasePath, input); - const writePath = join(writeBasePath, output); + const writePath = getRealPath(join(writeBasePath, output)); - if(!writePath.startsWith(writeBasePath)){ - throw new UnarchiveIncluderError(`Invalid output parameter: ${output}. Provide includer with output parameter, which is located inside the documentation`, output); + if (!writePath.startsWith(writeBasePath)) { + throw new UnarchiveIncluderError( + `Expected the output parameter to be located inside project root, got: ${output}`, + output, + ); } try {
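Review bot: Only one side of the comparison is canonicalised: `writePath` goes through `getRealPath`, while `writeBasePath` is used as given, so if the project root is itself reached through a symlink, legitimate outputs would be rejected. Resolve both sides before comparing, e.g. `const realBase = getRealPath(writeBasePath);` and test `writePath` against `realBase`. The output path may not exist yet at this point, so it is worth confirming what `getRealPath` returns for a missing path (its implementation is not visible here); if it falls back to the unresolved input, a symlinked parent directory would go undetected. The body of `includerFunction` continues outside the hunk.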