From b3948553e9c6b8bcbbd7756daa79479ec29bcffe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ois=C3=ADn=20Peppard?= <102725207+Ushcode@users.noreply.github.com>
Date: Tue, 15 Jul 2025 10:50:11 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 1: Arbitrary file access during archive extraction ("Zip Slip")

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../cmclinnovations/stack/clients/docker/DockerClient.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/stack-clients/src/main/java/com/cmclinnovations/stack/clients/docker/DockerClient.java b/stack-clients/src/main/java/com/cmclinnovations/stack/clients/docker/DockerClient.java
index 85391b99..d697b801 100644
--- a/stack-clients/src/main/java/com/cmclinnovations/stack/clients/docker/DockerClient.java
+++ b/stack-clients/src/main/java/com/cmclinnovations/stack/clients/docker/DockerClient.java
@@ -493,7 +493,11 @@ public Map retrieveFiles(String containerId, String remoteDirPat
             TarArchiveEntry tarArchiveEntry;
             while (null != (tarArchiveEntry = tarArchiveInputStream.getNextTarEntry())) {
                 if (!tarArchiveEntry.isDirectory()) {
-                    files.put(remoteDirPath + tarArchiveEntry.getName().replaceFirst("^[^/]*/", ""),
+                    Path entryPath = Path.of(remoteDirPath, tarArchiveEntry.getName().replaceFirst("^[^/]*/", "")).normalize();
+                    if (!entryPath.startsWith(Path.of(remoteDirPath).normalize())) {
+                        throw new IOException("Invalid tar entry: " + tarArchiveEntry.getName());
+                    }
+                    files.put(entryPath.toString(),
                             tarArchiveInputStream.readAllBytes());
                 }
             }
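Review bot: The new map key `entryPath.toString()` is not the same string the old `remoteDirPath + name` produced: when `remoteDirPath` has no trailing `/` the old code yielded `/datafoo` where the new one yields `/data/foo`, and on a Windows host `Path.of` renders what look like container-side paths with `\` separators, so any caller that keys on the old form should be checked and a comment such as `// keys are normalized host-Path strings rather than the raw remoteDirPath prefix` would make the change explicit. `Path.of` also throws the unchecked `InvalidPathException` on a malformed entry name (for example one containing a NUL byte), which bypasses callers that handle only `IOException`; catching it around the `Path.of` call and rethrowing as `IOException` would keep a single failure mode alongside the traversal check. The diffstat shows no import line added, so `java.nio.file.Path` must already be imported in this file — worth confirming, since otherwise the hunk does not compile. The traversal check itself is sound for `..` segments because `normalize()` runs before `startsWith`, but it only guards the keys placed in the map; whatever later writes these entries to disk still needs its own containment check. `retrieveFiles` starts and ends outside the hunk.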