From 10efcb740c8dbe871a80d6d8f997a6c8dac298b8 Mon Sep 17 00:00:00 2001
From: Dengke Tang
Date: Thu, 11 Jan 2024 15:38:50 -0800
Subject: [PATCH] I don't know////

---
 builder/core/fetch.py | 20 +++++++++++++++++++-
 builder/imports/golang.py | 2 +-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/builder/core/fetch.py b/builder/core/fetch.py
index d3cd615b1..96a7095b8 100644
--- a/builder/core/fetch.py
+++ b/builder/core/fetch.py
@@ -236,7 +236,25 @@ def fetch_and_extract(url, archive_path, extract_path):
     print('Extracting {} to {}'.format(archive_path, extract_path))
     if tarfile.is_tarfile(archive_path):
         with tarfile.open(archive_path) as tar:
-            tar.extractall(extract_path)
+            def is_within_directory(directory, target):
+
+                abs_directory = os.path.abspath(directory)
+                abs_target = os.path.abspath(target)
+
+                prefix = os.path.commonprefix([abs_directory, abs_target])
+
+                return prefix == abs_directory
+
+            def safe_extract(tar, path=".", members=None, *, numeric_owner=False):
+
+                for member in tar.getmembers():
+                    member_path = os.path.join(path, member.name)
+                    if not is_within_directory(path, member_path):
+                        raise Exception("Attempted Path Traversal in Tar File")
+
+                tar.extractall(path, members, numeric_owner=numeric_owner)
+
+            safe_extract(tar, extract_path)
 
     elif zipfile.is_zipfile(archive_path):
         with zipfile.ZipFile(archive_path) as zip:
diff --git a/builder/imports/golang.py b/builder/imports/golang.py
index 1832768b9..c21bc3284 100644
--- a/builder/imports/golang.py
+++ b/builder/imports/golang.py
@@ -13,7 +13,7 @@
     'linux-armv7': 'https://go.dev/dl/go1.21.5.linux-armv6l.tar.gz',
     'linux-armv8': 'https://go.dev/dl/go1.21.5.linux-arm64.tar.gz',
     'linux-x86': 'https://go.dev/dl/go1.21.5.linux-386.tar.gz',
-    'linux-x64': 'https://go.dev/dl/go1.21.5.linux-amd64.tar.gz',
+    'linux-x64': 'https://go.dev/dl/go1.20.13.linux-amd64.tar.gz',
     'openbsd-x64': 'https://go.dev/dl/go1.21.5.linux-amd64.tar.gz',
     'windows-x64': 'https://go.dev/dl/go1.21.5.windows-amd64.zip',
     'windows-x86': 'https://go.dev/dl/go1.21.5.windows-386.zip',