From 3756b6644b78654d094c4173fefcfb1a572608a8 Mon Sep 17 00:00:00 2001
From: Zeroday BYTE
Date: Tue, 22 Apr 2025 06:57:54 +0700
Subject: [PATCH] Update artifacts.go

---
 cmd/rofl/build/artifacts.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/cmd/rofl/build/artifacts.go b/cmd/rofl/build/artifacts.go
index c0cc2b70..e7d371a0 100644
--- a/cmd/rofl/build/artifacts.go
+++ b/cmd/rofl/build/artifacts.go
@@ -182,7 +182,16 @@ FILES:
 }
 case tar.TypeSymlink:
 // Symbolic link.
-if err = os.Symlink(header.Linkname, path); err != nil {
+var resolvedLinkname string
+resolvedLinkname, err = filepath.EvalSymlinks(filepath.Join(filepath.Dir(path), header.Linkname))
+if err != nil {
+return fmt.Errorf("failed to resolve symbolic link: %w", err)
+}
+relpath, err := filepath.Rel(filepath.Dir(path), resolvedLinkname)
+if err != nil || strings.HasPrefix(filepath.Clean(relpath), "..") {
+return fmt.Errorf("symbolic link points outside the target directory")
+}
+if err = os.Symlink(resolvedLinkname, path); err != nil {
 return fmt.Errorf("failed to create soft link: %w", err)
 }
 case tar.TypeChar, tar.TypeBlock, tar.TypeFifo:
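Review bot: The containment check on the new `filepath.Rel` line compares the resolved target with `filepath.Dir(path)`, the symlink's own parent directory, rather than the extraction root, so any in-tree link that goes up one level (e.g. `../lib/libfoo.so` from `usr/bin`) is rejected even though the error text claims a check against "the target directory". `filepath.EvalSymlinks` also requires the target to already exist on disk, which fails for archives whose link targets appear later in the tar or are intentionally dangling, and passing the resolved absolute path to `os.Symlink` rewrites every link to an absolute host path, so the extracted tree no longer relocates. The `..` prefix test additionally matches a sibling named `..foo`, and `strings` appears without any import change in the diffstat, so this only builds if the file already imports it; `relpath, err :=` also shadows the outer `err` inside the case clause. A lexical check against the extraction root (written as `destDir` below; the real variable is defined outside the hunk, as are the enclosing `switch` and the `FILES:` loop, which both start and end outside it) that rejects absolute targets and keeps `header.Linkname` as the stored target covers the link itself; whether a later regular-file entry can still write through an already-created symlink depends on the other cases of this switch, which are not visible here.
```go
case tar.TypeSymlink:
	// Symbolic link: validate lexically against the extraction root so the
	// target need not exist yet and the stored link stays relative.
	if filepath.IsAbs(header.Linkname) {
		return fmt.Errorf("symbolic link %q has absolute target %q", header.Name, header.Linkname)
	}
	var rel string
	rel, err = filepath.Rel(destDir, filepath.Join(filepath.Dir(path), header.Linkname))
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("symbolic link %q points outside the target directory", header.Name)
	}
	if err = os.Symlink(header.Linkname, path); err != nil {
		return fmt.Errorf("failed to create soft link: %w", err)
	}
// … unchanged: remaining cases of the switch …
```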