From d3301c9bc26a357dff44590e92f2918ef7e48b31 Mon Sep 17 00:00:00 2001
From: bethanyj28 <bethanyj28@github.com>
Date: Fri, 23 Feb 2024 08:42:23 -0500
Subject: [PATCH] update path parsing

---
 packages/artifact/src/internal/download/download-artifact.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/artifact/src/internal/download/download-artifact.ts b/packages/artifact/src/internal/download/download-artifact.ts
index f040d2f5..62e8577e 100644
--- a/packages/artifact/src/internal/download/download-artifact.ts
+++ b/packages/artifact/src/internal/download/download-artifact.ts
@@ -94,7 +94,8 @@ export async function streamExtractExternal(
       })
       .pipe(unzip.Parse())
       .on('entry', (entry: unzip.Entry) => {
-        const fullPath = path.normalize(path.join(directory, entry.path))
+        const entryPath = path.normalize(entry.path).replace(/^(\.\.(\/|\\|$))+/, '')
+        const fullPath = path.join(directory, entryPath)
         core.debug(`Extracting artifact entry: ${fullPath}`)
         if (entry.type === 'Directory') {
           promises.push(resolveOrCreateDirectory(fullPath).then(() => {}))