From 187842214e4c72dbc166f796e4ba962ec8a2bf49 Mon Sep 17 00:00:00 2001
From: Yasuhiro Matsumoto
Date: Tue, 5 May 2026 21:19:17 +0900
Subject: [PATCH] nsite: fix path traversal vulnerability in download command.
---
 nsite.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/nsite.go b/nsite.go
index d97c0b0..aa5feb3 100644
--- a/nsite.go
+++ b/nsite.go
@@ -273,7 +273,11 @@ var nsite = &cli.Command{
 signer := keyer.NewReadOnlySigner(pk)
 for path, hash := range mnf.Paths {
- fullPath := filepath.Join(outputDir, filepath.FromSlash(strings.TrimPrefix(path, "/")))
+ relPath := strings.TrimPrefix(path, "/")
+ if !filepath.IsLocal(relPath) {
+ return fmt.Errorf("manifest path %q escapes output directory", path)
+ }
+ fullPath := filepath.Join(outputDir, filepath.FromSlash(relPath))
 if err := os.MkdirAll(filepath.Dir(fullPath), 0o755); err != nil {
 return fmt.Errorf("failed to create %s: %w", filepath.Dir(fullPath), err)
 }