From 76c29fe745176a7fc4cb43e1ad5a267ac534a1a3 Mon Sep 17 00:00:00 2001
From: Andrew Fasano
Date: Mon, 12 Feb 2024 18:16:46 -0500
Subject: [PATCH] Bugfix: Check symlink safety relative to link name in tarfile extraction

---
 unblob/handlers/archive/_safe_tarfile.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/unblob/handlers/archive/_safe_tarfile.py b/unblob/handlers/archive/_safe_tarfile.py
index 0ecc2e081e..2ddc8af2b7 100644
--- a/unblob/handlers/archive/_safe_tarfile.py
+++ b/unblob/handlers/archive/_safe_tarfile.py
@@ -83,9 +83,10 @@ def extract(self, tarinfo: tarfile.TarInfo, extract_root: Path): # noqa: C901
 "Converted to extraction relative path.",
 )
 tarinfo.linkname = f"./{tarinfo.linkname}"
+
 if not is_safe_path(
 basedir=extract_root,
- path=extract_root / tarinfo.linkname,
+ path=extract_root / Path(tarinfo.name).parent / tarinfo.linkname,
 ):
 self.record_problem(
 tarinfo,
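Review bot: The new `path=` line joins the target onto the link's parent directory, but if `tarinfo.linkname` is still absolute at this point, `Path.__truediv__` discards `extract_root / Path(tarinfo.name).parent` entirely, so the guard only holds if the preceding `./` rewrite (the branch ending just above the hunk) catches every absolute link name — worth confirming, since that branch starts outside the hunk. The join also presumes `tarinfo.name` was already validated as relative and free of `..` before this point, and if hard links reach this same code path note that tar hard-link targets are archive-root-relative rather than parent-relative, so they would be resolved against the wrong base. A why-comment would help the next reader: `# a symlink target is resolved relative to the link's own directory, not extract_root`. The enclosing `extract` method begins before and continues after this hunk.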