
[BUG] TAR.GZ extraction lacks path traversal check that ZIP extraction has #121

@Cute0110


Project

term-challenge

Description

The ZIP extraction checks for path traversal (..), but the TAR extraction does NOT perform the same check, creating inconsistent security handling.

Error Observation

ZIP packages with path traversal are caught, but TAR.GZ packages with the same attack are not detected.

Error Message

Debug Logs

System Information

Version: 0.1.0

## Operating System
  OS: Ubuntu 24.04.3 LTS
  Kernel: 6.8.0-79-generic
  Arch: x86_64

## Hardware
  CPU: AMD Ryzen 9 5950X 16-Core Processor (4 cores)
  RAM: 11 GB

## Build Environment
  Rust: rustc 1.92.0 (ded5c06cf 2025-12-08)
  Target: x86_64

Screenshots

No response

Steps to Reproduce

  1. Open src/validation/package.rs
  2. ZIP extraction (lines 207-220) has path traversal check:

```rust
if raw_name.contains("..") || raw_name.starts_with('/') {
    // Handle path traversal
}
```

  3. TAR extraction (lines 251-294) has NO such check

Expected Behavior

TAR extraction should have the same path traversal check as ZIP.

Actual Behavior

A malicious TAR.GZ archive with paths like ../../../etc/passwd bypasses extraction-time validation.

Additional Context

Security inconsistency between ZIP and TAR handling.
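The following is an added example of the kind of entry-path validation the report asks for, written here for illustration; it is not code from the term-challenge project or from the reporter. It inspects path components rather than using a `contains("..")` substring test, so `../x`, `/x`, `a/../../x` and backslash variants are refused while a legitimate name such as `notes..txt` is still accepted. It also covers a TAR-specific case the report does not mention: a symlink entry whose target points above the extraction directory, which a later entry could write through. The `sanitize_entry_path`, `resolve_within` and `symlink_target_is_contained` names, and the sample entry list, are assumptions made for this example; in a real extractor each entry name would come from the archive reader.

```rust
use std::path::{Component, Path, PathBuf};

/// Why an archive entry was rejected. (Hypothetical type for this example.)
#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    Empty,
    Absolute,
    ParentDir,
}

/// Reduce an archive entry name to a relative path that can only land inside
/// the extraction directory. Works on path components, so `notes..txt` passes
/// while `../x`, `/x` and `a/../../x` are refused. An entry that resolves to
/// nothing (e.g. `./`, the archive root) is reported as `Empty`; callers
/// typically skip such entries rather than abort.
pub fn sanitize_entry_path(raw_name: &str) -> Result<PathBuf, PathError> {
    if raw_name.is_empty() {
        return Err(PathError::Empty);
    }
    // Treat backslashes as separators: some archivers emit them, and a Windows
    // host would honour them at extraction time.
    let normalized = raw_name.replace('\\', "/");
    let mut out = PathBuf::new();
    for comp in Path::new(&normalized).components() {
        match comp {
            Component::Normal(part) => out.push(part),
            Component::CurDir => {}
            Component::ParentDir => return Err(PathError::ParentDir),
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
        }
    }
    if out.as_os_str().is_empty() {
        return Err(PathError::Empty);
    }
    Ok(out)
}

/// Join a sanitized entry path onto the extraction directory and re-check that
/// the result still starts with it. The second check is redundant today, but
/// keeping it at the join site means the guarantee survives later refactors.
pub fn resolve_within(dest: &Path, raw_name: &str) -> Result<PathBuf, PathError> {
    let rel = sanitize_entry_path(raw_name)?;
    let full = dest.join(&rel);
    if !full.starts_with(dest) {
        return Err(PathError::ParentDir);
    }
    Ok(full)
}

/// For a symlink entry, decide whether its target stays inside the extraction
/// directory. The target is resolved relative to the directory containing the
/// link, counting how deep we are so that `..` can never climb above the root.
pub fn symlink_target_is_contained(entry_name: &str, target: &str) -> bool {
    let rel = match sanitize_entry_path(entry_name) {
        Ok(p) => p,
        Err(_) => return false,
    };
    // Depth of the directory that will contain the link.
    let mut depth = rel.components().count().saturating_sub(1);
    for comp in Path::new(&target.replace('\\', "/")).components() {
        match comp {
            Component::RootDir | Component::Prefix(_) => return false,
            Component::CurDir => {}
            Component::ParentDir => {
                if depth == 0 {
                    return false;
                }
                depth -= 1;
            }
            Component::Normal(_) => depth += 1,
        }
    }
    true
}

fn main() {
    let dest = Path::new("/tmp/extract");
    // Constructed entries in the form (name, symlink target if the entry is a link).
    let entries: [(&str, Option<&str>); 5] = [
        ("pkg/main.rs", None),
        ("../../../etc/passwd", None),
        ("/etc/passwd", None),
        ("pkg/link", Some("../../outside")),
        ("pkg/data/link", Some("../config")),
    ];
    for (name, target) in entries {
        match resolve_within(dest, name) {
            Err(e) => println!("REJECT {name}: {e:?}"),
            Ok(path) => match target {
                Some(t) if !symlink_target_is_contained(name, t) => {
                    println!("REJECT {name}: symlink target {t} escapes {}", dest.display())
                }
                _ => println!("OK     {name} -> {}", path.display()),
            },
        }
    }
}
```

Running it prints one verdict per constructed entry; the two traversal names and the escaping symlink are rejected, the plain file and the in-tree symlink pass.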
