From 6f0f9e95972f1f87cff75a0a3ddcd1a73836540c Mon Sep 17 00:00:00 2001
From: Iesan Remus
Date: Wed, 17 Sep 2025 09:20:12 +0300
Subject: [PATCH] BAU-28233 Fixed the Path Traversal issue from SelfUpdate.php file

---
 src/Codeception/Command/SelfUpdate.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/Codeception/Command/SelfUpdate.php b/src/Codeception/Command/SelfUpdate.php
index 82e1f9925c..2b7f4ea075 100644
--- a/src/Codeception/Command/SelfUpdate.php
+++ b/src/Codeception/Command/SelfUpdate.php
@@ -178,7 +178,13 @@ protected function retrieveLatestPharFile(OutputInterface $output)
 $phar = new \Phar($temp);
 // free the variable to unlock the file
 unset($phar);
- rename($temp, $this->filename);
+ // Before using $this->filename in rename
+ $realFilename = realpath($this->filename);
+ if ($realFilename === false || strpos($realFilename, getcwd()) !== 0) {
+ throw new \Exception('Invalid target filename for update.');
+ }
+ rename($temp, $realFilename);
+ $this->filename = $realFilename;
 } else {
 throw new \Exception('Request failed.');
 }
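Review bot: The containment check on the new `if` line is a bare string-prefix test, so a resolved target such as `/home/user/project-evil/codecept.phar` passes when `getcwd()` is `/home/user/project`, and `getcwd()` returning false is not handled at all; compare against a separator-terminated prefix instead: `$cwd = getcwd();` followed by `if ($realFilename === false || $cwd === false || strpos($realFilename, rtrim($cwd, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) !== 0) {`. Note also that `realpath()` follows symlinks, so when the installed phar is a symlink the `rename()` now overwrites the link's target rather than the link itself, and the `rename()` return value is still unchecked, so a failed move is reported as success. Anchoring the allowed location to the current working directory presumably rejects updating a phar installed outside the project directory (a global install invoked from a project tree), which is worth confirming against where `$this->filename` is assigned since that is not visible in this hunk. The added comment `// Before using $this->filename in rename` does not say why the check exists; `// Refuse to overwrite anything outside the current working directory` would. `retrieveLatestPharFile` begins and ends outside the hunk.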