security: fix checksum grep anchoring and tar path traversal in github-auth.sh (#2213)

* security: fix checksum grep anchoring and tar path traversal in github-auth.sh

- Anchor grep with -F " ${tarball}" to prevent partial filename matches
  in checksum validation (e.g. foo.tar.gz matching foo.tar.gz.sig)
- Add pre-extraction validation rejecting tarballs with absolute paths
  or ../ traversal components (CWE-22), cross-platform (GNU + BSD tar)

Fixes #2211
Fixes #2212

Agent: security-auditor
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix: anchor checksum grep with two-space prefix and EOL to prevent partial match

Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

---------

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
A 2026-03-05 05:41:48 -08:00 committed by GitHub
parent 475a1772a7
commit 5dfb91b747
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -208,7 +208,7 @@ _download_and_install_gh() {
# Extract expected checksum for our tarball from the checksums file
local expected_checksum
expected_checksum=$(grep "${tarball}" "${checksums_file}" | awk '{print $1}')
expected_checksum=$(grep " ${tarball}"'$' "${checksums_file}" | awk '{print $1}')
if [[ -z "${expected_checksum}" ]]; then
log_error "Checksum for ${tarball} not found in checksums.txt"
rm -rf "${tmpdir}"
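Review bot: the new grep at line 208 is still a regular expression rather than the `-F` fixed-string match the commit message describes (`-F` cannot be combined with the `$` anchor), so every `.` in `${tarball}` matches any character and any other metacharacter in the name is interpreted too. The trailing `$` does stop `foo.tar.gz` from matching `foo.tar.gz.sig` and the leading space stops suffix matches, but an exact comparison of the filename field avoids the regex entirely: `expected_checksum=$(awk -v f="${tarball}" '$2 == f {print $1}' "${checksums_file}")`. Whichever form is kept, the assignment should also guard against more than one matching line; a duplicated entry in checksums.txt turns `expected_checksum` into two lines and the later equality check fails with a misleading message, so either take the first match or treat a non-unique match as an error.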
@ -228,6 +228,14 @@ _download_and_install_gh() {
log_info "SHA256 checksum verified for ${tarball}"
# Defense-in-depth: reject tarballs containing absolute paths or ../ traversal
# (CWE-22: path traversal). This check is cross-platform (GNU + BSD tar).
if tar -tzf "${tmpdir}/${tarball}" | grep -qE '(^/|\.\.)'; then
log_error "Tarball contains absolute paths or path traversal — refusing to extract"
rm -rf "${tmpdir}"
return 1
fi
tar -xzf "${tmpdir}/${tarball}" -C "${tmpdir}" || {
log_error "Failed to extract ${tarball}"
rm -rf "${tmpdir}"
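Review bot: the `\.\.` alternative in the new pre-extraction check rejects any entry whose name merely contains two consecutive dots (a file called `notes..txt`, for example), not only a `..` path component, so a benign upstream tarball could be refused; anchoring on components keeps the CWE-22 protection without the false positive, e.g. `grep -qE '^/|(^|/)\.\.(/|$)'`. Two gaps remain on the other side. `tar -tzf` without `-v` lists only entry names, so a symlink or hardlink inside the archive whose target points outside `${tmpdir}` passes the check; listing with `tar -tvzf` and inspecting the `-> target` field closes that. And because only grep's exit status is tested, a truncated or corrupt archive that makes `tar -tzf` fail yields no entries and silently passes validation, only to fail at the real `tar -xzf` below; `set -o pipefail` (or checking `${PIPESTATUS[0]}`) makes that failure visible at the validation step with its own log message.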