From 47b65d6fe0f97ac4b9cc5935048e34eeb9e1d3bf Mon Sep 17 00:00:00 2001
From: Evan Su <48808396+HACKERALERT@users.noreply.github.com>
Date: Mon, 27 Jan 2025 01:12:14 -0500
Subject: [PATCH] return err on ".." in zip item file path

Unlikely to happen since go stdlib zip doesn't do it, so if it does happen, better safe than sorry.
---
 src/Picocrypt.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/Picocrypt.go b/src/Picocrypt.go
index be04bc9..0f953a7 100644
--- a/src/Picocrypt.go
+++ b/src/Picocrypt.go
@@ -2388,7 +2388,10 @@ func unpackArchive(zipPath string) error {
 startTime := time.Now()
 
 for _, f := range reader.File {
- outPath := filepath.Join(extractDir, filepath.Clean(strings.ReplaceAll(f.Name, "\\", "/")))
+ if strings.Contains(f.Name, "..") {
+ return errors.New("potentially malicious zip item path")
+ }
+ outPath := filepath.Join(extractDir, f.Name)
 
 // Make directory if current entry is a folder
 if f.FileInfo().IsDir() {
@@ -2399,12 +2402,16 @@ func unpackArchive(zipPath string) error {
 }
 
 for i, f := range reader.File {
+ if strings.Contains(f.Name, "..") {
+ return errors.New("potentially malicious zip item path")
+ }
+
 // Already handled above
 if f.FileInfo().IsDir() {
 continue
 }
 
- outPath := filepath.Join(extractDir, filepath.Clean(strings.ReplaceAll(f.Name, "\\", "/")))
+ outPath := filepath.Join(extractDir, f.Name)
 
 // Otherwise create necessary parent directories
 if err := os.MkdirAll(filepath.Dir(outPath), 0755); err != nil {
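Review bot: The new guard `strings.Contains(f.Name, "..")` rejects harmless entry names such as `report..txt` while testing a proxy rather than the property that matters, namely that the joined path stays under extractDir; `filepath.IsLocal` (Go 1.20+, if the module's go version allows it) checks that directly, so `if !filepath.IsLocal(f.Name) {` is the tighter guard and additionally rejects absolute and, on Windows, reserved names, which today pass the substring test and are only neutralized by `filepath.Join`. Dropping `strings.ReplaceAll(f.Name, "\\", "/")` also changes behavior on non-Windows hosts, where an entry named `a\b` is now written as one file whose name contains a backslash instead of a nested directory; if that is intended, a short comment on the `outPath :=` line would spare the next reader the question. The same check is duplicated verbatim in the second hunk (`@@ -2399`), but the first loop already visits every element of reader.File, so a bad name is rejected before the second loop starts and the second copy is redundant; a small shared helper would keep the two in step if the rule ever changes. unpackArchive begins and continues outside both hunks.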